Grant permissions to folder containing roaming profiles

    Question

  • Hi everyone

    I have a server running Windows Server 2008 that hosts a share for roaming profiles for hundreds of Windows XP users.  We are going through a domain migration and I need to grant Full Control to the Quest migration account to allow it to perform security translation against the profile folders.

    The problem is that the profile folders are owned by the individual users.  The only accounts with permissions on the profile folders and contents are:

    1. The user account corresponding to the profile

    2. The SYSTEM account

    The only way I can see to assign the permission is to first to take ownership (including sub folders and files) and then to grant the permissions I need.  The issue is that afterwards I need to go back and grant ownership back to the original owner (the user).  This last step is required as there is an ownership check when the user's roaming profile is written back to the server upon logout of the XP workstation.

    Is there an easy way to do what I want?  If not, does anyone have a scripted method?

    Thanks

    Alexei

    Friday, April 02, 2010 2:57 AM

Answers

  • Thanks all

    I chose to go with the approach of using the "Do not check for user ownership of Roaming Profile Folders" GPO.  It worked - but it means I need to go back later at some point and re-assign the ownership and remove the GPO.  I'll look at scripting the first part when I have some more time.

    Alexei

    Tuesday, April 06, 2010 8:04 PM
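The take-ownership, grant, and restore-owner procedure described in the question, as an added PowerShell example that is not from the thread or from any poster. It assumes an elevated session on the file server, a share path `\\FS01\Profiles$` and a migration account `CONTOSO\QuestMigration` (both hypothetical names), and that profile contents were user-owned, as the question states. Restoring ownership to a principal other than yourself needs SeRestorePrivilege enabled in the process token; Set-Acl does not enable it by itself, so the restore phase must run from a session where it is enabled.

```powershell
param(
    [string]$ProfileRoot = '\\FS01\Profiles$',        # assumed share path
    [string]$Grantee     = 'CONTOSO\QuestMigration',  # assumed migration account
    [string]$OwnerLog    = "$env:TEMP\profile-owners.csv"
)

function Save-ProfileOwners {
    # Record who owns each profile folder before touching anything; the roaming
    # profile write-back at logoff checks this owner, so it must be put back later.
    Get-ChildItem -Path $ProfileRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
        New-Object PSObject -Property @{ Path = $_.FullName; Owner = (Get-Acl $_.FullName).Owner }
    } | Export-Csv -Path $OwnerLog -NoTypeInformation
}

function Grant-MigrationAccess {
    foreach ($entry in (Import-Csv $OwnerLog)) {
        # takeown.exe uses SeTakeOwnershipPrivilege: /A assigns ownership to Administrators,
        # /R recurses, /D Y answers the prompt for folders Administrators cannot list.
        & takeown.exe /F $entry.Path /A /R /D Y | Out-Null
        # Administrators now own the tree, so the DACL can be edited: Full Control (F)
        # inherited by subfolders (CI) and files (OI), applied to every item (/T).
        & icacls.exe $entry.Path /grant "${Grantee}:(OI)(CI)F" /T | Out-Null
    }
}

function Restore-ProfileOwners {
    # Reverse step: drop the temporary grant and hand each tree back to its user.
    # SetOwner to another account only succeeds with SeRestorePrivilege enabled (assumption:
    # the session running this phase has it enabled); otherwise Set-Acl refuses the owner.
    foreach ($entry in (Import-Csv $OwnerLog)) {
        & icacls.exe $entry.Path /remove:g $Grantee /T | Out-Null
        $owner = New-Object System.Security.Principal.NTAccount($entry.Owner)
        $items = @(Get-Item $entry.Path) + @(Get-ChildItem $entry.Path -Recurse -Force)
        foreach ($item in $items) {
            $acl = Get-Acl -Path $item.FullName
            $acl.SetOwner($owner)
            Set-Acl -Path $item.FullName -AclObject $acl
        }
    }
}

# Phase 1, before the migration:   Save-ProfileOwners; Grant-MigrationAccess
# Phase 2, after security translation:   Restore-ProfileOwners
```

Keep the owner CSV somewhere other than %TEMP% in practice; it is the only record of who should own each folder once phase 1 has run.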

All replies

  • Ownership on roaming folders can be (and should be) on Administrators. Do you use permission inheritance? Are the users named the same as the profile directory? If so it would be quite easy to set the correct permissions.

    Regards,

    Stefan Hazenbroek

    Friday, April 02, 2010 12:21 PM
  • Hi Stefan

    I'm curious about your statement that "ownership on roaming profiles can (and should be) on Administrators".  By default The Administrators group has no permissions on individual profile folders and the security recommendations from Microsoft suggest that it should stay that way:

    http://technet.microsoft.com/en-us/library/cc757013(WS.10).aspx

    Permissions inheritance on the individual roaming profile folders is blocked. I believe this is by default when the profile is created.  The only way that I can see to grant access is to take ownership of the folders and set the permissions I need.  The problem is that there appears to be no easy way to re-set the permissions back to the original owners.

    I guess I could set the "Do not check for user ownership of Roaming Profile Folders" GPO, but I don't really want to compromise security.

    Alexei

    Friday, April 02, 2010 10:27 PM
  • Hi Alexei,

    This is indeed default. What you can do to add the Administrators is to add them using a GPO, the user that logs in then grants Administrators Full Control on the profile (automatically of course). Check out http://technet.microsoft.com/en-us/library/cc781862(WS.10).aspx how to do this.

    About Administrators having Ownership on profile folders: I disagree with Microsoft that the user should be owner, but that's something I'll have to agree to disagree on with Microsoft. It's quite a burden to take ownership, fix the profile, give permissions, set ownership when it can also be fixed by just setting it up like that from the beginning. The funny thing is, in the url I named above, Microsoft itself states to add Administrators to the profile group as a GPO recommendation.

    Hope this helps.

    Regards,

    Stefan Hazenbroek

    Saturday, April 03, 2010 7:56 AM
  • About Administrators having Ownership on profile folders: I disagree with Microsoft that the user should be owner.

    Agreed! I think it's an absurd idea that the Best Practice is for Server Administrators not to have access to the data on their own servers!

    We run a script as part of the creation process to go through User Profile and Home Directory Folders to give Administrators Full Control.  Some smart alec users have been blocking admin rights in their home folders so we now create them with Modify rights rather than Full Control.

    Monday, April 05, 2010 9:15 AM
  • Hi Stefan

    I looked at the GPO to grant Administrators Full Control rights to the profile, but this only works on newly created profiles.

    I guess Microsoft is being consistent with not allowing Administrators to automatically have rights to user data.  Another example is (IIRC) Exchange 2003 when Exchange Full Admins no longer had full rights to user mailboxes by default.  It was all part of Microsoft's "secure by default" push.  It makes sense, but is perhaps not suitable for all environments.

    Alexei

    Monday, April 05, 2010 10:39 PM
  • Hi Alexei,

    As you said, it is set up to protect users' personal files.

    How about setting up DFS between the original and the new server to copy the profile folders to the new server? We will not need to take ownership to do the copy. Sometimes we will set up DFS on roaming profile or Folder Redirection folders.

    Tuesday, April 06, 2010 9:07 AM
    Moderator
  • Thank you for posting the result here. Have a good day.
    Wednesday, April 07, 2010 6:37 AM
    Moderator
  • I have the same issue but on Windows SBS 2003. Is it still the best idea to take ownership and add the administrators group and then change them back? When I take ownership I have to 'Replace owner on subcontainers and objects' and also 'Replace permission entries on all child objects shown here that apply to child objects', is this correct?

    There are only 15 profiles I have this issue with but the data is still very important and I don't want to be recreating them.

    Wednesday, March 16, 2011 5:57 PM