Windows Server 2008 R2 Thread, Does taking ownership of profile prevent user from updating it? in Technical
24th November 2011, 12:48 PM #1
Does taking ownership of profile prevent user from updating it?
We didn't make the GPO change to add administrators to the profile security, so whenever we want to delete a profile we are going to have to take ownership.
This removes all users and only adds the administrator. Will this deny the user from being able to update their profile? We have a lot of accounts to do this to and would like to do it on the parent folder.
24th November 2011, 12:52 PM #2
Make sure that the user is not logged on. Then take ownership and add the admin account full control, the user full control and the system account full control. Finish off with transferring the ownership to the user and all should be fine.
24th November 2011, 12:58 PM #3
Yes. The user needs Full Control rights on their roaming profile directory. You will need to add these rights back if you seize ownership.
Under Vista/7 you will probably also find that without that GPO setting in place, the owner information and ACL is reset back to the default next time the user profile is updated. I seem to recall this wasn't the case in XP, but it has been nearly 5 years since I looked after an XP network so I can't quite remember!
24th November 2011, 01:00 PM #4
Found this when looking...
Roaming Profile - Add Administrators rights to profile folder without taking ownership
Taking the above ideas and combining them I placed the following into our users logon script to run once.
icacls \\servername\profiles$\%username% /grant administrators:(F) /T
As the user has full access to their own profile they can grant permission by using the above command. In this case the administrators group is given Full (F) Access and /T for subdirectories and files.
24th November 2011, 03:54 PM #5
There is a GPO you can set to tell the system to ignore the owner of the Profile and just use it if they have rights to access it thus solving the owner issues for the roaming profile. I am on the road atm so cannot get to a server to look for the GPO but it exists and is a great one to just set to ignore the owner.
29th November 2011, 11:37 AM #6
Thanks for your answers. Have updated the GPO for new users and will soon get the other profiles sorted.
17th January 2012, 04:36 PM #7
This confused me for far too long, thought someone else might find it useful:
You need to add the .v2 to the username manually as it seems icacls is only working with raw directories and not aware of 'windows' things such as this...
icacls \\servername\profiles$\%username%.v2 /grant administrators:(F) /T
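The repair sequence from post #2 (take ownership, grant the admin, user and system accounts Full Control, hand ownership back to the user), with the `.v2` folder suffix from post #7, as an added PowerShell example that is not part of the original thread. `Repair-ProfileAcl`, `$ProfileRoot` and `$Domain` are hypothetical names, the `(OI)(CI)` inheritance flags are a choice made here, and it assumes each folder is named after its user.

```powershell
# Added example, not from the thread. Run elevated, with the affected users logged off.
# Assumptions: folders are named <user> or <user>.V2; $ProfileRoot and $Domain are placeholders.
function Repair-ProfileAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ProfileRoot,   # e.g. \\servername\profiles$
        [Parameter(Mandatory)] [string] $Domain
    )
    foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
        $path    = $dir.FullName
        # Strip a version suffix such as ".V2" to recover the account name.
        $user    = $dir.Name -replace '\.V\d+$', ''
        $account = "$Domain\$user"

        # Skip folders whose account no longer resolves, so no ACE is granted to a stale name.
        try {
            $nt = New-Object System.Security.Principal.NTAccount($account)
            [void]$nt.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "Skipping ${path}: cannot resolve $account"
            continue
        }
        if (-not $PSCmdlet.ShouldProcess($path, "Reset owner and ACL for $account")) { continue }

        # 1. Administrators group takes ownership of the whole tree.
        #    (/D Y answers the prompt; the letter is locale dependent.)
        takeown /F $path /A /R /D Y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "takeown failed on $path"; continue }

        # 2. Grant Full Control to admins, SYSTEM and the profile's user; /C continues past errors.
        $grants = @('Administrators:(OI)(CI)F', 'SYSTEM:(OI)(CI)F', "${account}:(OI)(CI)F")
        icacls $path /grant $grants /T /C | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "grant failed on $path"; continue }

        # 3. Hand ownership back to the user.
        icacls $path /setowner $account /T /C | Out-Null
        $ok = ($LASTEXITCODE -eq 0)

        [pscustomobject]@{ Path = $path; Account = $account; OwnerRestored = $ok }
    }
}
```

Running it with `-WhatIf` first lists the folders it would change without touching any ACL.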