+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 21
Windows Thread, Access To User Profiles in Technical; Ok here goes. We have a W2K Server / XP network. Our Network Manager has recently left and left us ...
  1. #1

    Join Date
    Oct 2005
    Posts
    3
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Access To User Profiles

    Ok here goes.

    We have a W2K Server / XP network. Our Network Manager has recently left and left us in a right mess. Currently we have roaming profiles, which work okish. The problem I have is that I cannot access any of the users’ profiles; I just get access denied, even as administrator.

    If I reset ownership rights and then security rights I can gain access, but if I then delete said profile, when the user logs back on the profile is recreated and then I’m back to square one.

    So:

    1. How can I reset access rights on all the user profiles?
    2. How can I make it so I have access to newly created profiles?

    FYI the profiles are in the following location \\%SERVER%\%USERNAME%\W2KPROF

    Cheers

    TOM

  2. #2
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,938
    Thank Post
    114
    Thanked 272 Times in 250 Posts
    Rep Power
    104

    Re: Access To User Profiles

    You need to use a script to run through all the directories that sets all the permissions.
    May I ask whats so interesting about their profiles though? The user documents arent travelling around in these I hope?
    You need to use the command line tool cacls or xcacls eg

    Code:
       xcacls studentfolder /T /E/G yourdomain\domain admins:F /y
       xcacls studentfolder /T /E /G yourdomain\studentuser:F /y
    I normally run this batch file on my home directories. If you run it at the same level as all the username folders it picks up the name of the folder and uses that as the user account name to assign permissions.

    Code:
    for /D %%i in (*) do (
       xcacls %%i /T /E/G yourdomain\domain admins:F /y
       xcacls %%i /T /E /G yourdomain\%%i:C /y
    )
    %%i will be the folder name at the level you have run it from as in the example above.

    You will have to take ownership of all the folders to do this though. Its not straight forward and if you dont understand that script dont try it as you could mess everything up. USE AT YOUR OWN RISK.

    I have another script to assign users ownership of their folders as well so quotas work properly.

    You need to get rid of roaming profiels though they are the devil!!!

  3. #3
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    33

    Re: Access To User Profiles

    As Administrator, you should be able to 'take ownership' of the profile folders and thus gain access. Unfortunately (as I think you may have found out), XP no longer recognises the profile folder as belonging to the user who created it. This is because, by default, there is a policy setting which tells XP to test the ownership of a profile folder before using it. You need to enable the 'Do not check for user ownership of roaming profile folders' policy setting (Computer Settings, Admin. Templates, System, Logon, Do not check...). At the same time, if you enable the 'Add the Administrators security group to Roaming user profiles' setting, then any new profiles will already have the Administrators group in the ACL, thus allowing you access.
    The policy you modify should be at a level in the AD structure such that it affects all you workstations.

  4. #4
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,938
    Thank Post
    114
    Thanked 272 Times in 250 Posts
    Rep Power
    104

    Re: Access To User Profiles

    ^^ That sounds better than my answer wasnt aware of those settings since I dont do the roaming thing. Mine is a good answer to home directories though. But I would only give them modify on them.

  5. #5

    Join Date
    Oct 2005
    Posts
    3
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Access To User Profiles

    Thanks for that chris, but will that cure the problem of new user profiles giving denied access?

    The reason i want access to the profiles is due to printing problems. Users have access to printers in other rooms then the one they are in. I am in the process of setting up the suit PCs printer access, but although the PC is only setup to print to the network in the room, students are getting access to other printers.

    I believe the problem is due to printers being picked up via roaming profiles, and following he user from room to room.

  6. #6

    Join Date
    Oct 2005
    Posts
    3
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Access To User Profiles

    WOW thanks ajbritton that sound like the info i need. I'll take a look at those GPO settings later.

    Many thanks.

  7. #7
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    33

    Re: Access To User Profiles

    @ChrisH: I have found that even if you give users Modify on their home directory, they can still change the permissions on anything that they create. I think this is because the user is the owner of anything that they can create and have some kind of implicit admin status. I'd love to know of a way around this. I have heard people suggest limiting the permissions on the share that the users connect through, but I could not get that to work.

  8. #8
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,938
    Thank Post
    114
    Thanked 272 Times in 250 Posts
    Rep Power
    104

    Re: Access To User Profiles

    I dont have a share for every user I have one share and the only permssions the student has is to their particular folder. There are probably special permssions you could play with but I dont want to open that box. There is also the creator owner group as well which may be worth some investigation.

  9. #9
    mark's Avatar
    Join Date
    Jun 2005
    Posts
    3,945
    Thank Post
    233
    Thanked 48 Times in 44 Posts
    Blog Entries
    2
    Rep Power
    45

    Re: Access To User Profiles

    very interesting ajb!

    I did have right click disabled until recently so I just discovered that problem [users able to change file/ folder permissions]. I had it on my todo list to sort out the permissions - so it ain't that simple then

  10. #10
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    33

    Re: Access To User Profiles

    @ChrisH: I also use a single share for all users, but I still have the same problem. You might want to try to reproduce the problem as follows...

    1 - Log on as a normal user
    2 - Create a new folder in your home directory
    3 - Go to the security tab and click Advanced
    4 - Untick the 'inherit' box, and select Copy
    5 - Remove the Administrators (or Domain Admins, whatever you have)
    6 - OK

    Try accessing the folder from the server as Administrator. You can still take ownership if you need to, but forget about the folder being backed up!

    I have just found this Microsoft article which claims to remove the Security tab. I assume this would apply to all users of the machine however.

  11. #11
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,938
    Thank Post
    114
    Thanked 272 Times in 250 Posts
    Rep Power
    104

    Re: Access To User Profiles

    Maybe a scheduled script is needed to go through the files at night and find problem files and sort them?

  12. #12
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    33

    Re: Access To User Profiles

    This looks more hopeful... Remove Security Tab

  13. #13
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    33

    Re: Access To User Profiles

    Yep, that works. Of course we would also need to restrict things like CACLS, XCACLS or any other app students could get onto a PC!

  14. #14
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    33

    Re: Access To User Profiles

    Quote Originally Posted by ChrisH
    Maybe a scheduled script is needed to go through the files at night and find problem files and sort them?
    Hmmm...Sounds like a job for ICTNUT. Perhaps the Nasty File Search could be expanded to look for dodgy permissions!

  15. #15
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,938
    Thank Post
    114
    Thanked 272 Times in 250 Posts
    Rep Power
    104

    Re: Access To User Profiles

    I think you could do a fairly easy script with a WMI query and I have VBScripts to change permissions and ownership. I did some scripts a while ago that found all the files belonging to certain users and tally them up. I could adapt that.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Default Profiles - setting user directories
    By speckytecky in forum Windows
    Replies: 0
    Last Post: 22nd June 2007, 07:52 PM
  2. User Network Areas and Profiles
    By wesleyw in forum Windows
    Replies: 7
    Last Post: 21st June 2006, 12:40 PM
  3. Deleting User Profiles
    By Gordie in forum Scripts
    Replies: 4
    Last Post: 19th June 2006, 03:41 PM
  4. Replies: 0
    Last Post: 16th June 2006, 09:00 PM
  5. User profiles
    By speckytecky in forum How do you do....it?
    Replies: 3
    Last Post: 16th June 2006, 12:11 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •