21st October 2005, 12:47 PM #1
Access To User Profiles
Ok here goes.
We have a W2K Server / XP network. Our Network Manager has recently left and left us in a right mess. Currently we have roaming profiles, which work okish. The problem I have is that I cannot access any of the users’ profiles; I just get access denied, even as administrator.
If I reset ownership rights and then security rights I can gain access, but if I then delete said profile, when the user logs back on the profile is recreated and then I’m back to square one.
So:
1. How can I reset access rights on all the user profiles?
2. How can I make it so I have access to newly created profiles?
FYI the profiles are in the following location \\%SERVER%\%USERNAME%\W2KPROF
Cheers
TOM
-
21st October 2005, 01:05 PM #2 Re: Access To User Profiles
You need to use a script to run through all the directories that sets all the permissions.
May I ask what's so interesting about their profiles though? The user documents aren't travelling around in these I hope?
You need to use the command line tool cacls or xcacls, e.g.
Code:
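rem /T = recurse, /E = edit the existing ACL instead of replacing it, /G = grant, /Y = no prompt
xcacls studentfolder /T /E /G "yourdomain\domain admins":F /y
xcacls studentfolder /T /E /G yourdomain\studentuser:F /y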
I normally run this batch file on my home directories. If you run it at the same level as all the username folders it picks up the name of the folder and uses that as the user account name to assign permissions.
Code:
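rem Run from the directory that contains the per-user folders.
rem Each folder name (%%i) is reused as the account name to grant Change (C) to.
for /D %%i in (*) do (
xcacls "%%i" /T /E /G "yourdomain\domain admins":F /y
xcacls "%%i" /T /E /G "yourdomain\%%i":C /y
)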
%%i will be the folder name at the level you have run it from as in the example above.
You will have to take ownership of all the folders to do this though. It's not straightforward, and if you don't understand that script don't try it as you could mess everything up. USE AT YOUR OWN RISK.
I have another script to assign users ownership of their folders as well so quotas work properly.
You need to get rid of roaming profiles though, they are the devil!!!
-
-
21st October 2005, 01:07 PM #3 Re: Access To User Profiles
As Administrator, you should be able to 'take ownership' of the profile folders and thus gain access. Unfortunately (as I think you may have found out), XP no longer recognises the profile folder as belonging to the user who created it. This is because, by default, there is a policy setting which tells XP to test the ownership of a profile folder before using it. You need to enable the 'Do not check for user ownership of roaming profile folders' policy setting (Computer Settings, Admin. Templates, System, Logon, Do not check...). At the same time, if you enable the 'Add the Administrators security group to Roaming user profiles' setting, then any new profiles will already have the Administrators group in the ACL, thus allowing you access.
The policy you modify should be at a level in the AD structure such that it affects all your workstations.
-
-
21st October 2005, 01:10 PM #4 Re: Access To User Profiles
^^ That sounds better than my answer
Wasn't aware of those settings since I don't do the roaming thing. Mine is a good answer to home directories though. But I would only give them modify on them.
-
-
21st October 2005, 01:12 PM #5
Re: Access To User Profiles
Thanks for that Chris, but will that cure the problem of new user profiles giving denied access?
The reason I want access to the profiles is due to printing problems. Users have access to printers in rooms other than the one they are in. I am in the process of setting up the suite PCs' printer access, but although the PC is only set up to print to the network in the room, students are getting access to other printers.
I believe the problem is due to printers being picked up via roaming profiles, and following the user from room to room.
-
-
21st October 2005, 01:14 PM #6
Re: Access To User Profiles
WOW thanks ajbritton, that sounds like the info I need. I'll take a look at those GPO settings later.
Many thanks.
-
-
21st October 2005, 01:17 PM #7 Re: Access To User Profiles
@ChrisH: I have found that even if you give users Modify on their home directory, they can still change the permissions on anything that they create. I think this is because the user is the owner of anything that they can create and have some kind of implicit admin status. I'd love to know of a way around this. I have heard people suggest limiting the permissions on the share that the users connect through, but I could not get that to work.
-
-
21st October 2005, 01:24 PM #8 Re: Access To User Profiles
I don't have a share for every user; I have one share and the only permissions the student has is to their particular folder. There are probably special permissions you could play with but I don't want to open that box. There is also the creator owner group as well which may be worth some investigation.
-
-
21st October 2005, 01:28 PM #9 Re: Access To User Profiles
Very interesting ajb!
I did have right click disabled until recently so I just discovered that problem [users able to change file/folder permissions]. I had it on my todo list to sort out the permissions - so it ain't that simple then
-
-
21st October 2005, 01:50 PM #10 Re: Access To User Profiles
@ChrisH: I also use a single share for all users, but I still have the same problem. You might want to try to reproduce the problem as follows...
1 - Log on as a normal user
2 - Create a new folder in your home directory
3 - Go to the security tab and click Advanced
4 - Untick the 'inherit' box, and select Copy
5 - Remove the Administrators (or Domain Admins, whatever you have)
6 - OK
Try accessing the folder from the server as Administrator. You can still take ownership if you need to, but forget about the folder being backed up!
I have just found this Microsoft article which claims to remove the Security tab. I assume this would apply to all users of the machine however.
-
-
21st October 2005, 01:54 PM #11 Re: Access To User Profiles
Maybe a scheduled script is needed to go through the files at night and find problem files and sort them?
-
-
21st October 2005, 01:59 PM #12 Re: Access To User Profiles
This looks more hopeful... Remove Security Tab
-
-
21st October 2005, 02:03 PM #13 Re: Access To User Profiles
Yep, that works. Of course we would also need to restrict things like CACLS, XCACLS or any other app students could get onto a PC!
-
-
21st October 2005, 02:04 PM #14 Re: Access To User Profiles

Originally Posted by ChrisH:
"Maybe a scheduled script is needed to go through the files at night and find problem files and sort them?"
Hmmm...Sounds like a job for ICTNUT. Perhaps the Nasty File Search could be expanded to look for dodgy permissions!
-
-
21st October 2005, 02:11 PM #15 Re: Access To User Profiles
I think you could do a fairly easy script with a WMI query and I have VBScripts to change permissions and ownership. I did some scripts a while ago that found all the files belonging to certain users and tally them up. I could adapt that.
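The scheduled check suggested in posts #11 to #15, written here as an added PowerShell example; it is not code from any poster in this thread, and PowerShell postdates the W2K/XP setup discussed, so it assumes a newer admin machine. The share path and group names are placeholders.

```powershell
# Added example: report folders under a home/profile share whose ACL locks admins out.
# $Root and $AdminGroups are placeholders (assumptions), not values from the thread.
param(
    [string]$Root = '\\SERVER\Home$',
    [string[]]$AdminGroups = @('BUILTIN\Administrators', 'YOURDOMAIN\Domain Admins')
)

$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$GenericAll  = 0x10000000   # GENERIC_ALL, how some older tools record Full Control

function Test-FolderAcl {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # The "access denied, even as administrator" case: the ACL itself is unreadable.
        return [pscustomobject]@{ Path = $Path; Owner = $null; Issue = 'ACL unreadable' }
    }
    $issues = @()
    # Step 4 of the reproduction in post #10 (untick 'inherit') sets this flag.
    if ($acl.AreAccessRulesProtected) { $issues += 'inheritance disabled' }
    # Step 5 (remove Administrators) leaves no Allow ACE with Full Control for an admin group.
    $adminAce = $acl.Access | Where-Object {
        $rights = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        $AdminGroups -contains $_.IdentityReference.Value -and
        ((($rights -band $FullControl) -eq $FullControl) -or (($rights -band $GenericAll) -ne 0))
    }
    if (-not $adminAce) { $issues += 'no admin Full Control ACE' }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; Issue = $issues -join '; ' }
    }
}

# Check every folder below the share; -Force includes hidden ones.
$report = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Test-FolderAcl -Path $_.FullName }
if ($report) { $report | Sort-Object Path | Format-Table -AutoSize -Wrap }
```

Folders reported as 'ACL unreadable' need ownership taken, as described in post #3, before their permissions can be repaired.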
-