We're in the process of building a new domain at the moment and have set up a basic share called something like "student users".
When we create a user account, we have set a roaming profile to \\student users\%username%\profile
Then, we have used folder redirection to make my documents \\student users\%username%\data
So, when a new user account is created, the first time they log in, these folders are created.
Now to the difficult bit.. When these folders are created, the user is given exclusive access to them. This isn't a problem until, for some reason, we need to look at that user's files. This could be in the case of misuse for example. In order to look at them, we have to take ownership of the folders. This isn't a problem either. However, once we have done this, even if we then give the user full control over the folders again, they can no longer access their profile or their documents.
WHY THE HELL DOES WINDOWS SERVER 2003 DO THIS!?!?! ..And more to the point, how can we stop it?
You can probably notice that I'm a tad wound up about it!
Anyone any ideas?
Try a look at this - it's what I used
http://support.microsoft.com/default...;en-us;Q288991
Alternatively - and I think this has been covered here before - set up the users' areas yourself and set the permissions required with a script (also shown here somewhere) - wish I'd done this myself, as using the MS method above gives irritating permissions problems when you copy files into the user areas (as I've had to do with digital photos etc)

"When we create a user account, we have set a roaming profile to \\student users\%username%\profile"
Why pray tell? There are plenty of posts and threads here to let everyone know just how evil and unnecessary these are for education and the problems they create. It is far simpler to map the My Documents folder to the root of their share, so in the redirect policy simply state \\servername\users\%username% this way you need only one policy to achieve everything.
Well... I'd love to get rid of roaming profiles but for a multitude of reasons it's just not possible at the moment. I would like to find the person whose idea it was originally and shoot them though!
<jolly sarcasm>
Poor old DOS_BOX, just because he couldn't get roaming profiles to work, he assumes they are no good for anyone!</jolly sarcasm>
I think you need to do 3 things
1 - Modify the MyDocs redirection policy and untick the box that says 'Grant the user exclusive rights to My Documents'
2 - Create a computer policy which will apply to all computers and under Admin Templates\System\User Profiles, enable the 'Add the Administrators group to roaming user profiles' and 'Do not check for user ownership of Roaming Profile Folders' settings.
3 - Separate user documents and profiles onto different shares e.g.
profiles... \\server\profiles$\%username%
files... \\server\users\%username%
<screams at top of voice in general direction of the Anti-RP crew>
Roaming profiles are not evil, but you do need to understand what they are and how they work to get the best from them.
</screams at top of voice in general direction of the Anti-RP crew>
climbs down off soapbox...

@ajbritton: It's not that they just cause loads of problems, there is very little need (if not no need) for them in a locked-down user environment.
Why save information about a user's settings if you are going to reset them the next time that they log on?
You can grant administrators access to "My Docs" when redirected (or other folders too) by carrying out the following (now, this is off the top of my head so bear with me if there are errors- check it out on a test system first):
1. Clear the "Grant User exclusive rights to My Documents" setting (in the settings tab within folder redirection)
2. Set security on the subfolder you are sharing that will contain the redirected folder(s)
To do (2), right click the folder and get to the security tab. Select "Advanced" and uncheck the "allow inheritable permissions from parent to propagate to this object" check box and then remove the permissions; now add four groups and assign them permissions--like so:
Admins- Full control, applying to "This folder, subfolders, and files"
System- Full control, which applies to "This folder, subfolders and files"
Creator Owner- Full control, which applies to "This folder, subfolder and files"
Authenticated Users- Create folders/Append Data, Read Permissions, Read Extended Attributes which apply to "This folder" only.
I think the KB article for all this is Q2888991. If you have *already* set up the redirected folders and need to gain admin rights after the fact, let me know and I can dig out the commands you can use to get those rights applied in any case.
HTH
Paul
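The permission set listed in the post above, written as a script rather than GUI steps. This is an added example, not part of the thread or the KB article; it assumes PowerShell is installed on the file server, that `$Root` (a hypothetical path) is the folder behind the share, and that "Admins" means the built-in Administrators group.

```powershell
# Added example: apply the four ACEs from the post to the parent folder
# that will contain the redirected folders. Run elevated on the file server.
param(
    [string]$Root = 'D:\Shares\Users'   # hypothetical path, adjust to your share
)

# Well-known SIDs, so the script does not depend on localized account names.
$admins   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544' # BUILTIN\Administrators
$system   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'     # SYSTEM
$creator  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'      # CREATOR OWNER
$authUser = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'     # Authenticated Users

$inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$inheritNo  = [System.Security.AccessControl.InheritanceFlags]::None
$propNone   = [System.Security.AccessControl.PropagationFlags]::None
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$full       = [System.Security.AccessControl.FileSystemRights]::FullControl
# "Create folders/Append Data, Read Permissions, Read Extended Attributes"
$userRights = [System.Security.AccessControl.FileSystemRights]'AppendData, ReadPermissions, ReadExtendedAttributes'

$acl = Get-Acl -Path $Root

# Uncheck "allow inheritable permissions..." and discard the inherited ACEs.
$acl.SetAccessRuleProtection($true, $false)

# Remove whatever explicit ACEs are left so only the four below remain.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

# Full control on this folder, subfolders and files.
foreach ($sid in $admins, $system, $creator) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $full, $inheritAll, $propNone, $allow)
    $acl.AddAccessRule($ace)
}

# Limited rights on this folder only: users can create their own folder
# but inherit nothing that lets them into anyone else's.
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $authUser, $userRights, $inheritNo, $propNone, $allow)
$acl.AddAccessRule($ace)

Set-Acl -Path $Root -AclObject $acl

# Show the result so it can be checked against the list in the post.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

Folders that already exist under `$Root` keep their current owner and any explicit ACEs; the script only changes what they inherit from the parent.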

If you need to reset the rights, PM me next week and I will send the VBScript
[topic locked - use the sticky thread regarding use of roaming profiles]
PM me thomas if you need to add more to this topic - i.e. if you still need help with this one
Cheers
N.