Didn't want to put one of my other threads off-topic so thought I'd make a new one :)
Situation is like this at the moment...
- one share per user on the file server
- roaming profile is inside My Documents folder in a folder called Profiles
- each user folder has permissions set as the User e.g. Joe Bloggs and Administrator Full Control
- each user folder has owner as local administrators group on the file server
- AppData was redirected inside the Profile folder (why I'll never know!)
This was how it was set up a long time before I was here, I want to change this to something more standard (and neater!) with a single share and user folders beneath.
Creating that system isn't difficult, standard GPO for redirection and I've used these permissions on the user data shared folder...
How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003
I've also made a share for AppData with the same permissions as the user data share. Tried a few test users and it works fine, logins are like lightning compared to how it is at the moment!
The issue is moving the user data over seamlessly as the files (and the user subfolders) need to have appropriate permissions set... as it stands all users' files seem to be owned by the local administrators group as their folders were made manually on the file server. This doesn't seem to play well with folder redirection as it needs the owner to be the user itself by the looks of it.
I've just tried with a test user logging in then moving the files from the old share to the new one while being logged in; they then gain the right permissions and owner. If I move the files on the server the permissions stay as they were and the owner changes (as expected really).
The other gotcha is that I don't want to copy the old Profiles over so somehow need to exclude them, I know you can do exclusion paths with Robocopy but don't think I can tell it to look in each folder and exclude any called Profiles?
One method of attack seems to be...
- change paths over on GPO
- users then get a fresh My Documents folder
- login script to move files from old path to new
- create a flag file once files are moved so the script knows next time it doesn't need to shift any documents again
- leave that running for a few weeks to catch all users
- after a set period unshare the old home folders and archive
- if any users weren't in over that period move them manually afterwards
The advantage there is that I could use the drive letter mapping in a Robocopy script so it could exclude the profile folder when moving stuff around. I'll put delprof in a startup \ shutdown script just beforehand + the GPO setting so users' old local cached copies get wiped and they then start again with a fresh profile from the new share.
It doesn't seem the neatest option but unless someone has a tricksy script to set the right permissions and owner based on the folder's name from the server side I can't see many other options as it stands? Would need to somehow populate all the subfolders and have the right owner set on each one to be able to do the migration from the server side it seems? It looks like I can copy a set of folders using Robocopy: robocopy \\srv1\share \\srv2\share /E /LEV:2 /SEC /XF *.* but that doesn't fix the ownership issue as far as I can tell...
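One way to script the server-side migration the post is asking about, added here as an example and not code from the original post or from any Microsoft article: it copies each user's folder with Robocopy (using /XD Profiles, which skips any directory called Profiles at any depth, so the old roaming profiles are not carried over), then uses icacls to make the user the owner of the new tree and grant them Full Control, verifies the owner with Get-Acl, and only then drops a marker file so a rerun skips that user. The share paths, the one-folder-per-user-named-after-the-account layout, the domain name and the log path are assumptions; it also assumes the new share root already carries the template ACL from the linked article and that it is run as an administrator on the file server (icacls /setowner needs that).

```powershell
# Added example (not from the original post): server-side migration of per-user
# home folders into a single share, skipping each user's "Profiles" subfolder and
# fixing ownership afterwards so folder redirection accepts the folders.
# ASSUMPTIONS (placeholders, not from the post): old layout \\srv1\users$\<user>,
# new layout \\srv2\homes$\<user>, NetBIOS domain CONTOSO, folders named after
# the user's account name. Run elevated on the file server.

param(
    [string]$OldRoot = '\\srv1\users$',          # assumed old share
    [string]$NewRoot = '\\srv2\homes$',          # assumed new share
    [string]$Domain  = 'CONTOSO',                # assumed NetBIOS domain name
    [string]$LogFile = "$env:TEMP\homemigrate.log",
    [switch]$DryRun                              # list what would happen, change nothing
)

$results = @()

foreach ($dir in Get-ChildItem -Path $OldRoot -Directory) {
    $user = $dir.Name
    $src  = $dir.FullName
    $dst  = Join-Path $NewRoot $user
    $flag = Join-Path $dst '.migrated'           # marker so a rerun skips finished users

    if (Test-Path $flag) {
        Write-Host "skip  $user (already migrated)"
        continue
    }
    if ($DryRun) {
        Write-Host "would migrate $src -> $dst (excluding any 'Profiles' directory)"
        continue
    }

    # 1. Copy the data. /XD Profiles excludes directories named Profiles at any depth.
    #    No /SEC on purpose: the new folder inherits the share's template ACL rather
    #    than the old per-folder ACL; user-specific entries are set explicitly below.
    & robocopy.exe $src $dst /E /XD Profiles /R:2 /W:5 /NP /NFL /NDL "/LOG+:$LogFile" | Out-Null
    $rc = $LASTEXITCODE
    if ($rc -ge 8) {                             # robocopy: 0-7 = success, 8+ = errors
        Write-Warning "robocopy failed for $user (exit $rc), see $LogFile"
        $results += [pscustomobject]@{ User = $user; Status = "copy-failed($rc)" }
        continue
    }

    # 2. Make the user the owner of the whole tree (folder redirection checks this)
    #    and grant Full Control, inherited by subfolders (CI) and files (OI).
    $acct = "$Domain\$user"
    & icacls.exe $dst /setowner $acct /T /C /Q | Out-Null
    & icacls.exe $dst /grant "${acct}:(OI)(CI)F" /T /C /Q | Out-Null

    # 3. Verify the owner really changed before marking this user as done.
    $owner = (Get-Acl -Path $dst).Owner
    if ($owner -ieq $acct) {
        New-Item -Path $flag -ItemType File -Force | Out-Null
        $results += [pscustomobject]@{ User = $user; Status = 'ok' }
    } else {
        Write-Warning "owner of $dst is '$owner', expected '$acct'"
        $results += [pscustomobject]@{ User = $user; Status = 'owner-mismatch' }
    }
}

$results | Format-Table -AutoSize
```

Run it once with -DryRun to see which folders it would touch, then for real; a user only gets the marker file after the owner check passes, so anything reported as copy-failed or owner-mismatch (for example a folder whose name does not match an account) is retried on the next run and is the list to deal with by hand before the old share is unshared and archived.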