2

I'm having a bit of an issue getting roaming profiles set up with Server 2008 R2. Here are the permissions that I have set on the roaming profile share:

Share Permissions

Administrators - Full
SYSTEM - Full
Authenticated Users - Full

NTFS Permissions

Administrators - Full
CREATOR OWNER - Full
SYSTEM - Full
Authenticated Users - List Folder/Read Data, Read, Create Folders/Write Data (This Folder Only)

This seems to be working without a problem; the profile is automatically created for the user when they first log in.

The issue that I am having is that I don't want users to be able to just create folders in the roaming profile share, but if I remove that permission, nothing gets created.

2 Answers

1

If you want the profile folders to be created at first login by the user, then you are stuck with these permissions. While synchronizing a user's profile folder at login/logout to the profile share, the user's security settings are used, so if the user does not have permissions to create a folder on the profile share, you have a problem.

Unfortunately, there is no way to give users permission to create just their own folder and no more.

I think a way around it would be for you to precreate profile folders on the profile share for your users (and give each user full permissions on their own profile folder), before their first logon. The users should then only need permissions to traverse/read contents of the profile share (this folder only).

Note that my experience with this is with Win2k and Win2k3 (for now), not Win2k8, but I don't think it should be that different.

Skyhawk
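The pre-creation approach from the answer above, as an added PowerShell sketch that is not part of the original post: it tightens the share root so users can only list and traverse it, then creates one folder per user with Full Control for that user alone. The path, domain and account names are placeholders; the `.V2` suffix (appended to the profile folder name by Vista-era and later clients such as 2008 R2) and the choice to make each user the owner of their folder are assumptions of this example.

```powershell
# Added example: run elevated on the file server. All parameter values are placeholders.
param(
    [string]$ProfileRoot = 'D:\Users\RoamingProfiles',  # local path behind the profile share
    [string]$Domain      = 'EXAMPLE',                    # placeholder NetBIOS domain name
    [string[]]$Users     = @('alice', 'bob'),            # constructed sample accounts
    [string]$Suffix      = '.V2'                         # assumption: 2008 R2-era profile folder suffix
)

# Share root: admins and SYSTEM keep Full (inherited by children); users get
# Read & Execute on this folder only, so they can no longer create folders here.
icacls $ProfileRoot /inheritance:r /grant:r 'Administrators:(OI)(CI)F' `
    'SYSTEM:(OI)(CI)F' 'Authenticated Users:(RX)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not set ACL on $ProfileRoot" }

foreach ($u in $Users) {
    $account = '{0}\{1}' -f $Domain, $u
    $folder  = Join-Path $ProfileRoot ($u + $Suffix)

    # A folder that already exists may have been created by anyone while the
    # root was still writable, so report it for review instead of trusting it.
    if (Test-Path $folder) {
        Write-Warning "Skipping existing folder, review its owner and ACL: $folder"
        continue
    }

    New-Item -ItemType Directory -Path $folder | Out-Null

    # Only this user (plus the inherited Administrators/SYSTEM entries) gets access.
    icacls $folder /grant:r "${account}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Grant failed for $account"; continue }

    # Make the user the owner of the pre-created folder.
    icacls $folder /setowner $account | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not set owner on $folder" }
}
```

Afterwards, `icacls D:\Users\RoamingProfiles` should show no create or write entry for Authenticated Users on the root.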
-2

This is a bit tricky to give a right answer to because there are several ways you can solve this and you have to understand the concept of roaming profiles. Not saying that you don't.

What you can and often want to do is create policies to redirect some folders like My Documents, Desktop and others. What I like to do is create some directories on my server data dir, like so:

D:\Users\RoamingProfiles

D:\Users\Homedir

D:\Users\Desktop

or something like that.

So when users log in to their desktops, if you implemented policies for roaming profiles correctly in Active Directory, you have full control over the desktop for that user. In an enterprise environment what you may want to do is:

Create a standard user profile as a template for new roaming profiles. Lock the desktop and only show icons to programs which you provided in your template. If users want to create folders or files, redirect them to the homedir or enterprise data dir. For example: on their workstation H:\ is their homedir on the server. M:\ is the enterprise data dir.

For more info on how to use Active Directory and policies have a look on the MSDN website.

I hope this helped.

Skyhawk