0

I am trying to add permissions for my Administrator group to the roaming profiles for terminal server.

The problem is I am barred access to the individual user profile folders.

I already tried enabling the GPO for "Add Administrators Group to Roaming Profile Folder" or something like that. It did not do anything.

What is it I am missing?

AtomicPorkchop

1 Answer

1

You'll have to add the Administrators group to the permissions of existing profile folders manually. The GPO setting affects new profiles as they are created, not existing profiles. You're probably going to have to take ownership of the existing profiles in order to add the Administrators group to the permissions.

joeqwerty
  • Yeah I tried that, and then the user could not log in even if I gave the full control over the folder. I also tried making a fresh account with a new profile and it did not add the admins to the list. – AtomicPorkchop Aug 04 '11 at 21:16
  • Where do you have the GPO with the setting linked? To the computer OU or to the user OU? This is a computer setting and needs to be linked to the OU where the computer objects that the users log on to are located. The computer creates the profile folders, not the user. Did you follow this guide when setting up the Share and NTFS permissions for the roaming profile parent folder? http://technet.microsoft.com/en-us/library/cc737633(WS.10).aspx – joeqwerty Aug 04 '11 at 22:30
  • @Solignis, If you have lots of users, then you are probably going to need to write a script to take ownership, adjust the permissions, and then change the ownership back to the user. Look at SetACL.exe or takeown/icacls. – Zoredache Aug 04 '11 at 22:51
  • I set the roaming profile GPO in the Default Domain Policy. All of my TS settings for lockdown are in a loopback policy linked to the terminal server OU. – AtomicPorkchop Aug 04 '11 at 22:51
  • @Zoredache, Lucky for me this is a new domain, and once all is added there will only be about 12 users. – AtomicPorkchop Aug 04 '11 at 22:52
  • You're not manually creating the roaming profile folder for each user are you? Do you have GPO inheritance blocked at the TS OU? – joeqwerty Aug 04 '11 at 23:27
  • @joeqwerty, nope I am letting TS do it for me on user logon. – AtomicPorkchop Aug 05 '11 at 01:36
  • It seems the answer to my question was simple. For some reason the group policy did not refresh when I logged out of the TS server and back in (it did before). So I ran `gpupdate /force` and it fixed the problem; I now have permission. – AtomicPorkchop Aug 05 '11 at 01:38
  • Glad you got it worked out. As an aside, computer configuration settings aren't applied/refreshed at user logon; they're applied at computer startup and at the periodic group policy refresh interval. Running `gpupdate /force` will force the refresh of both computer and user configuration settings. – joeqwerty Aug 05 '11 at 01:40
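
An added example (not code posted by anyone in this thread) of the kind of script the takeown/icacls comment describes for existing profile folders: take ownership, grant the Administrators group, then set the owner back to the user. The share path, the domain name, and the assumption that each folder is named after its account (optionally with a `.V2`-style suffix) are placeholders to adjust.

```powershell
# Added example: parameter defaults are placeholders, not values from the thread.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ProfileRoot = '\\fileserver\profiles$',  # hypothetical roaming profile share
    [string]$Domain      = 'EXAMPLE'                  # hypothetical NetBIOS domain name
)

function Invoke-Native {
    # Run takeown/icacls and stop this folder's processing on a non-zero exit code.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed ($LASTEXITCODE): $Arguments" }
}

foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
    # Assumption: the folder is named after the account, optionally with a .V2-style suffix.
    $user    = $dir.Name -replace '\.V\d+$', ''
    $account = "$Domain\$user"

    # Skip folders that do not map to a resolvable account rather than guess an owner.
    try {
        [void](New-Object Security.Principal.NTAccount($account)).Translate(
            [Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Skipping $($dir.FullName): cannot resolve $account"
        continue
    }

    if ($PSCmdlet.ShouldProcess($dir.FullName, "grant Administrators, owner -> $account")) {
        try {
            # 1. Give ownership to the Administrators group (/A), recursively (/R).
            #    '/D Y' answers the prompt on English systems; the letter is locale dependent.
            Invoke-Native takeown.exe @('/F', $dir.FullName, '/A', '/R', '/D', 'Y')
            # 2. Add an inheritable Full Control ACE for BUILTIN\Administrators (S-1-5-32-544).
            #    /grant without :r adds to the existing ACEs, so the user's own access stays.
            Invoke-Native icacls.exe @($dir.FullName, '/grant', '*S-1-5-32-544:(OI)(CI)F', '/T', '/C')
            # 3. Change ownership back to the user.
            Invoke-Native icacls.exe @($dir.FullName, '/setowner', $account, '/T', '/C')
        } catch {
            Write-Warning $_.Exception.Message
        }
    }
}
```

Run it from an elevated session with `-WhatIf` first to list the folders and owners it would touch.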