Help with Owner of a roaming profile folder

John D. Leonard -- Sage

Guest
I have several users, with roaming profiles, that use the same
folder as Domain Administrators.

Now I want to take the administrator privilege away from them and still let
them use the same folder.

How do I set all users as "Owners" of the folder?

Would I set up another Group (non-administrator group) and add the users to
that?

thx


--
John D. Leonard -- Sage
 
Re: Help with Owner of a roaming profile folder

John,
It's hard to be sure exactly what you mean.
The Profiles folder (say, \profiles$) should allow users full control. This
allows the profile creation process, running in the user context, to create
a profile and then set the correct permissions on it, which are exclusive
control of the profile. This way, no-one else can get into another person's
profile.
An administrator (only) can take ownership of an individual profile, but
this breaks the profile.
So if you have those permissions you don't need to do anything, and you
might want to explain more what you are trying to achieve.
Hope that helps,
Anthony,
http://www.airdesk.com
 
Re: Help with Owner of a roaming profile folder

Thanks for replying.

To further explain - I am not having a problem with the Home folder, it is
with the folder I have mapped (i.e. S:) to have them share and work in.

That folder (S:) has the Everyone Full permissions set, however, when I take
the user out of the Domain Admin Group - they lose access to it??

I don't understand why they are losing the access to it?

--
John D. Leonard -- Sage
 
Re: Help with Owner of a roaming profile folder

Sorry meant to say Profiles not Home

--
John D. Leonard -- Sage
 
Re: Help with Owner of a roaming profile folder

Have you checked both the folder NTFS permissions and the Share permissions?
Whatever group you want them to be in (domain users, or a group you create)
you can give them Change permissions on the Share, and Modify permissions on
the folder.
Hope that helps,
Anthony,
http://www.airdesk.com
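
The two layers Anthony names can be listed side by side and then set for a dedicated non-admin group. This is an added example, not part of the original posts; it assumes the SmbShare cmdlets (Windows Server 2012 or later), and the share name `Shared` and group `EXAMPLE\SharedDriveUsers` are hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the file server.
# Assumptions: SmbShare module present (Windows Server 2012 or later);
# 'Shared' and 'EXAMPLE\SharedDriveUsers' are hypothetical names.

function Get-ShareAndNtfsAccess {
    # Lists share-level and NTFS-level entries for one share in a single table.
    # A user needs an allow at BOTH layers; the more restrictive layer decides.
    param([Parameter(Mandatory)][string]$ShareName)

    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop

    $shareRows = Get-SmbShareAccess -Name $ShareName | ForEach-Object {
        [pscustomobject]@{
            Layer    = 'Share'
            Identity = $_.AccountName
            Type     = "$($_.AccessControlType)"
            Rights   = "$($_.AccessRight)"
        }
    }
    $ntfsRows = (Get-Acl -LiteralPath $share.Path).Access | ForEach-Object {
        [pscustomobject]@{
            Layer    = 'NTFS'
            Identity = $_.IdentityReference.Value
            Type     = "$($_.AccessControlType)"
            Rights   = "$($_.FileSystemRights)"
        }
    }
    @($shareRows) + @($ntfsRows)
}

function Grant-WorkingShareAccess {
    # Gives one group Change on the share and Modify on the folder tree,
    # so access no longer depends on Domain Admins membership.
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$Group
    )
    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # Share layer: Change
    Grant-SmbShareAccess -Name $ShareName -AccountName $Group `
        -AccessRight Change -Force | Out-Null

    # NTFS layer: Modify, inherited by subfolders and files
    $rights  = [System.Security.AccessControl.FileSystemRights]::Modify
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Group, $rights, $inherit, $prop, $allow

    $acl = Get-Acl -LiteralPath $share.Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $share.Path -AclObject $acl
}

# Usage:
#   Get-ShareAndNtfsAccess -ShareName 'Shared' | Format-Table -AutoSize
#   Grant-WorkingShareAccess -ShareName 'Shared' -Group 'EXAMPLE\SharedDriveUsers'
#   Get-ShareAndNtfsAccess -ShareName 'Shared' | Format-Table -AutoSize
```

If the first listing shows Everyone = Full only in the Share rows while the NTFS rows name administrators alone, users removed from Domain Admins are being stopped at the NTFS layer.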
 
Re: Help with Owner of a roaming profile folder

John D. Leonard -- Sage <sage.grp@comcast.net> wrote:
> Sorry meant to say Profiles not Home
>


I'm a bit confused. You don't usually map a drive to your profiles share,
and users shouldn't be "working" in it at all. You need to use folder
redirection, for My Documents at the very least - you can use the home
directories for that. You can also redirect Application Data and Desktop
(I'd avoid redirecting the start menu, for performance reasons and so
forth). The profile folders should be in a hidden share, and Administrators
+ the System account + %username% would need full control. Users shouldn't
be accessing the profile folders directly at all.

I'm posting my boilerplate on roaming profiles below. Hope this helps.

1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is not set
to allow offline files/caching!
2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and users=full
control.
3. In the users' ADUC properties, specify \\server\profiles$\%username% in
the profiles field
4. Have each user log into the domain once from their usual workstation
(where their existing profile lives) and log out. The profile is now
roaming.
5. If you want the administrators group to automatically have permissions to
the profiles folders, you'll need to make the appropriate change in group
policy. Look in computer configuration/administrative templates/system/user
profiles - there's an option to add administrators group to the roaming
profiles permissions.

Notes:

* Make sure users understand that they should never log into multiple
computers at the same time when they have roaming profiles (unless you make
the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't
change them). Explain that the last one out wins, when it comes to uploading
the final, changed copy of the profile.

* Keep your profiles TINY. Redirect My Documents at the very least; usually
best done to the user's home directory on the server - either via
group policy (folder redirection) or manually (far less advisable). If you
aren't going to also redirect the desktop using policies, tell users that
they are not to store any files on the desktop or you will beat them with a
stick. Big profile=slow login/logout, and possible profile corruption.

* Note that user profiles are not compatible between different OS versions,
even between W2k/XP. Keep all your computers. Keep your workstations as
identical as possible - meaning, OS version is the same, SP level is the
same, app load is (as much as possible) the same.

* Do not let people store any data locally - all data belongs on the server.

* The User Profile Hive Cleanup Utility should be running on all your
computers. You can download it here:
http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en



 
Re: Help with Owner of a roaming profile folder

Lanwench

I appreciate your response.

I have a logon BAT that maps a shared folder - that is the folder I am
trying to control.

This folder was set up with Domain Admin ownership, seems when I take the
users out of the Admin group, they lose their roaming profile?

I do not know how the mapped drive/folder (with Domain Admin Owner) is
changing things, but it is?? I was asking if I should set up the users in
their own group and give them Full Permissions. Would this eliminate the
roaming profile problem?

Again, I do not see how the roaming profile is even entering into the
problem.

thx
 
Re: Help with Owner of a roaming profile folder

Everyone - thanks for the help.

I have solved my problem.
 
Re: Help with Owner of a roaming profile folder

North Coast Sea Foods <jleonard@northcoastseafoods.com> wrote:
> Lanwench
>
> I appreciate your response.
>
> I have a logon BAT that maps a shared folder - that is the folder I am
> trying to control.

What *is* that folder?

> This folder was set up with Domain Admin ownership, seems when I take
> the users out of the Admin group, they lose their roaming profile?

If this is a mapped drive pointing at a share you use for roaming profile
storage, stop mapping that drive ASAP.
Users should *never* be in any domain admin groups. You'll need to check the
ownership on their roaming profile folder (the parent) and correct it to
Administrators - and then reset the NTFS permissions as I already mentioned
(Administrators & System & %username% = full control on each folder)

> I do not know how the mapped drive/folder (with Domain Admin Owner) is
> changing things, but it is?? I was asking if I should set up the
> users in their own group and give them Full Permissions. Would this
> eliminate the roaming profile problem?

Unfortunately, I still don't understand exactly what the roaming profile
problem *is*

> Again, I do not see how the roaming profile is even entering into the
> problem.

Nor do I - but you brought it up. I think you'll need to be much more
specific about where things are - paths, share names, login scripts, and
both share & NTFS permissions. Also exact symptoms & error messages.
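
A read-only check of the settings Lanwench lists: the share configuration from steps 1 and 2 of the roaming-profile boilerplate, and the per-folder permissions from the reply above (Administrators, System and %username% = full control). It is an added example, not part of the original posts; it assumes the SmbShare cmdlets (Windows Server 2012 or later), an English-language system where the group is named `Everyone`, profile folders named after the account (optionally with a `.V2`-style suffix), and a hypothetical NetBIOS domain name `EXAMPLE`.

```powershell
# Added example (not from the thread). Read-only audit; run elevated on the file server.
# Assumptions: SmbShare module (Windows Server 2012 or later); each profile folder is
# named after the account, optionally with a .V2-style suffix; 'EXAMPLE' is hypothetical.

$AdminSid  = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$SystemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM (well-known SID)

function Test-ProfileShare {
    # Steps 1-2 of the boilerplate: hidden share, no offline caching,
    # Everyone = Full at the share level.
    param([Parameter(Mandatory)][string]$ShareName)

    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop
    $everyoneFull = Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccountName -eq 'Everyone' -and
        "$($_.AccessRight)" -eq 'Full' -and
        "$($_.AccessControlType)" -eq 'Allow'
    }
    [pscustomobject]@{
        Share        = $share.Name
        Path         = $share.Path
        Hidden       = $share.Name.EndsWith('$')
        CachingOff   = "$($share.CachingMode)" -eq 'None'
        EveryoneFull = [bool]$everyoneFull
    }
}

function Test-ProfileFolderAcl {
    # One row per profile folder: owner, whether Administrators, SYSTEM and the
    # folder's user each hold Full Control, and any other identity with an allow entry.
    param(
        [Parameter(Mandatory)][string]$ProfileRoot,
        [Parameter(Mandatory)][string]$Domain
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
        $user = '{0}\{1}' -f $Domain, ($dir.Name -replace '\.V\d+$', '')
        $acl  = Get-Acl -LiteralPath $dir.FullName
        $seen = @{ Admins = $false; System = $false; User = $false }
        $unexpected = @()

        foreach ($ace in $acl.Access) {
            if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
            $name = $ace.IdentityReference.Value
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $name   # orphaned or unresolvable entry: keep the raw value
            }
            $isFull = ($ace.FileSystemRights -band $full) -eq $full

            if     ($sid -eq $AdminSid)  { if ($isFull) { $seen.Admins = $true } }
            elseif ($sid -eq $SystemSid) { if ($isFull) { $seen.System = $true } }
            elseif ($name -ieq $user)    { if ($isFull) { $seen.User   = $true } }
            else                         { $unexpected += $name }
        }

        [pscustomobject]@{
            Folder     = $dir.Name
            Owner      = $acl.Owner
            AdminsFull = $seen.Admins
            SystemFull = $seen.System
            UserFull   = $seen.User
            Unexpected = ($unexpected | Select-Object -Unique) -join '; '
        }
    }
}

# Usage (share name and path as in the boilerplate above):
#   Test-ProfileShare -ShareName 'profiles$'
#   Test-ProfileFolderAcl -ProfileRoot 'D:\profiles' -Domain 'EXAMPLE' |
#       Format-Table -AutoSize
```

Rows with a `False` column or a non-empty `Unexpected` column are the folders whose ownership and NTFS permissions need the reset described above.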
 
Re: Help with Owner of a roaming profile folder

North Coast Sea Foods <jleonard@northcoastseafoods.com> wrote:
> Everyone - thanks for the help.
>
> I have solved my problem.


Great - mind sharing the solution for the benefit of others?


> "North Coast Sea Foods" <jleonard@northcoastseafoods.com> wrote in
> message news:e3RVbAY6HHA.2380@TK2MSFTNGP02.phx.gbl...
>> Lanwench
>>
>> I appreciate your response.
>>
>> I have a logon BAT that maps a shared folder - that is the folder I
>> am trying to control.
>>
>> This folder was setup with Domain Admin ownership, seems when I take
>> the users out of the Admin group, they loose their roaming profile?
>>
>> I do not know how the maped drive/folder (with Domain Admin Owner) is
>> changing things, but it is?? I was asking if I should set up the
>> users in their own group and give them Full Permissions. Would this
>> eliminate the roaming profile problem?
>>
>> Again, I do not see how the roaming profile is even entering into the
>> problem>
>>
>> thx
>>
>>
>>
>> "Lanwench [MVP - Exchange]"
>> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
>> message news:eLjY1go5HHA.5184@TK2MSFTNGP03.phx.gbl...
>>> John D. Leonard -- Sage <sage.grp@comcast.net> wrote:
>>>> Sorry meant to say Profiles not Home
>>>>
>>>
>>> I'm a bit confused. You don't usually map a drive to your profiles
>>> share, and users shouldn't be "working" in it at all. You need to
>>> use folder redirection, for My Documents at the very least - you
>>> can use the home directories for that. You can also redirect
>>> Application Data and Desktop (I'd avoid redirecting the start menu,
>>> for performance reasons and so forth). The profile folders should
>>> be in a hidden share, and Administrators + the System account +
>>> %username% would need full control. Users shouldn't be accessing
>>> the profile folders directly at all. I'm posting my boilerplate on
>>> roaming profiles below. Hope this helps.
>>>
>>> 1. Set up a share on the server. For example - d:\profiles, shared
>>> as profiles$ to make it hidden from browsing. Make sure this share
>>> is not set to allow offline files/caching!
>>> 2. Make sure the share permissions on profiles$ indicate
>>> everyone=full control. Set the NTFS security to administrators,
>>> system, and users=full control.
>>> 3. In the users' ADUC properties, specify
>>> \\server\profiles$\%username% in the profiles field
>>> 4. Have each user log into the domain once from their usual
>>> workstation (where their existing profile lives) and log out. The
>>> profile is now roaming.
>>> 5. If you want the administrators group to automatically have
>>> permissions to the profiles folders, you'll need to make the
>>> appropriate change in group policy. Look in computer
>>> configuration/administrative templates/system/user profiles -
>>> there's an option to add administrators group to the roaming
>>> profiles permissions.
>>>
>>> Notes:
>>>
>>> * Make sure users understand that they should never log into
>>> multiple computers at the same time when they have roaming profiles
>>> (unless you make the profiles mandatory by renaming ntuser.dat to
>>> ntuser.man so they can't change them). Explain that the last one out
>>> wins, when it comes to uploading the final, changed copy of the
>>> profile.
>>>
>>> * Keep your profiles TINY. Redirect My Documents at the very least;
>>> usually best done to the user's home directory on the server -
>>> either via group policy (folder redirection) or manually (far less
>>> advisable). If you aren't going to also redirect the desktop using
>>> policies, tell users that they are not to store any files on the
>>> desktop or you will beat them with a stick. Big profile=slow
>>> login/logout, and possible profile corruption.
>>>
>>> * Note that user profiles are not compatible between different OS
>>> versions, even between W2k/XP. Keep all your computers. Keep your
>>> workstations as identical as possible - meaning, OS version is the
>>> same, SP level is the same, app load is (as much as possible) the
>>> same.
>>>
>>> * Do not let people store any data locally - all data belongs on
>>> the server.
>>>
>>> * The User Profile Hive Cleanup Utility should be running on all
>>> your computers. You can download it here:
>>> http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en
 
Re: Help with Owner of a romaing profile folder

Lanwench

Sorry for not getting back to you.

I have gone further into my problem and found out that the users (several of
them!) misdirected me re their problem.

Let me try to explain my problem now!

I have removed these users from the Domain Admin group, where they have been
for some time now!

Now when they log on, they are getting a different looking DeskTop? As if it
is being set up with another user's profile (EACH USER IS DIFFERENT)??

When I add them back into the Domain Admin Group - all is ok. It has nothing
to do with the shared work folder in the logon bat!

I can not figure out what is wrong with their profile? I have set up a
test PC and everything is working perfectly - when in Domain Admin Group and
when taken out of it - ALL IS WORKING CORRECTLY -- PROFILES AND ALL?

I DO NOT KNOW WHAT IS HAPPENING TO DESTROY THEIR ROAMING PROFILE -- BY THE
WAY THIS IS ON THE SAME COMPUTER THEY USE DAILY, NOT ON ONE THEY HAVE MOVED
TO.

ANY HELP APPRECIATED - SORRY FOR THE CONFUSION.

I have
"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
news:Obe51986HHA.3624@TK2MSFTNGP05.phx.gbl...
> North Coast Sea Foods <jleonard@northcoastseafoods.com> wrote:
>> Lanwench
>>
>> I appreciate your response.
>>
>> I have a logon BAT that maps a shared folder - that is the folder I am
>> trying to control.

>
> What *is* that folder?
>>
>> This folder was set up with Domain Admin ownership, seems when I take
>> the users out of the Admin group, they lose their roaming profile?

>
> If this is a mapped drive pointing at a share you use for roaming profile
> storage, stop mapping that drive ASAP.
> Users should *never* be in any domain admin groups. You'll need to check
> the ownership on their roaming profile folder (the parent) and correct it
> to Administrators - and then reset the NTFS permissions as I already
> mentioned (Administrators & System & %username% = full control on each
> folder)
>>
>> I do not know how the mapped drive/folder (with Domain Admin Owner) is
>> changing things, but it is?? I was asking if I should set up the
>> users in their own group and give them Full Permissions. Would this
>> eliminate the roaming profile problem?

>
> Unfortunately, I still don't understand exactly what the roaming profile
> problem *is*
>>
>> Again, I do not see how the roaming profile is even entering into the
>> problem>

>
> Nor do I - but you brought it up. I think you'll need to be much more
> specific about where things are - paths, share names, login scripts, and
> both share & NTFS permissions. Also exact symptoms & error messages.
>>
>> thx
>>
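The ownership and NTFS layout quoted in the post above (owner Administrators; Administrators, System and %username% with full control on each profile folder) can be checked across the whole share with a read-only script. This is an added example, not code from the thread; the parameter names, the one-folder-per-account naming and the `.V2`-style suffix handling are assumptions.

```powershell
# Added example (not from the thread): read-only audit of roaming-profile folders.
# Expected layout, as stated in the thread: owner = Administrators, and
# Administrators + SYSTEM + the profile's own user each hold Full Control.
# Assumptions: -ProfileRoot is the folder behind profiles$ (d:\profiles is the
# thread's example), each child folder is named after its account (optionally
# with a .V2-style suffix), and -Domain is your NetBIOS domain name.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)] [string] $ProfileRoot,
    [Parameter(Mandatory = $true)] [string] $Domain
)

$sidType     = [System.Security.Principal.SecurityIdentifier]
$adminsSid   = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$systemSid   = 'S-1-5-18'       # NT AUTHORITY\SYSTEM (well-known SID)
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Turn a SID string into DOMAIN\name for the report; fall back to the raw SID.
function Get-DisplayName([string] $Sid) {
    try {
        $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $s.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
    $findings = @()

    # Map the folder name to the account that should own the profile data.
    $account = $dir.Name -replace '\.V\d+$', ''
    try {
        $nt      = New-Object System.Security.Principal.NTAccount($Domain, $account)
        $userSid = $nt.Translate($sidType).Value
    } catch {
        $userSid  = $null
        $findings += "no account $Domain\$account (orphaned profile folder?)"
    }

    try {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Folder = $dir.FullName; Owner = '?'; Compliant = $false
                           Findings = "cannot read ACL: $($_.Exception.Message)" }
        continue
    }

    # Compare by SID so localized or renamed groups do not cause false alarms.
    $ownerSid = $acl.GetOwner($sidType).Value
    if ($ownerSid -ne $adminsSid) {
        $findings += "owner is $($acl.Owner), expected Administrators"
    }

    $expected = @($adminsSid, $systemSid, $userSid) | Where-Object { $_ }
    $hasFull  = @{}
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        # Inherit-only ACEs apply to children, not to this folder itself.
        if (($rule.PropagationFlags -band $inheritOnly) -eq $inheritOnly) { continue }
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Deny') {
            $findings += "deny ACE for $(Get-DisplayName $sid)"
        } elseif ($expected -notcontains $sid) {
            # Anyone besides the three expected trustees can reach this profile.
            $findings += "unexpected trustee $(Get-DisplayName $sid): $($rule.FileSystemRights)"
        } elseif (($rule.FileSystemRights -band $fullControl) -eq $fullControl) {
            $hasFull[$sid] = $true
        }
    }
    foreach ($sid in $expected) {
        if (-not $hasFull.ContainsKey($sid)) {
            $findings += "$(Get-DisplayName $sid) lacks Full Control"
        }
    }

    [pscustomobject]@{
        Folder    = $dir.FullName
        Owner     = $acl.Owner
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}
```

Run it from an account in the server's Administrators group and filter on `Compliant -eq $false`; it only reports and changes no owner or permission.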
 
Re: Help with Owner of a romaing profile folder

North Coast Sea Foods <jleonard@northcoastseafoods.com> wrote:
> Lanwench
>
> Sorry for not getting back to you.
>
> I have gone further into my problem and found out that the users
> (several of them!) misdirected me re their problem.


That happens :)

>
> Let me try to explain my problem now!
>
> I have removed these users from the Domain Admin group, where they
> have been for some time now!


Good - they should not have any admin rights anywhere at all.

>
> Now when they log on, they are getting a different looking DeskTop?
> As if it is being set up with another user's profile (EACH USER IS
> DIFFERENT)??


Event logs?

>
> When I add them back into the Domain Admin Group - all is ok. It has
> nothing to do with the shared work folder in the logon bat!


Remember, domain admins are by default also LOCAL admins - so something may
be funky in the profile and expect local admin rights. As a test, add a
domain user to the local Administrators group and test.

>
> I can not figure out what is wrong with their profile? I have set up a
> test PC and everything is working perfectly -


For one of these same users? If so, I'd remove the cached profiles from
their actual workstations & let them re-download on login.

> when in Domain
> Admin Group and when taken out of it - ALL IS WORKING CORRECTLY --
> PROFILES AND ALL?
> I DO NOT KNOW WHAT IS HAPPENING TO DESTROY THEIR ROAMING PROFILE --
> BY THE WAY THIS IS ON THE SAME COMPUTER THEY USE DAILY, NOT ON ONE
> THEY HAVE MOVED TO.
>
> ANY HELP APPRECIATED - SORRY FOR THE CONFUSION.


No prob, but pls lose the caps lock - it means you're "shouting"

 
Re: Help with Owner of a romaing profile folder

Hi

I'm back with some more interesting results. At this time, I'm thinking the
user is up to no good!

I tested myself - I took them out of the Domain Admin group and did a log
on. Yup! the profiles are bad/corrupted - shows the Icons and background -
no My Documents and the Icons are not lined up properly?

When I add them back to the Domain Admin group - ALL IS WELL?

I do not know what they have done? Is there any way, short of deleting them
and re-establishing the profile? Remember they are Roaming Profiles.

thx for your help.

When
 
Re: Help with Owner of a romaing profile folder

Northcoastseafoods <jleonard@northcoastseafoods.com> wrote:
> Hi
>
> I'm back with some more interesting results. At this time, I'm
> thinking the user is up to no good!


This is unlikely to have anything to do with a misbehaving user.
>
> I tested myself - I took them out of the Domain Admin group and did a
> log on. Yup! the profiles are bad/corrupted - shows the Icons and
> background - no My Documents and the Icons are not lined up properly?
>
> When I add them back to the Domain Admin group - ALL IS WELL?


What about adding them to the *local* Administrators group, as I suggested
in my last post?
>
> I do not know what they have done? Is there any way, short of deleting
> them and re-establishing the profile? Remember they are Roaming
> Profiles.


Did you try what I suggested?

1) Make 100% sure the roaming profile folder for that user has the following
settings:

Owner: Administrators (and propagate the settings to all subfolders)
NTFS: Administrators + System + %username% = full control (and propagate
the settings to all subfolders)

2) Log in to the workstation as an admin, remove the user's cached profile
(either use delprof from the resource kit or go to control panel | system |
advanced ...etc)
3) Log into the workstation as the user and see

If the profile doesn't load, check the application event log for errors.

It may be easier to recreate the user's profile than spend more time on
this. Just copy out data they need (IE favorites, etc). Rename the server
copy of the user's profile, log into a workstation as the user (where it
isn't cached anymore), let it be recreated.

>
> thx for your help.
>>>>> "Lanwench [MVP - Exchange]"
>>>>> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote
>>>>> in message news:eLjY1go5HHA.5184@TK2MSFTNGP03.phx.gbl...
>>>>>> John D. Leonard -- Sage <sage.grp@comcast.net> wrote:
>>>>>>> Sorry meant to say Profiles not Home
>>>>>>>
>>>>>>
>>>>>> I'm a bit confused. You don't usually map a drive to your
>>>>>> profiles share, and users shouldn't be "working" in it at all.
>>>>>> You need to use folder redirection, for My Documents at the very
>>>>>> least - you can use the home directories for that. You can also
>>>>>> redirect Application Data and Desktop (I'd avoid redirecting the
>>>>>> start menu, for performance reasons and so forth). The profile
>>>>>> folders should be in a hidden share, and Administrators + the
>>>>>> System account + %username% would need full control. Users
>>>>>> shouldn't be accessing the profile folders directly at all. I'm
>>>>>> posting my boilerplate on roaming profiles below. Hope this helps.
>>>>>>
>>>>>> 1. Set up a share on the server. For example - d:\profiles, shared
>>>>>> as profiles$ to make it hidden from browsing. Make sure this share
>>>>>> is not set to allow offline files/caching!
>>>>>> 2. Make sure the share permissions on profiles$ indicate
>>>>>> everyone=full control. Set the NTFS security to administrators,
>>>>>> system, and users=full control.
>>>>>> 3. In the users' ADUC properties, specify
>>>>>> \\server\profiles$\%username% in the profiles field
>>>>>> 4. Have each user log into the domain once from their usual
>>>>>> workstation (where their existing profile lives) and log out. The
>>>>>> profile is now roaming.
>>>>>> 5. If you want the administrators group to automatically have
>>>>>> permissions to the profiles folders, you'll need to make the
>>>>>> appropriate change in group policy. Look in computer
>>>>>> configuration/administrative templates/system/user profiles -
>>>>>> there's an option to add administrators group to the roaming
>>>>>> profiles permissions.
>>>>>>
>>>>>> Notes:
>>>>>>
>>>>>> * Make sure users understand that they should never log into
>>>>>> multiple computers at the same time when they have roaming
>>>>>> profiles (unless you make the profiles mandatory by renaming
>>>>>> ntuser.dat to ntuser.man so they can't change them). Explain that
>>>>>> the last one out wins, when it comes to uploading the final,
>>>>>> changed copy of the profile.
>>>>>> * Keep your profiles TINY. Redirect My Documents at the very
>>>>>> least; usually best done to the user's home directory on the
>>>>>> server - either via group policy (folder redirection) or manually
>>>>>> (far less advisable). If you aren't going to also redirect the
>>>>>> desktop using policies, tell users that they are not to store any
>>>>>> files on the desktop or you will beat them with a stick. Big
>>>>>> profile=slow login/logout, and possible profile corruption.
>>>>>> * Note that user profiles are not compatible between different OS
>>>>>> versions, even between W2k/XP. Keep all your computers. Keep your
>>>>>> workstations as identical as possible - meaning, OS version is
>>>>>> the same, SP level is the same, app load is (as much as
>>>>>> possible) the same.
>>>>>> * Do not let people store any data locally - all data belongs on
>>>>>> the server.
>>>>>> * The User Profile Hive Cleanup Utility should be running on all
>>>>>> your computers. You can download it here:
>>>>>> http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en
>>>>>>
>>>>>>
>>>>>>
 
Re: Help with Owner of a romaing profile folder


No I did not try the Local Administrators Group. I'm trying to eliminate the
Administrator rights/permissions.

I will try it next Tuesday.

I will follow your other instructions!

Let you know how I make out.

Thx again
--
John D. Leonard -- Sage
"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
news:OsdD49T9HHA.5712@TK2MSFTNGP04.phx.gbl...
> Northcoastseafoods <jleonard@northcoastseafoods.com> wrote:
>> Hi
>>
>> I'm back with some more interesting results. At this time, I'm
>> thinking the user is up to no good!

>
> This is unlikely to have anything to do with a misbehaving user.
>>
>> I tested myself - I took them out of the Domain Admin group and did a
>> log on. Yup! the profiles are bad/corrupted - shows the Icons and
>> background - no My Documents and the Icons are not lined up properly?
>>
>> When I add them back to the Domain Admin group - ALL IS WELL?

>
> What about adding them to the *local* Administrators group, as I suggested
> in my last post?
>>
>> I do not know what they have done? Is there any way, short of deleting
>> them and re-establishing the profile? Remember they are Roaming
>> Profiles.

>
> Did you try what I suggested?
>
> 1) Make 100% sure the roaming profile folder for that user has the
> following settings:
>
> Owner: Administrators (and propagate the settings to all subfolders)
> NTFS: Administrators + System + %username% = full control (and propagate
> the settings to all subfolders)
>
> 2) Log in to the workstation as an admin, remove the user's cached profile
> (either use delprof from the resource kit or go to control panel | system
> | advanced ...etc)
> 3) Log into the workstation as the user and see
>
> If the profile doesn't load, check the application event log for errors.
>
> It may be easier to recreate the user's profile than spend more time on
> this. Just copy out data they need (IE favorites, etc). Rename the server
> copy of the user's profile, log into a workstation as the user (where it
> isn't cached anymore), let it be recreated.
>
>>
>> thx for your help.
>>
 
Re: Help with Owner of a romaing profile folder

John D. Leonard -- Sage <sage.grp@comcast.net> wrote:
> No I did not try the Local Administrators Group. I'm trying to
> eliminate the Administrator rights/permissions.


Well, but that's one way to eliminate it (really, "isolate" it). The
permissions they "need" are unlikely to be domain admin rights.....I suspect
there's something funky that expects *local* admin rights.
>
> I will try it next Tuesday.
>
> I will follow your other instructions!
>
> Let you know how I make out.


Good; please do. And best of luck.


>
> Thx again
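
A read-only PowerShell check of the folder settings Lanwench lists in this thread (Owner: Administrators; Administrators + System + %username% = full control, propagated to subfolders), added here as an illustration and not part of the original posts. The `D:\profiles` path is the thread's own example; the `EXAMPLE` domain name, the `Test-ProfileFolderAcl` function name, and the assumption that each profile folder is named after its user (optionally with a `.V2`-style suffix) are hypothetical.

```powershell
# Added example: read-only audit; it changes no owners or permissions.
param(
    [string]$ProfileRoot = 'D:\profiles',  # example path from the thread
    [string]$Domain      = 'EXAMPLE'       # placeholder domain name (assumption)
)

$AdminSid  = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators
$SystemSid = 'S-1-5-18'       # well-known SID: NT AUTHORITY\SYSTEM
$SidType   = [System.Security.Principal.SecurityIdentifier]
$Full      = [System.Security.AccessControl.FileSystemRights]::FullControl
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function Test-ProfileFolderAcl {
    # Emits one string per deviation from the settings described in the thread.
    param([System.IO.DirectoryInfo]$Folder)

    # Assumption: folder name is the user name, optionally followed by .V<n>.
    $userName = $Folder.Name -replace '\.V\d+$', ''
    try {
        $account = New-Object System.Security.Principal.NTAccount($Domain, $userName)
        $userSid = $account.Translate($SidType).Value
    } catch {
        "no account ${Domain}\${userName} found for this folder name"
        return
    }

    $acl = Get-Acl -LiteralPath $Folder.FullName

    # Owner should be the Administrators group.
    if ($acl.GetOwner($SidType).Value -ne $AdminSid) {
        "owner is $($acl.Owner), expected Administrators"
    }

    $expected = @{}
    $expected[$AdminSid]  = 'Administrators'
    $expected[$SystemSid] = 'SYSTEM'
    $expected[$userSid]   = $userName

    # Walk explicit and inherited entries, resolved to SIDs.
    $granted = @{}
    foreach ($rule in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Deny') {
            "deny entry present for $sid"
            continue
        }
        if (-not $expected.ContainsKey($sid)) {
            "unexpected principal $sid is allowed $($rule.FileSystemRights)"
        } elseif ((($rule.FileSystemRights -band $Full) -eq $Full) -and
                  (($rule.InheritanceFlags -band $Inherit) -eq $Inherit)) {
            # Full control that also propagates to subfolders and files.
            $granted[$sid] = $true
        }
    }

    foreach ($sid in $expected.Keys) {
        if (-not $granted.ContainsKey($sid)) {
            "$($expected[$sid]) lacks full control that propagates to subfolders"
        }
    }
}

Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    $findings = @(Test-ProfileFolderAcl -Folder $_)
    [pscustomobject]@{
        Folder   = $_.Name
        Status   = if ($findings.Count) { 'REVIEW' } else { 'OK' }
        Findings = $findings -join '; '
    }
} | Format-Table -AutoSize -Wrap
```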
 