RUP's

Hello all. Can someone help me with roaming user profiles? Can I have more than one RUP on a share? Or do you need a different share for each RUP? If I copy a profile up to a share (i.e //server1/shaer/ltop), how do I point to that porfile I copied up to the share?

Find more posts tagged with

Comments

Non-Profit Techie

what study guide are you using?

raied

I am using both Microsoft and Syngress books.

royal

The way it will work in the majority of environments:

1. md C:\ profiles
2. Share profiles directory and give Everyone Full
3. Set all users to have full control to the profiles directory
4. Create a template account in the OU of choice
5. In the profile field for this user do \\server\profiles\%username% (When you apply it will actually change the name to the name of the template account. Don't worry, AD knows you used %username%. Therefore, when you create a new users you can just copy the template account to create the new account and it'll use the %username% and substitute the template user's name with the newly created username.
6. When a user logs in, lets say Joe, it will automatically create a folder in the profiles directory where ONLY Joe can access it. You can configure Group Policy to allow administrators to access these user profiles. This of course depends on company policies regarding privacy.

So taking a look back at step #6. Even though the profiles folder has full permission to pretty much everyone, when a user creates a profile, it does not inherit permission. It restricts access ONLY to that user who is creating the profile (by default) by logging in through AD.

Treg

You can configure Group Policy to allow administrators to access these user profiles. This of course depends on company policies regarding privacy.

Probably a good idea to add anyway for troubleshooting etc.

royal

Just as an FYI, the setting I stated in #6 could be found in the following location:
Computer Configuration > Administrative Templates > System > Logon

And as another FYI, this setting does not exist anymore in Vista. Not sure if it was relocated to another location as I haven't bothered looking yet. IF you do enable this setting, one problem is it might not work due to asynchronous group policy application. Basically, that means that your system is booting up, windows tries to provide a user with the login box and starts the user login while computer configuration is still being applied. Because of this, the user might have logged in and created the profile before the computer configuration setting you modified (to add admins to the ACL) was fully applied. Therefore, you would have a roaming profile created with no Administrator access. If you really want to ensure administrators are added to the ACL, turn off asynchronous mode by setting the "Always wait for the network at computer startup and logon" which is in the same location.