Copying local profile folders to a shared folder
Dracula28
Member Posts: 232
Say I have the following users: John, Jim and Scott.
John and Jim are members of the global security group RUP.
Domain users are members of the local admins group on the server02 member server.
I create a folder named profiles on Server01, share it, and set the share permission "everyone - full control".
Now I log on as Scott on Server02, and configure the profile as I wish. Then I log on as John on Server02. And I wish to copy the preconfigured "Scott" profile to the profiles folder on Server01, so I go to the advanced tab on system properties and click user profiles settings. But when I try to copy the Scott profile folder to server01\profiles\RUP (by giving the RUP domain group permissions to use it), it won't allow me to do so.
To try and fix this, I give John the full control NTFS permission on \\Server01\profiles. Still I'm not allowed to copy content to \\server01\profiles\RUP.
Now I do know the reason for that, it's simply because the folder I create under \\server01\profiles called "RUP" does not have the check mark ticked on "allow inheritable..", so even though the RUP folder itself sets the Domain group RUP's NTFS permission to full control, I still can't access it as John. That's what I don't get.
The strange thing is, as its creator owner, John can easily set the check mark on "allow inheritable" after the folder has been created, and then copy the Scott profile folder to it if he wishes to do so.
And if I log on as domain admin on Server02, I can easily copy the Scott profile to the \\server01\profiles\RUP folder. Must one be logged on as a domain admin to copy profiles to a shared folder?
Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)
Comments
-
Dracula28 Member Posts: 232
Ok, now I'm totally confused, after I logged on as domain administrator, and copied the profile, I'm suddenly allowed to copy profiles as the Albertini user as well.
I have no idea what I was doing wrong previously.
Edit: I guess you have to be logged on as a domain admin when copying a profile, because to be able to use that profile, the administrator group or the user using it must be the owner. But the thing is, even if I modify the owner after having copied the profile, with another user than domain admins, it still won't allow the user to log on.
So you have to copy the profile to the share path as a domain admin. Which brings me to my final question on this matter, hehe, say you want to preconfigure an XP workstation profile, does that mean you have to log on as a domain admin on that XP workstation to do so, would that not be a breach of security? Shouldn't domain admins, as a best security practice, not log on to workstations?
Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)
-
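A read-only check of the owner, the inheritance flag and the allow entries on the two folders discussed above, as an added example that is not part of any poster's message. The `LAB` domain prefix and the function name are assumptions; the share path and the RUP group are the ones named in the thread.

```powershell
# Added example: report the ACL facts the thread argues about on a profile folder.
# The LAB domain prefix is a placeholder; substitute the real domain name.
function Get-ProfileFolderAclReport {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Identity
    )

    $acl  = Get-Acl -LiteralPath $Path
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($id in $Identity) {
        # Allow rules naming this identity, whether set on the folder or inherited.
        $rules = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow'
        })

        [pscustomobject]@{
            Path               = $Path
            Owner              = $acl.Owner
            # True means "allow inheritable permissions" is unticked on this folder.
            InheritanceBlocked = $acl.AreAccessRulesProtected
            Identity           = $id
            ExplicitAllow      = ($rules | Where-Object { -not $_.IsInherited }).FileSystemRights -join '; '
            InheritedAllow     = ($rules | Where-Object { $_.IsInherited }).FileSystemRights -join '; '
            HasFullControl     = [bool]($rules | Where-Object {
                ($_.FileSystemRights -band $full) -eq $full
            })
        }
    }
}

# Compare the parent share folder with the RUP subfolder.
'\\Server01\profiles', '\\Server01\profiles\RUP' | ForEach-Object {
    Get-ProfileFolderAclReport -Path $_ -Identity 'LAB\RUP', 'LAB\John', 'BUILTIN\Administrators'
} | Format-Table -AutoSize
```

The report lists only entries that name each identity directly; it does not expand group membership or combine the result with the share permission.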
sprkymrk Member Posts: 4,884
Maybe it's the names you were using, but you certainly got me confused.
If you want to use preconfigured profiles, the best way is to control it through local or group policy, and you can set granular stuff using the "All Users" or "Default User" profiles, which can be set up on a baseline machine and then use imaging software to deploy. You would never have to use a domain admin account (although it wouldn't hurt if you did, just delete the profile when you're done configuring it), as you can use the local admin account for this procedure.
As an aside, the only real reason you wouldn't want to log in as a domain admin (or any privileged account for that matter) is in the case of suspected keystroke loggers, shoulder surfers, or dumb admins forgetting to log out when they are done. That's where the use of Smart Cards (or other token-based multi-factor authentication methods) really shines.
All things are possible, only believe.
-
Dracula28 Member Posts: 232
Maybe I should edit the names.
The training kit did not mention GPO when it came to user profiles, so I guess I'll have to have a look at that.
Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)
-
sprkymrk Member Posts: 4,884
Dracula28 wrote:
Maybe I should edit the names.
The training kit did not mention GPO when it came to user profiles, so I guess I'll have to have a look at that.
Also, I wasn't thinking of the 290 when I replied, just the way I do it. You can't manage user profiles per se with GPO, but you can configure many settings that way INSTEAD of doing it with profiles.
Sorry if I confused you, John, Jim, or Scott, or those other guys who are no longer with us. :P
All things are possible, only believe.
-
Dracula28 Member Posts: 232
I understand what you mean, I remember configuring Win95 user profiles through policies and such (the registry) about ten years ago.
Btw, I use the names of Italian football (soccer) players, coaches and teams in my lab AD, it makes it easier for me to keep track of the different users and groups.
Current certs: MCP (210) MCSA (270, 290, 291 and 680) MCTS (680, 640)