Profile Permission

Essendon, Member, Posts: 4,546
Going through an MS Press book exercise, I created a user that was nothing more than a domain users group member. Next, I created a folder called Profiles (shared it, gave Everyone full control and permissions). Navigated to the user in AD Users and Comp, provided profile path as \\servero01\profiles\%username%.

I logged in as the user and changed the password. Next there were 3 errors, out of which 2 were related to some Netware 2.x logon (don't remember the error exactly) and the third one said "the local policy of this system does not allow you to login interactively". I know why this happened.

However, when I logged back in as the admin, browsed to the profiles folder, double-clicked the username of the user, it said "Not possible. Access is Denied". I cannot see the contents or make any profile changes to the folder. WHY?
NSX, NSX, more NSX..

Blog >> http://virtual10.com

Comments

  • sprkymrk, Member, Posts: 4,884
    Try taking ownership as admin, then go back to properties and add your NTFS rights.
    All things are possible, only believe.
  • royal, Member, Posts: 3,352
    Admins don't have access to users' profile folders.

    Computer Configuration\Administrative Templates\System\User Profiles
    Add the Administrator security group to the roaming user profile share

    There is a setting, but it probably won't work. Asynchronous group policy is on by default, which allows winlogon to let a user log on before computer policies are defined. There's a good chance the user will log on and get their folder created before that policy is even defined.

    Even if you turn off asynchronous policy, it still won't work because computers will still have to apply that policy, and that policy won't be applied immediately, which means at least 1 asynchronous logon will still happen.

    The only real way to get that policy to work is if you apply it to each local policy on the client, which is not really going to happen. Even if you apply the policy after the profile is created, it won't go and add admin access to the user's profile. The policy has to be applied on the client side because the client machine creates the profile.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • Essendon, Member, Posts: 4,546
    I discovered something even more confusing, I created another user giving it admin rights and configured the profile path to be \\server01\profiles\%username% and when I logged in as that user, the user can browse the profile contents of the other users and its own profile. However, logging back as the admin, I cannot do the same thing. Very surprising that the admin cannot access the folders but a user with admin rights is able to ....
    NSX, NSX, more NSX..

    Blog >> http://virtual10.com
  • brad-, Member, Posts: 1,218
    MobilTech wrote:
    I discovered something even more confusing, I created another user giving it admin rights and configured the profile path to be \\server01\profiles\%username% and when I logged in as that user, the user can browse the profile contents of the other users and its own profile. However, logging back as the admin, I cannot do the same thing. Very surprising that the admin cannot access the folders but a user with admin rights is able to ....
    Just being admin doesn't mean you can look at everything willy-nilly. When the user logs in, it creates the folder and gives rights to THAT USER, not the admin group. The admin group would have to take ownership and add themselves to the ACL.

    It's doing what it's supposed to do.
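
The fix suggested in the replies (take ownership as an administrator, then add the Administrators group to the folder's ACL), written out as an added PowerShell example that is not part of the original thread. The function name is hypothetical and the share path is the one from the question; it reports each profile folder's owner and only changes folders where Administrators lack full control.

```powershell
# Added example, not from the thread. Run from an elevated session.
function Repair-ProfileFolderAcl {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ProfileRoot)

    $adminsSid = 'S-1-5-32-544'             # well-known SID of BUILTIN\Administrators
    $full      = [System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
        $owner = '<access denied>'
        $adminsHaveAccess = $false
        try {
            $acl   = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            $owner = $acl.Owner
            # Resolve ACEs to SIDs so the check does not depend on localized group names
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            $adminsHaveAccess = [bool]($rules | Where-Object {
                $_.IdentityReference.Value -eq $adminsSid -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $full) -eq $full
            })
        } catch {
            # Reading the ACL fails the same way Explorer does when only the user is on it
        }

        $action = 'None'
        if (-not $adminsHaveAccess -and
            $PSCmdlet.ShouldProcess($dir.FullName, 'Take ownership and grant Administrators full control')) {
            # /A: owner becomes the Administrators group; /R /D Y: recurse without prompting
            takeown.exe /F $dir.FullName /A /R /D Y | Out-Null
            $tookOwnership = ($LASTEXITCODE -eq 0)
            # (OI)(CI)F: full control inherited by files and subfolders; /C: continue on errors
            icacls.exe $dir.FullName /grant "*${adminsSid}:(OI)(CI)F" /T /C | Out-Null
            $action = if ($tookOwnership -and $LASTEXITCODE -eq 0) { 'Fixed' } else { 'Failed' }
        }

        [pscustomobject]@{
            Folder = $dir.FullName; Owner = $owner
            AdminsHadFullControl = $adminsHaveAccess; Action = $action
        }
    }
}

# Dry run: lists the folders that would be changed without touching any ACL
Repair-ProfileFolderAcl -ProfileRoot '\\server01\profiles' -WhatIf
```

Drop `-WhatIf` to apply the change; the existing ACE for the profile's user is left in place, since `/grant` only adds the Administrators entry.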