Taking Ownership of Roaming Profile Folders

G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

I just wanted to run this up the flagpole because I just
read KV's post on Roaming Profiles...
I too from time to time need to access the files within
our user's network profiles. Typically I do this to find
out how big their profiles are getting.
As Lanwench suggested responding to KV's post, I take
ownership of the user's profile folder and reassign
rights to it: user = all but full control, domain admins
= full control.
The default permissions for a new profile folder is:
SYSTEM = Full Control, User = Full Control.
That being said, I have had a really bad time with user's
profiles becoming corrupt. The user can be fine for
months, then one day when they log in, they get a roaming
profile error to the effect of: "Windows cannot create
profile directory directory name. You will be logged on
with a local profile only. Changes to the profile will
not be propagated to the server. Contact your network
administrator."
I am wondering if I am causing these profile errors
myself by taking ownership of and changing the
permissions of the profiles. I recently read somewhere
(don't remember where) that profile corruption is almost
always caused by permission issues.
Has anyone else seen this or have any comments?
Thanks!
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

If it was a permissions problem I would expect that it would happen right after you
change permissions and ownership. Note that you can use Ntbackup to backup and
restore folders or files [to alternate location] that you do not have permissions to
as long as you are an administrator on that computer. That way you do not alter any
permissions or ownership of the original folders and can gain access to copies of
folders that you should legitimately be able to. --- Steve


"-=gu=-" <anonymous@discussions.microsoft.com> wrote in message
news:08ce01c4a23f$4a844bc0$a501280a@phx.gbl...
>I just wanted to run this up the flagpole because I just
> read KV's post on Roaming Profiles...
> I too from time to time need to access the files within
> our user's network profiles. Typically I do this to find
> out how big their profiles are getting.
> As Lanwench suggested responding to KV's post, I take
> ownership of the user's profile folder and reassign
> rights to it: user = all but full control, domain admins
> = full control.
> The default permissions for a new profile folder is:
> SYSTEM = Full Control, User = Full Control.
> That being said, I have had a really bad time with user's
> profiles becoming corrupt. The user can be fine for
> months, then one day when they log in, they get a roaming
> profile error to the effect of: "Windows cannot create
> profile directory directory name. You will be logged on
> with a local profile only. Changes to the profile will
> not be propagated to the server. Contact your network
> administrator."
> I am wondering if I am causing these profile errors
> myself by taking ownership of and changing the
> permissions of the profiles. I recently read somewhere
> (don't remember where) that profile corruption is almost
> always caused by permission issues.
> Has anyone else seen this or have any comments?
> Thanks!
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Thanks for your reply Steve, but backing up all the
profiles and restoring them to an alternate location is a
really lame way of finding out how much disk each one is
taking up!

>-----Original Message-----
>If it was a permissions problem I would expect that it
would happen right after you
>change permissions and ownership. Note that you can use
Ntbackup to backup and
>restore folders or files [to alternate location] that
you do not have permissions to
>as long as you are an administrator on that computer.
That way you do not alter any
>permissions or ownership of the original folders and can
gain access to copies of
>folders that you should legitimately be able to. ---
Steve
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

I just make mention of that as a way to view files you do not have
permissions to if you are having problems with changing
permissions/ownership. You don't need permissions to view the size of a
users profile using it's properties. Disk quotas may be a way for you to
manage users who like to hog disk space. Disk quotas are based on file
ownership. Also take a look at the command line tool fileacl to add
permissions to a folder. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;183322
http://www.microsoft.com/downloads/details.aspx?FamilyID=723f64ea-34f0-4e6d-9a72-004d35de4e64&DisplayLang=en
-- fileacl

<anonymous@discussions.microsoft.com> wrote in message
news:1ff901c4a4a5$84529420$a501280a@phx.gbl...
> Thanks for your reply Steve, but backing up all the
> profiles and restoring them to an alternate location is a
> really lame way of finding out how much disk each one is
> taking up!
>
>>-----Original Message-----
>>If it was a permissions problem I would expect that it
> would happen right after you
>>change permissions and ownership. Note that you can use
> Ntbackup to backup and
>>restore folders or files [to alternate location] that
> you do not have permissions to
>>as long as you are an administrator on that computer.
> That way you do not alter any
>>permissions or ownership of the original folders and can
> gain access to copies of
>>folders that you should legitimately be able to. ---
> Steve
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Steve,
Actually properties is telling me 0 bytes when I know
there's at least 600 mb in there. Perhaps 2003 doesn't
show byte size if you don't have permissions?
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

There is a free Resource Kit called diruse that may help available in the
link below. You can use it as in [ diruse "c:\documents and
settings\betty" ] to find disk use of a users folder, Betty in this example,
you do not have permissions to. The \s switch will break it down by
subfolder and there are many other options. You also may want to check Group
Policy for ways to help manage your profiles. Look under both user and
computer configuration/administrative templates/system/user profiles for
options and be sure to read the FULL explanation of the setting and what
operating systems it applies to before implementing. If your domain
controllers are all Windows 2000 and you have XP Pro computers in the domain
you can take advantage of the extra Group Policy settings for XP Pro
computers by managing Group Policy for the domain from an XP Pro domain
computer while logged on as a domain admin. If you do such make sure that XP
Pro computer is secured from general user population. --- Steve

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/diruse-o.asp

<anonymous@discussions.microsoft.com> wrote in message
news:3aee01c4a578$4b4b4860$a301280a@phx.gbl...
> Steve,
> Actually properties is telling me 0 bytes when I know
> there's at least 600 mb in there. Perhaps 2003 doesn't
> show byte size if you don't have permissions?