1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Roaming Profiles

Discussion in 'Windows Server 2003 / 2008 / 2012 Exams' started by Ally, Jan 21, 2006.

  1. Ally

    Ally Byte Poster

    127
    1
    22
    Quick question here!! If i set up roaming profiles for my users on a network server, what is the permissions they need to simply allow there profile to be downloaded and uploaded, if that makes sense??
    Was out last night and not even sure if im making sense to myself!
     
    Certifications: 70-270, 70-290, 70-291 & 70-294
    WIP: 70-293
  2. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    Ally the answer is complex, so I have linked to what Microsoft say...

    Security Recommendations for Roaming User Profiles Shared Folders


    http://www.microsoft.com/technet/pr...Kit/20b15453-f7c9-4cf0-9131-78924af77655.mspx
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  3. Jellyman_4eva

    Jellyman_4eva Byte Poster

    213
    4
    34
    This is an interesting topic I meant to post about myself...

    According to MS Press Book 70-290, setting up a roaming profile has the following note attached:

    "Be sure to configure share permissions allowing Everyone Full Control. The Windows Server 2003 default share permissions allow Read, which is not sufficient for a roaming profile share."

    Now this seems a little lax in security??

    Anyone clear this up?!
     
    Certifications: MCDST, MCITP-EDST/EDA/EA/SA/ MCSA 2K3/2K8, MCSE+M 2K3/2K8, ISA/TMG, VCP3/4, CCNA, Exchange, SQL, Citrix, A+, N+, L+, Sec+, Ser+, JNCIA-SSL, JNCIS-SSL
    WIP: Lots
  4. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    let me try have a go.. if you setup the profile with read this means everytime a user creates a desktop icon for example and then shuts down or logs off that icon isnt saved cause the profile is "read-only"

    where as full control would allow you to create the icon or shortcut and it will still be there when you log on again.
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  5. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    810
    0
    39
    'read' permissions is too restricted, 'full control' permissions is too much.

    on the share just give the user 'change' permissions, on ntfs give the user 'write' or 'modify' permissions.
    and whatever you do, never ever give 'full control' permissions to the everyone group.
     
  6. Tyler D

    Tyler D Gigabyte Poster

    1,224
    8
    85

    So if you set up the profile with read-only,and what you mentioned above happens,this is the same outcome as setting up a mandatory profile and renaming the Ntuser.dat file to Ntuser.man.

    Correct??? :blink
     
    Certifications: A+,70-270
    WIP: 70-290
  7. Liqua

    Liqua Bit Poster

    48
    3
    17
    Roaming profiles :
    From a Microsoft "passing the exams" point of view, Everyone has full control is the correct way of doing it. I believe even for Win2K3.

    From a real world working point of view, Everyone should not have full control due to inherrant security risks.

    Bit like after a default installation of Windows 2K Server "Everyone" has full control to all drives - which as we know is wrong. :)
     
    Certifications: CCNA, SND, ITIL Foundation
    WIP: CISSP
  8. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    810
    0
    39
    you're talking about ntfs permissions. this was more geared towards share permissions. but even on the subject of ntfs permissions in windows 2000 you'd be surprised: http://support.microsoft.com/kb/244600/EN-US/
     
  9. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    From your link d-Faktor I found this right at the bottom...

    I didn't realise that :eek:
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  10. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    810
    0
    39
  11. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    Very interesting read d-Faktor thanks a lot :D
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  12. Liqua

    Liqua Bit Poster

    48
    3
    17
    I am not quite sure what has happened to our servers then .. NTFS drives by default, Everyone had full control .. even from a clean install.

    This, I think, needs further investigatation.

    Cheers for the links d-Faktor, very interesting read and apologies for the derail on subject Ally :)
     
    Certifications: CCNA, SND, ITIL Foundation
    WIP: CISSP

Share This Page

Loading...