
Custom NTFS permissions on roaming profiles?

microsoft.public.windows.server.security
Posted by Marcus Fredriksson on April 11, 2006, 7:48 am
Hello all,

We are managing a large Windows 2003 server environment with Terminal
Servers that store the users' roaming (mandatory) profiles on a file share
on the network. According to
http://technet2.microsoft.com/WindowsServer/en/Library/20b15453-f7c9-4cf0-9131-78924af776551033.mspx,
the default file permissions for a user's roaming profile folder are Full
Control for the user and Local system and nothing else. We have also through
a GPO enabled the "Add the Administrators security group to roaming user
profiles" setting to grant Administrators permissions on the user folders.

So far, so good, but now as the environment grows large, we need our
Terminal Server guys to have permissions on the roaming profiles to be able
to troubleshoot end user problems. We do not want to add the Terminal Server
administrators to the Administrators group on the file servers, but instead
add another group to the ACL of the roaming profile folders.

My question: Is there a way to pre-define which permissions get set on
newly created roaming profile user folders? If not, what problems could we
run into if we add this extra group to the roaming profile folders
afterwards?

Thanks,

Marcus

--
The views and opinions expressed above are strictly
those of the author(s). The content of this message has
not been reviewed nor approved by any entity whatsoever.




Posted by Steven L Umbach on April 11, 2006, 6:37 pm
I myself have never heard of a way to specify an extra group to be
automatically added to a newly created profile. You could however use
command line tools such as fileacl or xcacls.vbs to add such permissions, and
you would need to do so each time a new profile was created. I see no
reason why that would cause a problem [other than privacy] as long as the
user still had their permissions and was the owner. Of course, like anything
else, test it on a few user accounts first and back up your server before you
try changing permissions so that you can always get back to where you were.
Xcacls.vbs and fileacl are powerful tools, so be sure to try them out on a
test computer first if you are interested in trying them. --- Steve

http://support.microsoft.com/?id=825751 --- xcacls.vbs
http://www.gbordier.com/gbtools/fileacl.htm --- fileacl


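One way to script what the reply above describes, as an added example that is not part of the original thread: it uses Windows PowerShell 5.1 and the .NET ACL classes rather than the xcacls.vbs or fileacl tools named in the reply, and the share path, group name and `Modify` right are hypothetical placeholders. It records each folder's owner and SDDL first, adds the group ACE only where it is missing, and writes back only the DACL so ownership stays with the user.

```powershell
# Added example for Windows PowerShell 5.1. The share, group and rights are
# hypothetical placeholders; the thread does not name any of them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ProfileRoot = '\\fileserver\profiles$',
    [string]$Group       = 'EXAMPLE\TS-Profile-Support',
    [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
    [string]$BackupCsv   = '.\profile-acl-backup.csv'
)

# Resolve the group once; this throws if the name does not exist.
$sidType  = [System.Security.Principal.SecurityIdentifier]
$groupSid = ([System.Security.Principal.NTAccount]$Group).Translate($sidType)
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp   = [System.Security.AccessControl.PropagationFlags]::None
$allow    = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
    # Save owner and full SDDL before touching anything, for rollback.
    $before = Get-Acl -LiteralPath $dir.FullName
    [pscustomobject]@{ Path = $dir.FullName; Owner = $before.Owner; Sddl = $before.Sddl } |
        Export-Csv -LiteralPath $BackupCsv -Append -NoTypeInformation

    # Load only the DACL so the write-back cannot alter owner or group.
    $dacl = $dir.GetAccessControl('Access')

    # Idempotence: skip folders with an explicit allow ACE covering $Rights.
    $present = $dacl.GetAccessRules($true, $false, $sidType) | Where-Object {
        $_.IdentityReference -eq $groupSid -and $_.AccessControlType -eq $allow -and
        ($_.FileSystemRights -band $Rights) -eq $Rights
    }
    if ($present) { continue }

    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $groupSid, $Rights, $inherit, $noProp, $allow)
    $dacl.AddAccessRule($rule)   # merges a new ACE; existing ACEs stay as they are

    if ($PSCmdlet.ShouldProcess($dir.FullName, "Grant $Rights to $Group")) {
        $dir.SetAccessControl($dacl)
        # Confirm the owner is still the same account, as the reply above requires.
        $after = Get-Acl -LiteralPath $dir.FullName
        if ($after.Owner -ne $before.Owner) {
            Write-Warning "Owner changed on $($dir.FullName): now $($after.Owner)"
        }
    }
}
```

Run it with `-WhatIf` against a few test accounts first; rerunning it on a schedule picks up profile folders created since the last pass.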


Posted by Marcus Fredriksson on April 12, 2006, 4:24 am
Steven,

Thanks for your input. I have used xcacls.vbs quite a bit and am familiar
with it. Fileacl I didn't know about. Will check that out, thanks!

My main concern when manipulating profile ACLs is, as I stated before,
unexpected consequences, and I am not very comfortable with implementing a
bunch of scheduled scripts to manipulate ACLs. But since this might greatly
reduce the time needed for our TS guys to troubleshoot a user profile, and
at the same time eliminate the need to make them members of the
Administrators group on all file servers, I guess we'll test it and give it
a try.

Thanks and regards,

Marcus



