Set these permissions on the root of a profile share to enable it for roaming profile storage. When Windows creates a new roaming profile it acts on behalf of the user, it “impersonates” that user. Therefore we must make sure that on the one hand each user may create new folders while on the other hand ensuring that each user may access only his own profile folder.
These permissions apply both to traditional Windows roaming profiles as well as to the user store where Citrix Profile Management keeps its profiles.
NTFS permissions:
These permissions apply both to traditional Windows roaming profiles as well as to the user store where Citrix Profile Management keeps its profiles.
NTFS permissions:
- Administrators: full control
- SYSTEM: full control
- Authenticated users: list folder/read data & create folders/append data, this folder only
- Creator/Owner: full control, subfolders and files only
- Everyone: change
- Administrators: full control
- Do not check for user ownership of Roaming Profile Folders
in Computer Configuration \ Administrative Templates \ System \ User Profiles
Disabling this check speeds up logons slightly and may greatly reduce profile problems. - Add the Administrators security group to roaming user profiles
in Computer Configuration \ Administrative Templates \ System \ User Profiles
When a new roaming profile directory is created, Windows disables permission inheritance and grants SYSTEM and the profile’s user account full control. That makes user profiles inaccessible to administrators which prevents them from performing maintenance. If this policy setting is enabled the group “Administrators” is given full control on new profile folders, tool.
Note that this applies to new profiles only. Profiles created before this policy settings was in place lack the entry for “Administrators”.
No comments:
Post a Comment