
Roaming Profile Folders Problem 1

Status
Not open for further replies.

cranebill

IS-IT--Management
Jan 4, 2002
1,113
US
Hi,
I have written a script to copy all files and folders as a backup. Problem is when it gets to the Profiles folder (which is used for roaming profiles) the admin does not have rights to these folders and therefore halts the script. I have tried changing ownership of these files to the local admin of our server (DC) and also to myself (Domain Admin). When I do this, however, when a user logs on the client is unable to find the roaming profile, even though he still has rights. To fix this I delete the profile on the server and have the client re-login and log out to save his local profile on the server. My question is: how can I grant myself rights to others' profile folders without corrupting them so I can back them up?

Bill
 
- Do what you did, taken ownership. If not working, then go to the permissions tab and there should be on the bottom "take ownership and auditing, something like that"; check both of those and you will see what I'm talking about.
- Administrators don't usually corrupt files by taking over ownership; maybe the user's profile is already corrupted, so just delete it and recreate it by logging back in.
 
There was a mistake in the Default Domain Security Policy before Win2k SP2. Look at M$ knowledge base article #222043. After you install SP2 and enable the policy, you must delete the root folders for the roaming profile users and let them be re-created at next login.

Roaming Profile Folders Do Not Allow Administrative Access
The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional

This article was previously published under Q222043
SYMPTOMS
When a roaming profile is written for the first time, permissions for the created folder (\\Server\Profile\Username) that contains the roaming profile are set as follows:
System: Full Control
Username: Full Control

Therefore, administrators do not have control of this area.
CAUSE
In Microsoft Windows NT 4.0, when the Administrators group is listed for the parent folder of the new user profile folder, this permission is inherited by the folder and files for the new user profile. In Windows 2000, this permission is applied to System and the user only, without inheritance from the parent.
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:

Date        Time    Version        Size     File name
-------------------------------------------------------
07/26/2000  09:36a                 738,586  System.adm
01/19/2001  05:57a  5.0.2195.2780  370,448  Userenv.dll


You must apply this hotfix to all domain controllers and clients. The hotfix adds a new "Add the Administrators security group to roaming user profiles" policy that must be applied by using Group Policy. To enable this new policy:
1. Start Microsoft Management Console (MMC). On the Console menu, click Add/Remove Snap-in.
2. Add the Group Policy snap-in for the default domain policy. To do so, click Browse when you are prompted to select a Group Policy object (GPO). The default GPO is "Local Computer." Click Browse, and then click Default Domain Policy. You can also add GPOs for other domain partitions (specifically, organizational units).
3. Double-click the following items to open them: Computer Configuration, Administrative Templates, System, and Logon.
4. Click to select the Add the Administrators security group to roaming user profiles check box.
5. Click either Enable or Disable to enable or disable the new policy.
WORKAROUND
To work around this behavior, create the user profile folder ahead of time with the appropriate permissions.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.
MORE INFORMATION
The default location of the System.adm file for a default domain policy is:
%SystemRoot%\Sysvol\Sysvol\DomainName\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\System.adm

The contents of these folders are replicated throughout a domain by the File Replication service (FRS). Note that the Adm folder is not populated until the default domain policy is loaded for the first time.

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

NOTE: Changes to a group policy object are not immediately imposed upon the target systems. To update this policy on the client, run the following command on the client:
Secedit /RefreshPolicy Machine_Policy /Enforce

For additional information about how this operates, please see the following article in the Microsoft Knowledge Base:
227302 Using SECEDIT to Force a Group Policy Refresh Immediately


 
I found the "Add the Administrators security group to roaming user profiles" option in Computer Configuration -> Administrative Templates -> System -> User Profiles

This is under win2k-SP3.

Also, for the ownership problem, you will find an option "Do not check for user ownership of roaming profile objects" in the same place. Enabling this will fix the error message you described.
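
The workaround in the quoted KB article (create the user profile folder ahead of time with the appropriate permissions) can be scripted. The following is an added example, not code from the article or from any poster in this thread; the function name and its parameters are hypothetical. It creates a not-yet-existing \\Server\Profile\Username folder with a protected ACL that adds Administrators to the System and user entries the article lists, and it leaves the folder's owner as created.

```powershell
# Added example: function and parameter names are hypothetical, not from the KB article.
function New-RoamingProfileFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ProfileRoot,  # e.g. \\Server\Profile
        [Parameter(Mandatory)] [string] $Domain,       # NetBIOS domain name of the user
        [Parameter(Mandatory)] [string] $UserName
    )

    $path = Join-Path $ProfileRoot $UserName
    if (Test-Path -LiteralPath $path) {
        # This sketch only pre-creates folders; it never re-ACLs an existing profile.
        throw "Profile folder already exists: $path"
    }

    # Well-known SIDs avoid dependence on localized account names.
    $system  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # Local System
    $admins  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
    $account = New-Object System.Security.Principal.NTAccount($Domain, $UserName)
    # Translate throws if the account cannot be resolved, before anything is created.
    $user    = $account.Translate([System.Security.Principal.SecurityIdentifier])

    $rights  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    if ($PSCmdlet.ShouldProcess($path, 'Create folder and apply explicit ACL')) {
        $null = New-Item -ItemType Directory -Path $path
        $acl  = Get-Acl -LiteralPath $path

        # Protect the DACL and drop ACEs inherited from the profile share root,
        # so only the three entries added below remain.
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($id in $system, $user, $admins) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $id, $rights, $inherit, $prop, $allow)
            $acl.AddAccessRule($rule)
        }
        Set-Acl -LiteralPath $path -AclObject $acl

        # Return the resulting ACEs so the caller can verify what was applied.
        (Get-Acl -LiteralPath $path).Access |
            Select-Object IdentityReference, FileSystemRights, IsInherited
    }
}
```

Run it with -WhatIf first to see which path would be created; the returned entries should list exactly three non-inherited Full Control ACEs.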
 