Looking at changing the way we manage roaming profiles, home drives and folder redirection.
Our last sysadmin was lazy and set everyone access to everything to get around the headache of setting up permissions on folders.
I am wanting these folders to be automatically created when I set the path in AD. At the moment the Home folder is created fine, however when Profile is created I need to take ownership of each folder to view/modify files which is a headache and not viable long term.
I have set up 3 shares for these features with the following permissions
HomeStore and ProfileStore
Security:
Creator Owner - Full
Domain Admin - Full
Authenticated Users - Read
Sharing:
Authenticated Users (This Folder Only) - Full
Domain Admin - Full
System - Full
FolderStore
Creator Owner - Full
Domain Admin - Full
Authenticated Users - Read
Sharing:
Everyone (This Folder Only) - Full
Domain Admin - Full
System - Full
Are these set correctly? I know there are issues with Admin having access to user files but we are a small company and this is requested of me often.
Without parsing the permissions you listed (because it makes my hear hurt) I would suggest following this article:
http://technet.microsoft.com/en-us/library/cc737633(WS.10).aspx
In addition, in Group Policy there's a setting to add the Administrators security group to roaming profiles which will grant the Administrators group the appropriate permissions to the roaming profiles, negating the need for you to take ownership when accessing the profiles, which will surely cause problems eventually.
Note 1: The aforementioned GP setting will affect only newly created profiles, not existing profiles.
Note 2: The GP setting needs to be set in the GPO that applies to the client computer object, not the profile server computer object.