Change home folder default permission?
I have searched all over and can't seem to find anything similar to what I am trying to do. I am using Windows Server 2003 with Active Directory. When we create a new user account on the domain, we use the Profile tab to specify a Home Directory for the user. When the user logs in for the first time, Active Directory creates the folder in the specified path. This is all working correctly.

My problem is that it gives the user Full Control over the folder. This has caused us a lot of problems because some "clever" users have discovered they can change the permissions on the folder or subfolders beneath it. They sometimes do this because they don't want IT staff to be looking at their "sensitive" files. Of course this doesn't work, since I can just take ownership of the file and give myself permissions. Where this causes trouble is failed backups, the inability to scan these folders for viruses, migration to new storage, etc. On occasion one of these users will call me and ask for a file or folder to be restored, and it is only at that point that I discover that I do not have a good backup of the files and cannot restore them. I always give them a good lecture, but I have over 2500 users, and I can't talk to them all.

Right now we have to create the account and then log in with it so the folder is created, then go take away the Full Control permission, and then reset the password again and set it to force the user to change the password at next login. Isn't there some way to change this so the Domain Controller gives the user Modify and not Full Control?
May 21st, 2009 2:06am
One additional note. The people who create the user accounts do not have access to the directory that holds the home folders. The files are in fact very sensitive. My staff end up creating the accounts and then I have to step in to get the permissions right. It would be far easier if a Domain Admin did not have to personally assist with each new user account on a Domain of over 2500 users. There have been lots of reads on this posting, but no replies as of yet. Anyone have any idea where I could start searching for an answer to this or an alternative way of doing this?
May 22nd, 2009 1:56am
Have a look at this: http://www.1stbyte.com/2008/03/19/folder-redirection-user-permissions-block-access-to-administrators/
May 25th, 2009 11:21am
Hello, in my network we give the user of the profile Modify permissions to folders, subfolders and files. NEVER give a user Full Control on things like that; they can take ownership, prevent admins from accessing, etc. We have a script that we have the help desk use in creating accounts, and the script sets the permissions as well. At some point you may have to trust the account creation staff by delegating the proper permissions to edit users' ACLs.
Isaac Oben MCITP:EA, MCSE
May 25th, 2009 12:00pm
Thanks for the comment. I had looked at that, but it only seems to apply to folder redirection for roaming profiles. I cannot use roaming profiles on my network due to the number of subnets (45) and the poor network speed between them all (mostly T1). I need to change only the default permissions assigned by Active Directory when it creates the Home Folder listed under the Profile tab in AD.
May 27th, 2009 12:49am
You may post this in AD forum, they are dedicated to Directory Services.
May 27th, 2009 11:22am
Hello, make sure in the folder redirection GPO to clear the Grant the user exclusive rights to My Documents check box, and then follow the guidelines below:
Log on as an administrator to the server that can host the user's redirected folders.
Locate the top-level folder that can hold the user's redirected documents (for example, D:\Redirected, which is shared as \\Server\Redirected\) by using Windows Explorer. Right-click the folder, and then click Properties.
Click the Security tab.
Click Advanced.
Click to clear the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here. check box.
When you are prompted to copy or remove permissions, click Remove.
If the Administrators group is not present, click Add, type Administrators, and then click OK.
Select the Administrators group, and then click Edit.
Verify that the Full Control permission is set to Allow, and then click OK.
Click Add, and add System and Creator Owner to the Permissions entries.
Verify that the System and Creator Owner objects have the Full Control / Allow permission.
Click Add, add Authenticated Users, and then set the following permissions to Allow:
Create Folders / Append Data
Read Permissions
Read Attributes
Read Extended Attributes
Isaac Oben MCITP:EA, MCSE
May 28th, 2009 10:34pm
Hmm... the same question with respect to Windows XP Pro. How to set a list of permissions granted to the user profile folder, usually under Documents and Settings? By default, the user has Full Control permissions. I want to restrict it to read and write but NOT EXECUTE. And also there is an idea to customise the installation CD.
May 30th, 2009 2:12pm
Hi, by default the user will have full access to their profile (might be roaming or local). All that will help you is to create a group, add the list of users whom you want to restrict, apply policies on that group, and check the options below when applying group policies:
Do not check for user ownership of Roaming Profile Folders
Add the Administrators security group to roaming user profiles
Regards
Dharshan S
June 1st, 2009 4:07am
Is that all? Nothing else? The problem is that %UserProfile% does not inherit permissions from Documents and Settings, so anyway I will need to manually assign permissions for EACH folder under Documents and Settings (no matter whether for a group or for a user). The matter is that if a new user is created, an administrator will be needed to manually handle permissions... potentially unsafe.
On the other hand, there are advantages to using a group-based solution, like deny permissions having higher priority, and that way I will be more confident that
a) user will not be able to execute files;
b) take ownership and manage permissions by themself.
I'm looking into the job done by winlogon and even traced it with procmon, but didn't yet find anything useful. Also, while surfing the web I encountered security templates, but need more time to sort them out.
Anyway, thanks for your reply, I will be glad to see further discussion.
P.S. I want to implement it on Windows XP (in the installation CD) and Windows Server 2003 (Terminal Server). Windows Vista and Server 2008 are also considered, but I have never worked with them closely.
June 1st, 2009 7:49am
Oh, you would like to use "do not inherit permissions"? Then good (not great work). Instead of configuring manually for all hundred users etc., you can apply a GPO, right? As updated previously, which will minimize the work and other errors.
June 1st, 2009 10:20am
ROR, did you ever figure this out? Isaac, I tried this and Full Control of the folder was given to the new user.
June 11th, 2009 1:01am
Hello, are you using GPO folder redirection or just roaming profiles?
Isaac Oben MCITP:EA, MCSE
June 11th, 2009 1:18am
We do not use roaming profiles and the folder redirection settings in the GPO are not configured (but since we do not use roaming profiles would they matter?). What is it that assigns these permissions?
June 12th, 2009 2:47am
Did you resolve this? I am having the same issue. Thanks in advance.
June 15th, 2009 9:09pm
I hope I made sense: we use local profiles and do not do folder redirection. Should those two matter if I'm just talking about creating a new user in AD and assigning a home folder? I assign to \\servername\people\%username% and they automatically get Full Control of the folder. Hope this helps; it would really be helpful if I could take that right away from our users. We have seen users remove Domain Admins and also some assign other users rights to "look at a file"... not good. Thanks in advance.
Patrick
June 15th, 2009 9:13pm
Modify the permissions on the parent folder so that the newly created home folder will automatically inherit the customized permissions.
In Windows Explorer, right-click the parent folder, and then click Properties.
On the Security tab, click Advanced.
Click the Allow inheritable permissions from the parent to propagate to this object and all child objects check box.
Click OK.
The other option is to modify the existing home folders with a script similar to: http://www.edugeek.net/wiki/index.php/Reset_the_file_permissions_on_homedrives. Then create a logon script that will set the permissions for a new user.
June 15th, 2009 11:53pm
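A remediation script of the kind the second option above describes, added here as an example (it is not the thread's or the linked wiki's code): it walks \\servername\people (the share named earlier in the thread), records who owns each home folder and whether the user held an explicit Full Control entry, then rewrites the ACL so the user has Modify and inheritance from the parent is back on. DOMAIN is a placeholder NetBIOS domain name; making BUILTIN\Administrators the owner and adding Domain Admins and SYSTEM with Full Control are my assumptions.

```powershell
# Added example (not from the thread): reset existing home folders so each user
# holds Modify, not Full Control, and Domain Admins / SYSTEM keep Full Control.
# Assumptions: folder name = logon name (\\servername\people\%username%, as in the
# thread); "DOMAIN" is a placeholder NetBIOS domain name; run as a Domain Admin.
param(
    [string]$Root   = "\\servername\people",
    [string]$Domain = "DOMAIN",
    [switch]$ReportOnly          # show what would change, write nothing
)

$Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-Ace([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights) {
    # Allow ACE that flows down to all subfolders and files
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $NoProp, $Allow)
}

function Repair-HomeFolder([System.IO.DirectoryInfo]$Folder) {
    $user = "$Domain\$($Folder.Name)"
    $acl  = Get-Acl -Path $Folder.FullName

    # Explicit (non-inherited) ACEs are where users grant themselves Full Control
    # or remove the admin entries; inherited ones come from the parent folder.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    $hadFull  = @($explicit | Where-Object {
        $_.IdentityReference.Value -eq $user -and $_.FileSystemRights -eq "FullControl" }).Count -gt 0
    Write-Host ("{0,-5} {1} (owner: {2}, user had Full Control: {3})" -f
        $(if ($ReportOnly) { "WOULD" } else { "FIXED" }), $Folder.FullName, $acl.Owner, $hadFull)
    if ($ReportOnly) { return }

    $acl.SetOwner([System.Security.Principal.NTAccount]"BUILTIN\Administrators")
    $acl.SetAccessRuleProtection($false, $true)   # inherit from the parent again
    foreach ($ace in $explicit) { [void]$acl.RemoveAccessRule($ace) }
    $acl.AddAccessRule((New-Ace "NT AUTHORITY\SYSTEM" "FullControl"))
    $acl.AddAccessRule((New-Ace "$Domain\Domain Admins" "FullControl"))
    $acl.AddAccessRule((New-Ace $user "Modify"))
    Set-Acl -Path $Folder.FullName -AclObject $acl
}

# One home folder per user directly under the share root
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object { Repair-HomeFolder $_ }
```

Run it with -ReportOnly first to get the list of folders whose owner or ACL has drifted, which is also the list of folders a backup or antivirus scan would have skipped.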