Vista Roaming profiles : how to restrict user from creating folder in the root of their profile folder
Hi everyone, we are experimenting with Roaming profiles and folder redirection for our new Vista computers. We have a GPO that does the following:
- Sets the roaming profile.
- Excludes all the known folders from roaming: appdata; contacts; desktop; documents; downloads; links; pictures; saved games; favorites; music; searches; videos.
This only leaves the ntuser.dat in the roaming profile, which was our goal. Now here is the problem: by default a user has NTFS Full Control rights at the root of their profile, c:\Users\%userprofile%\, so a user can copy files or create new folders under the profile root. As these folders are not included in the GPO exclusions, they become part of the Roaming Profile. We would like to restrict users to creating folders in the known folders only. The Vista Resource Kit and Windows Server 2008 Resource Kit do not deal with this question in any of the chapters related to user profiles. I'd like to know if any of you have faced this issue and how you've addressed it? Naim.
July 22nd, 2008 11:15pm

Hi, based on my research, it seems there is currently no such tool to prevent users from modifying their own profile. You can try to configure the security permissions to address the requirement. Here is an example that denies the Administrator account the right to create folders/files in its profile root but still allows it to create folders/files in the known folders such as Documents:
1. Right-click the folder Administrator (the profile), select Properties.
2. Select the Security tab, click Advanced, click Edit.
3. In the Advanced Security Settings for Administrator dialog box, click Add, type Everyone under the box "Enter the object name to select", and then click OK.
4. Select "This folder only", and deny the permissions "Create files / write data" and "Create folders / append data". Then click OK.
Note: I suggest that you test the settings in a lab environment or on a testing machine before applying them to the production environment. Hope it helps.
July 24th, 2008 12:50pm

Hi Joson, I did something a little bit less radical than your suggestion of applying the Deny permission to the Everyone group, but I used the settings you suggested. In a logon script that targets our Vista computers I created a UserACL.cmd file with the following:
icacls %USERPROFILE% /deny "BUILTIN\USERS":(WD,AD)
This sets the deny permissions "Create files / write data" and "Create folders / append data" on this folder only for the Authenticated Users group. This even works with UAC turned on on the Vista computers. I thought I'd have to use AppLauch.wsf, but this was not the case. I have tested this and have not found any issue so far. Thank you for your help. Naim.
July 28th, 2008 10:10pm

I did find a better solution: there is a GPO setting after all that allows you to restrict users from creating files or folders in the profile root. The policy is called "Prevent users from adding files to the root of their Users Files folder" and it is located under User Configuration\Administrative Templates\Windows Components\Windows Explorer. I hope this information can help someone else. Naim
November 13th, 2008 9:40pm

More recent update. The policy that I described above, "Prevent users from adding files to the root of their Users Files folder", was not a full solution, as this policy only stops users from creating files and folders using Windows Explorer; it does not stop other applications from creating files or folders in the profile root. For example, you can use notepad.exe to save a file or create new folders there. So at logon we set the proper deny ACL so users cannot create files or folders in the profile root, with the following:
hstart.exe /noconsole "icacls %userprofile% /deny "%userdomain%\%username%":(WD,AD,WDAC)"
We used GPO Preferences to create a registry value that placed this command in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (hstart.exe is a 3rd-party tool, http://www.ntwind.com/software/utilities/hstart.html; we used it to hide the cmd window). And at logoff we grant the user the FC ACL back, as we use Roaming Profiles and not having the FC ACL with a Roaming Profile will cause issues (trust me here!). We run a GPO logoff script that has the following commands:
icacls %userprofile% /remove:d "%userdomain%\%username%"
icacls %userprofile% /grant "%userdomain%\%username%":(W,AD)
I hope this information can help others. Naim.
May 28th, 2009 9:57pm
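The logon/logoff pair described in the last post, rewritten here as an added PowerShell example (not code from the thread) using the .NET ACL classes instead of icacls, so the "This folder only" scope and the restore at logoff are explicit and the result is checked. It assumes it runs in the user's own context (as the RunOnce and logoff scripts above do), denies only WD/AD (the thread's final command also denies WDAC), and that the user still owns the profile root, which is what lets the logoff phase remove the deny entry.

```powershell
# Added example, not from the original thread. Usage: .\ProfileRootAcl.ps1 -Phase Logon
#                                                       .\ProfileRootAcl.ps1 -Phase Logoff
param([ValidateSet('Logon', 'Logoff')][string]$Phase = 'Logon')

$profileRoot = $env:USERPROFILE                     # e.g. C:\Users\naim (constructed example)
$identity    = "$env:USERDOMAIN\$env:USERNAME"      # same principal the thread's icacls uses

# WD = CreateFiles, AD = AppendData (a.k.a. CreateDirectories). InheritanceFlags None
# and PropagationFlags None is the GUI's "This folder only": the known folders
# (Documents, Desktop, ...) keep their own inherited Allow entries and stay writable.
$rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
$denyRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $profileRoot
if ($Phase -eq 'Logon') {
    # Explicit Deny ACEs are evaluated before Allow ACEs, so this wins over Full Control.
    $acl.AddAccessRule($denyRule)
} else {
    # Roaming profile sync needs the user's unrestricted rights back at logoff;
    # RemoveAccessRuleAll drops every Deny ACE for this identity on the folder.
    $acl.RemoveAccessRuleAll($denyRule)
}
Set-Acl -Path $profileRoot -AclObject $acl

# Verify: an explicit (non-inherited) Deny for the user should exist only during the session.
$denyPresent = [bool]((Get-Acl -Path $profileRoot).Access | Where-Object {
    $_.IdentityReference.Value -eq $identity -and
    $_.AccessControlType -eq 'Deny' -and
    -not $_.IsInherited })
"{0}: explicit Deny ACE on {1} present = {2}" -f $Phase, $profileRoot, $denyPresent
```

Because the check only inspects the profile root, confirm separately that a redirected known folder (for example Documents) still accepts a new file after the Logon phase.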

