[spoofer]

Hello,

I'm looking for the right procedure to implement roaming profiles and homedirs.
Currently i set up a home test lab with a server and a client

I made a script that creates my OU's and users.
Now when it creates the users, it grabs the data from an excel spreadsheet.
I also included a line in this script that automatically sets the path to the profile and the homedir
(\\server\userData\homes$ and \\server\userData\profiles$)
I shared these two folders (share permissions - read)

1) Does this folder need everyone - Full Control ?

Now i want to use these account, so logon from a client with a random user account
What i thought would happen is, the user profiles gets created and gets copied to the profiles folder on the server, same for the homedir.

Now when i logon from the client this goes very slow, too slow i think.
So is there something wrong with the way i set it up ? If so, what am i doing wrong ?

Thanx in advance everyone.

[jasonboche]

Quote:

Originally Posted by spoofer

Hello,

I'm looking for the right procedure to implement roaming profiles and homedirs.
Currently i set up a home test lab with a server and a client

I made a script that creates my OU's and users.
Now when it creates the users, it grabs the data from an excel spreadsheet.
I also included a line in this script that automatically sets the path to the profile and the homedir
(\\server\userData\homes$ and \\server\userData\profiles$)
I shared these two folders (share permissions - read)

1) Does this folder need everyone - Full Control ?

A. Never use the "everyone" group

B. The roaming profiles share (and underlying NTFS permissions) will need to be ACLd for modify permissions for the user ID who owns the folder. It does not need full control. That's another thing to stay away from. Granting your users Full Controll allows them to play with NTFS permissions and that's a recipe for their own demise. The only one who ever needs full control is an administrator. I have yet to ever come across an application that would need full control. At most they will need MODIFY. The only 2 things that FULL CONTROL gives someone beyond MODIFY is the ability to change permissions and the ability to take ownership of files and folders.

C. If that data folder is their home folder, you are going to need more than just READ permissions on that guy too. MODIFY should do the trick.

Quote:

Originally Posted by spoofer

Now i want to use these account, so logon from a client with a random user account
What i thought would happen is, the user profiles gets created and gets copied to the profiles folder on the server, same for the homedir.

Now when i logon from the client this goes very slow, too slow i think.
So is there something wrong with the way i set it up ? If so, what am i doing wrong ?

Thanx in advance everyone.

[spoofer]

Quote:

Originally Posted by jasonboche

A. Never use the "everyone" group

B. The roaming profiles share (and underlying NTFS permissions) will need to be ACLd for modify permissions for the user ID who owns the folder. It does not need full control. That's another thing to stay away from. Granting your users Full Controll allows them to play with NTFS permissions and that's a recipe for their own demise. The only one who ever needs full control is an administrator. I have yet to ever come across an application that would need full control. At most they will need MODIFY. The only 2 things that FULL CONTROL gives someone beyond MODIFY is the ability to change permissions and the ability to take ownership of files and folders.

C. If that data folder is their home folder, you are going to need more than just READ permissions on that guy too. MODIFY should do the trick.

Ok so what i basicly have to do is
1) create the needed groups (place global groups in domain local groups, where i put the permissions on)
2) place the domain local groups in the share acl for both the folders
3) set the share permission to change

is this correct ?

// ok i did the steps as above and think there is still something wrong

Now the folder for the user gets created in the profiles folder on my server
But on the client side, i keep seeing, Loading personal data (setting up the new profile on the server probably ?)

For NTFS permissions on both the folders
I just had to add the correct group to the ACL of the homes share and give that usergroup modify, right ?
Profiles share just needed the standard NTFS permissions ?