Admin access to profiles.

  • Thread starter: Anteaus

Anteaus

Just wondered what other admins do about problems with user profiles,
especially roaming copies on server shares.

The key issue is that the permissions on profile folders are set such that
not even the Administrator or Domain Admin accounts can see or access the
contents. Thus if there is a problem within a profile, the only action
available is to forcibly take possession of the folder, and then over-write
its permissions. Yet, doing so is the functional equivalent of 'wrecking-bar
engineering' and is likely to lead to further damage/trouble.

In these circumstances, do we just say to the user, "Sorry, but we can't
help you, as Microsoft have declared that Administrators are not trustworthy
enough to be allowed access to users' files" - Or... what?
 
Yes, it seems like a good idea to do this when setting up a domain,
unfortunately it doesn't help when you're dealing with a problem on an
existing server, as it only applies to new accounts.

You wonder why the system was designed like this in the first place.
Common sense dictates that there should at least be a way (other than hacking)
for an admin to delete expired and useless data. Even this is difficult as it
stands.
 
Anteaus said:
Yes, it seems like a good idea to do this when setting up a domain,
unfortunately it doesn't help when you're dealing with a problem on an
existing server, as it only applies to new accounts.

You wonder why the system was designed like this in the first place.
Common sense dictates that there should at least be a way (other than
hacking) for an admin to delete expired and useless data. Even this
is difficult as it stands.

Agreed, it should be that way by default (or the GPO should also make the
changes to the existing folders).
Time for xcacls.
 