Roaming Profiles Permissions
I am running Win 2k8 R2, and I have an issue that I just can't seem to get around. When new profile folders are created, SYSTEM, the user, and local administrators are all assigned full rights (we have the GPO enabled to add administrators).
But what I'd like to do is to add another security group to this, so that each time the folders are created, a specific AD group also gets full rights to these folders. I'm sure that this can be done via a recursive script on a scheduled basis, but for troubleshooting purposes, we need this to happen in real time. Plus, I don't want to take up system resources running a script to parse through all of the users we have.
Any suggestions are welcome, thank you.
September 17th, 2010 11:32pm
Hi,
Circumstances that add users or security groups to the permissions on roaming profile folders can lead to mistakes and failures; the only way to get what you want is to include the group in the Domain Admins group.
HTH
Edoardo Benussi - Microsoft MVP
Management Infrastructure - Systems Administration
https://mvp.support.microsoft.com/Profile/Benussi
Windows Server Italian Forum Moderator
edo[at]mvps[dot]org
September 18th, 2010 2:59am
What you're suggesting is extremely dangerous and poses many security risks. It seems irresponsible to me to avoid the potential for mistakes and/or failures by bypassing security. If we wanted to do that, we'd just add this group to the local administrators group on the file server.
If anyone else has any suggestions on how to accomplish this, please let me know.
September 18th, 2010 10:36am
What you're suggesting is extremely dangerous and poses many security risks. It seems irresponsible to me to avoid the potential for mistakes and/or failures by bypassing security. If we wanted to do that, we'd just add this group to the local administrators group on the file server.
Even adding another security group to roaming profile permissions is dangerous, but above all extremely useless, IMVHO.
Edoardo Benussi - Microsoft MVP
Management Infrastructure - Systems Administration
https://mvp.support.microsoft.com/Profile/Benussi
Windows Server Italian Forum Moderator
edo[at]mvps[dot]org
September 19th, 2010 2:52am
Why not just add another security group to the parent folder, a security group ACL which will be inherited when a new user logs in and the user profile directory is created? For the ones that are already created you could use the command line tool "icacls" to create a script to add the security groups once and for all, after thorough testing I might add.
Blogging about Windows for IT pros at
www.theexperienceblog.com
September 19th, 2010 8:26am
I guess I've never addressed this type of issue on these forums. Edoardo, if you think this is useless, that's fine, but you're not us, and for us, it's absolutely not useless. Your comments simply aren't productive.
Andreas, I have added the group at the parent level, but the mechanism within Windows when it creates the folder removes inheritable permissions and assigns its own. If there was a way for the Profiles folder to work more like a home folder (from an inheritable permissions standpoint), that would work for us as well. But so far, I've found nothing.
September 19th, 2010 12:45pm
You are absolutely right about the inheritance of the permissions when using roaming profiles; I had my mind on folder redirection, my mistake, sorry about that.
What you could do is to create a scheduled task which for instance activates on logon events (on the domain controller(s)), which then runs a script setting the necessary permissions if not already there.
Blogging about Windows for IT pros at
www.theexperienceblog.com
September 19th, 2010 1:41pm
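One way to script what Andreas describes (a logon-triggered task that grants the group only where the ACE is missing, plus the one-off icacls pass for existing folders), as an added PowerShell example that is not from the thread; the share path and group name are placeholders, and the optional user name is assumed to come from the logon event that fires the task:

```powershell
# Added example, not from the thread. Grants an AD group Full Control on roaming
# profile folders that do not already carry that ACE, using icacls for the write.
# Assumptions (placeholders to adjust): the share path and the group name below.
param(
    [string]$ProfileRoot = '\\FILESERVER\Profiles$',   # assumption: your profile share
    [string]$Group       = 'CONTOSO\ProfileAdmins',     # assumption: the AD group to add
    [string]$User        = ''                           # optional: limit the run to one user
)

# On 2008 R2 each roaming profile folder is named <user>.V2. When a user name is
# supplied (taken from the logon event that triggered the task) only that user's
# folder(s) are touched, so the per-logon run stays cheap; with no user given the
# script performs the one-off pass over every existing profile folder.
$filter = if ($User) { "$User.V*" } else { '*' }
$full   = [System.Security.AccessControl.FileSystemRights]::FullControl

Get-ChildItem -Path $ProfileRoot -Filter $filter |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $folder = $_.FullName
        $acl    = Get-Acl -Path $folder

        # Idempotency check: is there already an Allow ACE granting the group Full Control?
        $present = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Group -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full)
        }
        if ($present) {
            Write-Verbose "$folder already grants $Group Full Control"
            return
        }

        # icacls (the tool mentioned earlier in the thread) rewrites only the DACL, so
        # the folder's owner (the user) is left as Windows set it. (OI)(CI) makes the
        # ACE inherit to the files and subfolders the profile sync creates later.
        & icacls.exe $folder /grant "${Group}:(OI)(CI)F" /Q | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "icacls failed on $folder (exit code $LASTEXITCODE)"
        } else {
            Write-Output "Granted $Group Full Control on $folder"
        }
    }
```

The task account needs rights on the share itself; with the "Add the Administrator security group to roaming user profiles" policy the OP already has enabled, running it as a local administrator of the file server is sufficient.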
That's an interesting idea. I'll look into that. Thanks!
If MS is watching this, it would be nice to be able to apply a GPO allowing additional groups to be added besides local administrators.
September 19th, 2010 5:00pm