Group Policy Setting of the Week 15 – Add the Administrator security group to roaming users profiles

This week I have decided to chose “Add the Administrator security group to roaming users profiles” as the setting of the week. This setting can be found under “Computer Configuration > Policies > Administrative Templates > System > User Profiles” and applied to Windows XP / 2003 or later.

image

This setting adds the administrator ACL to the users roaming profile path on the server when it is first created. This greatly helps your user administrator as they don’t need to perform complicated take ownership and permission changes when they need to access a users profile to do something like a file restore or profile move.

In my experience unless the privacy of the users personal files on your companies file server needs to be guaranteed this option is normally enabled.

BUT!!!! Be very sure that you enable this option as soon as possible as this setting does NOT apply retrospectively to existing users profiles as it only applied the administrators group to the profile when the roaming profile when  it is created on the server for the first time.

Author: Alan Burchill

Microsoft MVP (Group Policy)

11 thoughts on “Group Policy Setting of the Week 15 – Add the Administrator security group to roaming users profiles

  1. Excellent post,
    Clear with good explaination. I have been trying to find the GP setting for sometime.

  2. Can I just say what a relief to find someone who truly understands what they are discussing over the internet.
    You definitely realize how to bring an issue to light
    and make it important. More people have to check this out and understand this
    side of your story. It’s surprising you’re not more popular because you certainly have the gift.

  3. I know this is a 6 year old topic, but this is one of the pages that came up in my research on the subject to correct where this wasn’t previously set. Wanted to provide the same fix that I found elsewhere:

    Per this page (https://www.microsoftpressstore.com/articles/article.aspx?p=2225079&seqNum=3) You can put a user logoff script in place that will allow you to get the already created folders permissioned so your administrators can access and it’s basically one command that gets run:

    icacls.exe \\servername.domain.tld\share\%username%.%userdomain%.v2 /grant “DomainName\AdminGroupName”:F /T /Q

    1. Brilliant. I keep meaning to knock a scrip like this up but that’s perfect thank you for sharing.

Leave a Reply to Trond E HaavarsteinCancel reply