Windows Active directory and roaming accounts permission denied issues

Arimodu (Cadet), joined Nov 16, 2022
Hello, so I am having an issue with Windows roaming profiles and TrueNAS.
I have:
Windows server 2022 Standard edition Evaluation (AD Controller)
TrueNAS (installed two weeks ago, so I'd say latest)
And two clients (win 10 and win 11)

I am trying to set up roaming profiles where:
`\\truenas\Share` is the root share directory (Where users with the security group `Share Data Access` have full control rights)
`\\truenas\Profiles` is the share for roaming profiles, is located in `\\truenas\Share\Profiles` and has the hidden and system attributes
`\\truenas\Home` is the share for the user Home drive, is located in `\\truenas\Share\Home` and has the hidden and system attributes

What I want:
Users in the `Share Data Access` group have the `\\truenas\Share` directory and their respective Home directory from `\\truenas\Home` auto-mounted on login
Users in the `Roaming User Profile Users` group have a roaming profile located at `\\truenas\Profiles`
Users in the `Domain Admins` built-in group have read-only access to User profiles and home directories
Users in the `Administrators` built-in group have full access to User profiles and home directories

The issue:
The access to the `\\truenas\Share` directory works fine, then I followed this to set up roaming profiles: https://learn.microsoft.com/en-us/w...lder-redirection/deploy-roaming-user-profiles
I set the permissions of the `Roaming User Profile Users` on the `Profiles` folder to `List folder / read data` and `Create folders / append data` from the AD server and set the owner to the disabled built-in `Administrator` account.
Testing with my admin profile, who is a member of all previously mentioned groups, everything seems to work fine, but when I tried to check with a user without the `Administrators` group, access to `\\truenas\Home` and `\\truenas\Profiles` is denied, but they can still access the `\\truenas\Share` directory. (It's denied too if browsing to those folders from the Share directory.)
After some testing I determined that the only way to gain access from an unprivileged account is to give a group or the user almost full control access over the directory (Share or Home). This includes the ability to write, delete and change permissions too, which is a no-no. Users also only see directories where they are owner, so `Administrators` and `Domain Admins` only see their own folders. (Enumeration view is disabled, so no idea why this is happening.)
How do I make this work, if it even is possible?
Thank you

P.S: All machines mentioned are virtualized under Hyper-V for testing and connected together via a single Private Switch

P.S 2: I can post screenshots, or if someone here uses Parsec you can check it out directly yourselves if you want / need to. English is not my first language, so if something is unclear, ask.
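An added example (not from the original post) that audits the NTFS ACLs on the `Profiles` and `Home` shares against the rights the post says each group should have, which is the first check to make before changing anything. It assumes it runs on a domain-joined admin workstation that can reach the UNC paths, that `EXAMPLE` is a placeholder for the real NetBIOS domain name, and that "read-only" for `Domain Admins` maps to the `ReadAndExecute` rights set.

```powershell
# Added example: compare the effective Allow ACEs on each share with the
# rights described in the post. Group and share names are the post's own;
# the domain name is a placeholder.
$Domain = 'EXAMPLE'

$Expected = @{
    '\\truenas\Profiles' = @{
        "$Domain\Roaming User Profile Users" = 'ListDirectory, CreateDirectories'
        "$Domain\Domain Admins"              = 'ReadAndExecute'   # assumed mapping of "read-only"
        'BUILTIN\Administrators'             = 'FullControl'
    }
    '\\truenas\Home' = @{
        "$Domain\Domain Admins"  = 'ReadAndExecute'
        'BUILTIN\Administrators' = 'FullControl'
    }
}

# Synchronize is set on almost every ACE and is not a meaningful difference.
$Sync = [System.Security.AccessControl.FileSystemRights]::Synchronize

foreach ($Path in $Expected.Keys) {
    Write-Host "== $Path"
    $acl = Get-Acl -Path $Path
    Write-Host "Owner: $($acl.Owner)"
    foreach ($Principal in $Expected[$Path].Keys) {
        $want = [System.Security.AccessControl.FileSystemRights]$Expected[$Path][$Principal]
        $aces = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Principal -and $_.AccessControlType -eq 'Allow'
        }
        if (-not $aces) { Write-Host "  MISSING  $Principal has no Allow ACE"; continue }
        # Merge all Allow ACEs for the principal into one rights mask.
        $have = [int]0
        foreach ($a in $aces) { $have = $have -bor [int]$a.FileSystemRights }
        $have = $have -band (-bnot [int]$Sync)
        $extra = $have -band (-bnot [int]$want)   # granted but not intended
        $lacks = [int]$want -band (-bnot $have)   # intended but not granted
        $state = if ($extra -or $lacks) { 'DIFFERS' } else { 'ok' }
        $haveName = [System.Security.AccessControl.FileSystemRights]$have
        Write-Host ("  {0,-8} {1}: has {2}" -f $state, $Principal, $haveName)
        if ($extra) { Write-Host ("           extra: {0}" -f [System.Security.AccessControl.FileSystemRights]$extra) }
        if ($lacks) { Write-Host ("           lacks: {0}" -f [System.Security.AccessControl.FileSystemRights]$lacks) }
    }
}
```

Inherited ACEs that carry generic rights show up as large numeric values rather than names; if you see those, also check the ACL on the parent `\\truenas\Share` folder, since the post says the hidden `Profiles` and `Home` folders live under it.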