The appropriate permissions must be configured on the ProfileUnity storage path in order for ProfileUnity to operate properly.
Deployment Path and ProfileUnity Administrator Permissions
| User Account | Recommended Permissions | Target |
|---|---|---|
| Authenticated Users | Read Only | Deployment Paths |
| ProfileUnity Administrators | Modify |
Deployment Paths |
|
ProfileUnity Administrators |
Read Only |
Active Directory, Users, Groups, OUs |
|
ProfileUnity Administrators |
Read Only |
File shares for printers and importing shortcuts or registry keys. |
Home Share Permissions for Portability/ProfileDisk Without CAC
Share Permissions
The recommended share permissions for the share are to match the NTFS permissions or rely solely on NTFS and set the share permissions to Everyone, Full Control.
NTFS Permissions
The following table lists the basic recommended NTFS permissions for each user account for the storage path.
| User Account | Recommended Permissions | Folder |
|---|---|---|
| Administrators | Full Control | This folder, subfolders, and files |
| Authenticated Users | Modify | This folder only |
| Creator/Owner | Modify | Subfolders and files only |
Redirected or Home Folders
Additionally, the Microsoft Support article entitled, "How to dynamically create security-enhanced redirected folders or home folders," suggests using the following steps for configuring settings for security-enhanced redirected folders or home folders:
- Select and share a central location in your environment where you would like to store home folders.
- Set Share Permissions for the Everyone group to Full Control.
- Use the following settings for NTFS Permissions:
- CREATOR OWNER —Full Control (Apply onto: Subfolders and Files Only)
- System —Full Control (Apply onto: This Folder, Subfolders and Files)
- Domain Admins —Full Control (Apply onto: This Folder, Subfolders and Files)
- Everyone —Create Folder/Append Data (Apply onto: This Folder Only)
- Everyone —List Folder/Read Data (Apply onto: This Folder Only)
- Everyone —Read Attributes (Apply onto: This Folder Only)
- Everyone —Traverse Folder/Execute File (Apply onto: This Folder Only)
- Pay attention when configuring the home directory or folder redirection policies. If you enable the setting to give the user exclusive access to the folder, you will override the inherited permissions and you will need to reset the ACL.
FlexApp Share Permissions
Share Permissions
The recommended share permissions for the share are to match the NTFS permissions or rely solely on NTFS and set the share permissions to Everyone, Full Control.
NTFS Permissions
Listed below are the recommended level NTFS permissions for the storage path.
| User Account | Recommended Permissions | Folder |
|---|---|---|
| Administrators | Full Control | This folder, subfolders, and files |
| FlexApp Packaging Account(s) | Modify | This folder, subfolders, and files |
| Authenticated User | Read and Execute | This folder, subfolders, and files |
ProfileDisk Share Permissions With CAC and Secondary Logon Service Enabled
Share Permissions
The recommended share permissions for the share are to match the NTFS permissions or rely solely on NTFS and set the share permissions to Everyone, Full Control.
NTFS Permissions
Listed below are the recommended level NTFS permissions for the storage path.
| User Account | Recommended Permissions | Folder |
|---|---|---|
| Administrators | Full Control | This folder, subfolders, and files |
| ProfileUnity As a Service Account | Modify | This folder, subfolders, and files |
ProfileDisk Share Permissions Secondary Logon Service Disabled
Share Permissions
The recommended share permissions for the share are to match the NTFS permissions or rely solely on NTFS and set the share permissions to Everyone, Full Control.
NTFS Permissions
Listed below are the recommended level NTFS permissions for the storage path.
| User Account | Recommended Permissions | Folder |
|---|---|---|
| Administrators | Full Control | This folder, subfolders, and files |
| Domain Computers | Modify | This folder, subfolders, and files |
Console Service Account Permissions
| User Account | Recommended Permissions | Target |
|---|---|---|
| ProfileUnity Console Service Account | Modify | Deployment Paths |
| ProfileUnity Console Service Account | Read Only | Active Directory, Users, Groups, OUs |
| ProfileUnity Console Service Account | Read Only | File shares for printers and importing shortcuts or registry keys. |
