Windows Server 2008 R2 Roaming Profiles

Tags: network-share, ntfs, roaming-profile, windows-server-2008

I'm having a bit of an issue getting roaming profiles set up with Server 2008 R2. Here are the permissions that I have set on the roaming profile share:

Share Permissions

Administrators - Full
SYSTEM - Full
Authenticated Users - Full

NTFS Permissions

Administrators - Full
CREATOR OWNER - Full
SYSTEM - Full
Authenticated Users - List Folder/Read Data, Read, Create Folders/Write Data (This Folder Only)

This seems to be working without a problem; the profile is automatically created for the user when they first log in.

The issue that I am having is that I don't want users to be able to just create folders in the roaming profile share, but if I remove that permission, nothing gets created.

Best Answer

If you want the profile folders to be created at first login by the user, then you are stuck with these permissions. While synchronizing a user's profile folder at login/logout to the profile share, the user's security settings are used, so if the user does not have permissions to create a folder on the profile share, you have a problem.

Unfortunately, there is no way to give users permission to create just their own folder and no more.

I think a way around it would be for you to precreate profile folders on the profile share for your users (and give each user full permissions on their own profile folder), before their first logon. The users should then only need permissions to traverse/read contents of the profile share (this folder only).

Note that my experience with this is with Win2k and Win2k3 (for now), not Win2k8, but I don't think it should be that different.
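
The pre-creation approach from the answer above, sketched as an added example (not part of the original post or answer). The share path, domain name, user list and the `.V2` folder suffix used by Vista/Windows 7-era clients are assumptions to adjust for your environment.

```powershell
# Added example: pre-create roaming profile folders so that users need no
# "Create Folders" right on the profile share root. Run elevated on the file server.
# All values below are placeholders / assumptions, not taken from the original post.
$ProfileRoot = 'D:\Profiles'      # hypothetical local path behind the profile share
$Domain      = 'EXAMPLE'          # placeholder NetBIOS domain name
$Users       = 'alice', 'bob'     # placeholder sAMAccountNames
$Suffix      = '.V2'              # assumed suffix for Vista/7-era client profiles

# Share root: drop inherited ACEs and the CREATOR OWNER entry, keep full control
# for Administrators and SYSTEM (inherited by subfolders), and give users only
# read/traverse on this folder itself (no inheritance flags = "This folder only").
icacls $ProfileRoot /inheritance:r /remove 'CREATOR OWNER' `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
             'NT AUTHORITY\Authenticated Users:(RX)'

foreach ($u in $Users) {
    $account = "$Domain\$u"
    $dir     = Join-Path $ProfileRoot ($u + $Suffix)

    # Create the folder before the user's first logon.
    if (-not (Test-Path $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }

    # Give only this user full control of their own folder and everything below it.
    icacls $dir /grant:r "${account}:(OI)(CI)F"
    if ($LASTEXITCODE -ne 0) { Write-Warning "Granting rights failed for $dir"; continue }

    # Make the user the owner. Windows checks the owner of a roaming profile folder
    # at logon unless the policy "Do not check for user ownership of Roaming
    # Profile Folders" is enabled.
    icacls $dir /setowner $account
    if ($LASTEXITCODE -ne 0) { Write-Warning "Setting owner failed for $dir" }
}

# Review the result: no user except the owner should appear on a profile folder.
Get-ChildItem $ProfileRoot | ForEach-Object { icacls $_.FullName }
```

The share permissions can stay as listed in the question; the NTFS ACL on the root is what prevents users from creating arbitrary folders.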