At work we currently have many users with roaming profiles and I am generally happy with the way those are configured (ie which folders to ignore etc.), the one thing that worries me is the share permissions. The folder is shared as profiles$ with Everyone full control on the share. Permissions on that folder are then set as "Users" full control of that folder, SYSTEM (is this needed?), <localmachine>\Administrators have full control of that folder and subdirectories and files. and CREATOR OWNER has full control of subfolders and files only... is this agood way to go? I know Administrators should generally have full access but do we have too much power? Same goes for documents, in AD users and computers we map a drive to a network share with similar permissions - there is nothing to stop us checking out directors documents - it doesn't feel right? But if we stop Administrators being able to check these folders then it makes it hard for us to manage them, it just seems very bad for security even though I am very used to locking my console even if I turn away. How do you guys have yours setup?