TSI-WLV

asked on

Folder redirection permission question

I'm playing with a test Windows Server 2003 domain controller with roaming profiles and folder redirection. I have a folder C:\Users\username where it stores the desktop and My Documents contents etc. How do I set the permissions so that the users can only see what's in their folder when they browse the network? If I take permissions off of the Users folder then the files don't get copied to their username folder. But if I leave permissions as is on the Users folder then they can see each other's files.

Do I have to go to each username folder and change the permissions so that only that particular user can see his files? I would think you can do it all at once.
TSI-WLV

ASKER

Also when I'm logged on to the server as administrator and go to the C:\Users\username folder I don't have permission to see what's in the folder or change the security unless I take ownership. Is that the way it is supposed to be? If I take ownership it seems to mess things up.
TSI-WLV

ASKER

Same thing with the Profiles\username folders
SOLUTION
dooleydog
ASKER CERTIFIED SOLUTION
Hypercat (Deb)
TSI-WLV

ASKER

I think I may have messed something up when playing with it. If I log on a new user that hasn't logged on yet it will make the username folder under Users and I can't access it when browsing as a different user, which is what I want.

I have 2 other users that I can view their folder contents while browsing (I was playing with those 2 users' permissions). I changed the permissions to match the user that can't be browsed but I can still see their files so I wonder what I'm missing?

Also when logged on as administrator locally on the server I still can't access the users files without taking control of the username folder. The administrator acct has full control under the security properties though. Is this normal?

As far as changing the permissions, try logging off and on again - sometimes permissions changes don't take effect immediately.

What you said in your last paragraph doesn't make any sense.  If you are logged on to the server with the Administrator account, and that account has NTFS "full control" permissions to the folder, you should at least be able to open the folder.  You may not be able to go any further, though, if the individual files and/or folders at the lower levels are not inheriting their permissions. Did you check this?
TSI-WLV

ASKER

It says I don't have permission to view or edit the permissions but can take ownership. I can open the Users folder and see the Desktop and My Documents folder but can't open them. Should I be able to open them if I have full control? There is NTFS full control applied to the Users folder. I can't see what's applied to the subfolders without taking ownership.

That sounds like what has happened is that you have permissions to the user's folder, but not to the Desktop or My Documents folders inside that folder.  That would be normal behavior, since the system will give only the user ownership and full control of the redirected folders.  You can change this, but it has to be manually and carefully.  If you need to have access as administrator to these folders, you would have to:

1.  Take ownership.
2.  Add the Administrator account or Domain Admins group to the security tab with full permissions.
3.  Change ownership back to the user's account.

Then you would be able to access the files/folders but the user would still be the owner which is necessary for folder redirection to work.
TSI-WLV

ASKER

So here is where we are at.

I set a profile path, home directory mapped to a drive letter and folder redirection.

When I log in a new user for the first time it makes the profile and home/username folders and the users cannot see each other's documents. So that is good.

It maps my assigned drive letter to their home directory which is good too.

For one of the 2 users who has his files accessible to everyone, I deleted the username folder and had Windows recreate it when I logged him in. It didn't fix the permissions though. I suppose I can delete the account and start over but would like to know what happened to the permissions.

When logged in as admin locally on the server I can see the Users\username folders and their subfolders such as My Documents but cannot see the contents of My Documents unless I take ownership.

That's weird - I don't know why you would be having that permissions problem except that maybe there is some corruption in his profile.  I would try deleting his user folder again, and then also rename the local copy of his profile that is stored on his workstation (or wherever you are logging him on), so that won't interfere.  This will give him a completely new profile from scratch both locally and on the server.  See if the permissions are correct at that point.  Then, you can copy the documents and favorites or anything else you need to preserve from the old profile into the new profile, and the files will take on the security settings of the new set of profile folders.
TSI-WLV

ASKER

I deleted one of the user's AD account, profile and users folders and then recreated the account. That solved the problem of other users being able to access his files. I would still like to know what the problem was. Deleting the local profile along with the server profile didn't help.

As for the administrator not being able to access the folders locally it was because the ownership of the Users and Profiles root folders was set to Administrator instead of AdministratorS.

Jay Jay70, I saw that article earlier this morning. It's a good one.

Couldn't tell you why that happened like that, very odd that you would need to delete the user...
TSI-WLV

ASKER

Now I'm getting a strange thing happening. If I make a new user acct, log it in and then out and check the Users\username folder on the server I can see the My Documents etc but can't access them. If I log in one of my existing accounts that hasn't been logged in yet I can access the My Documents folder just fine after logging off.

Also the accts that don't let me access them have My Pictures and My Music in the My Documents folder while the other accts don't have anything.
TSI-WLV

ASKER

Also when I log in with an account in a different OU (Users OU) that doesn't have folder redirection or roaming profiles it does a sync when I log off. Is that normal? The accts with the roaming profiles and folder redirection are in their own OU.
TSI-WLV

ASKER

I deleted all of the profiles and username folders and recreated everything and now it's working fine... for now.

In order to be able to access the Profiles\username folders I have to give the administrator acct ownership all the way down, then grant the admin acct full control access, then give the original user ownership all the way down again. ntbackup will back it up without having to do this but I can't copy and paste the folders without giving the admin acct permissions manually first.

Yes, the ownership trick is fairly common when dealing with roaming profiles, I have had to use it a few times.
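
The three-step sequence from the earlier answer (take ownership, add the admin entry, give ownership back) and the "all the way down" version described just above, as an added example that is not from any poster in this thread. The folder path, domain, user name and backup file name are placeholders, and it assumes `takeown` and `icacls` are both present on the server.

```bat
@echo off
rem Added example. TARGET, OWNER and ACLBACKUP are placeholder values.
setlocal
set "TARGET=C:\Users\jdoe"
set "OWNER=EXAMPLE\jdoe"
set "ACLBACKUP=%TEMP%\jdoe-acl-before.txt"

rem 1. Take ownership for the Administrators group (/A) rather than the single
rem    Administrator account, recursing (/R) and answering Y (/D Y) when a
rem    subfolder cannot be listed yet.
takeown /F "%TARGET%" /A /R /D Y || goto :fail

rem The owner can read the ACLs, so save them before changing anything.
icacls "%TARGET%" /save "%ACLBACKUP%" /T /C || goto :fail

rem 2. Add (not replace) a full-control entry for Administrators that
rem    inherits to subfolders (CI) and files (OI). The user's entry is kept.
icacls "%TARGET%" /grant "BUILTIN\Administrators:(OI)(CI)F" /T /C || goto :fail

rem 3. Hand ownership back to the user, which folder redirection relies on.
icacls "%TARGET%" /setowner "%OWNER%" /T /C || goto :fail

rem 4. Check the result: owner column from dir /Q, then the ACL itself.
dir /Q /A:D "%TARGET%"
icacls "%TARGET%"
exit /b 0

:fail
echo Step failed with errorlevel %errorlevel%. ACL backup, if written: %ACLBACKUP%
exit /b 1
```

Run it from an administrative command prompt on the file server, once per user folder; the saved ACL file can be reapplied with `icacls /restore` against the parent folder if the result is not what was intended.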
TSI-WLV

ASKER

Since it's working now we can consider this done. Thanks for all the help!

Excellent :)
stevek65

Did you have to delete the active directory user profiles or just the user folders?