

Folder redirection - root folder security setting

Posted on 2004-10-28
Medium Priority
Last Modified: 2010-04-19
I have used group policy to set up folder redirection on my Win 2003 server.  I selected the option 'Grant the User Exclusive Rights to My Documents' and everything works great.  However, I now want a security group for backup operators (users on the server) so that they can 'see' the contents of the domain users' My Documents so that they can do their backup & restore operations.

I created a new security group and gave it full control of the root folder used for redirection and set the permissions to apply to 'this folder, subfolders and files'.  

Even after I add backup users to this security group, the backup user cannot access the contents of the individual redirected My Documents folders.  The backup operators can see the root folder, the subfolders for each user and can see that each user subfolder has a My Documents subfolder, but that's as far down the tree as I can go.

What am I missing ?

I realize that when setting up folder redirection there is another setting - to NOT 'Grant the User Exclusive Rights to My Documents' , but I'm not sure what the implications are for this setting.

Question by:Rockjodo
LVL 15

Expert Comment

ID: 12433093
Ownership - if you have not taken ownership of the files and folders they will be owned by the creator, so you do not have permission to change permissions. :)

You need to take ownership of everything, then reapply the permissions.

New files added after you do this will be owned by the creator, but it won't matter as they will inherit the permissions you assign now, so backups will still happen.

Author Comment

ID: 12437294
Doesn't group policy folder redirection need the network user to be the owner of his / her version of My Documents ?  

In addition, it seems like every time GP folder redirection adds a new user I would have to manually go through the take owner for the new folder.  

There must be a better way?
LVL 15

Expert Comment

ID: 12438623
No, and no.

Ownership is really only used to decide if you have permissions beyond those listed in the security tab. If you do not own something, but have full control over it you can do anything you want to that item, including stripping everyone of their rights and taking ownership.

If a new user is added the only action is to check that your new folder has the permissions you need down the track - full access for them, your backup group and system. Any new files will gain this permission regardless of who owns them.



Author Comment

ID: 12448749
I'm still having problems with this - maybe they're conceptual - but here's the story

The administrators group owns the volume where user 'My Documents' are being redirected. (E:\) by group policy
The administrators group also owns the root folder where user 'My Documents' are being redirected (\User_Documents)
The administrators group has full control on the volume and the root folder.

Now, every time a domain user logs on to the network for the first time, Windows creates a folder for this user - as in
E:\User_documents\Joe\My Documents

Windows makes the domain user Joe the owner of 'Joe' and 'Joe\My Documents'

If I understand your note correctly, the local administrator on the server where the redirected share is located needs to take ownership of the folder
(E:\User_documents\Joe) and then apply the security settings that I want (i.e. allow the backup_group to read and write).  After I do this, do I turn ownership back to Joe?

This seems like a tedious process since we have quite a few users; so I suspect that I am missing something

Thanks again for your help.

LVL 15

Expert Comment

ID: 12450017
Yes, Yes, Yes to the first 3 statements.

Yes to both the next, Folder is created, Joe is owner and sole rightholder, although system will be there, too (to allow backups)

The local (or domain) admin will have permission to take ownership, but that is all. After taking over you can then apply permissions. I wouldn't bother changing the ownership back, as who owns it does not matter to the end user in this case.

It is easier to grant full rights to \user documents then manually create the folder for the new user as it will inherit \user documents permission. Then you just add the user to the folder and they are good to go...

Author Comment

ID: 12450502
On your last sentence 'It is easier to grant full rights .....'  -  this seems to be the crux of the problem:

The administrators group, and my new backup operators group already have full rights to \user documents, but when Windows creates the new user's folder - John\My Documents - the administrators group, and my new backup operators group rights to R+W are not getting inherited by the new John\My Documents. I'm sorry to be dense about this

Are you saying that if I manually create the folder for the user instead of letting group policy create the folder that the administrators & backup operators will be able to R+W the folder contents without having to take ownership?

LVL 15

Accepted Solution

harleyjd earned 2000 total points
ID: 12450817
Yep, exactly.

The creator of the folder is automatically its owner. If it's autocreated then it's not going to get the perms you need, the only way is by manually adding it, or going back later. It's a bummer...
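The manual pre-creation described in this thread, scripted in PowerShell as an added example (not code from any poster): it creates a user's folder under the redirection root so the root's ACEs are inherited, grants the user full control, then audits every user folder for blocked inheritance or a missing backup-group ACE. The account and group names are placeholders, and it assumes the policy's 'Grant the user exclusive rights' option is turned off, since with that option on Folder Redirection checks that the user owns a folder that already exists.

```powershell
# Added example. EXAMPLE\Joe and EXAMPLE\backup_group are hypothetical names;
# E:\User_Documents is the redirection root mentioned in the thread.
param(
    [string]$Root        = 'E:\User_Documents',
    [string]$User        = 'EXAMPLE\Joe',
    [string]$BackupGroup = 'EXAMPLE\backup_group'
)

# 1. Pre-create <root>\<user>\My Documents as an administrator.
#    Folders created this way keep inheritance on, so they pick up the
#    root's ACEs (administrators, backup group, SYSTEM).
$userDir = Join-Path $Root (($User -split '\\')[-1])
$docs    = Join-Path $userDir 'My Documents'
New-Item -ItemType Directory -Path $docs -Force | Out-Null

# 2. Add an explicit full-control ACE for the user on their own folder,
#    propagating to subfolders and files.
$acl  = Get-Acl -Path $userDir
$flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $User, 'FullControl', $flags, 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $userDir -AclObject $acl

# 3. Audit: report any user folder where inheritance is blocked or the
#    backup group has no ACE (the state auto-created folders end up in).
#    Folders the current account cannot read are reported as unreadable.
Get-ChildItem -Path $Root -Directory | ForEach-Object {
    $target = Join-Path $_.FullName 'My Documents'
    if (-not (Test-Path $target)) { return }
    try {
        $a = Get-Acl -Path $target -ErrorAction Stop
        $hasBackup = @($a.Access | Where-Object {
            $_.IdentityReference.Value -eq $BackupGroup -and
            $_.AccessControlType -eq 'Allow'
        }).Count -gt 0
        [pscustomobject]@{
            Folder             = $target
            Owner              = $a.Owner
            InheritanceBlocked = $a.AreAccessRulesProtected
            BackupGroupHasAce  = $hasBackup
        }
    } catch {
        [pscustomobject]@{ Folder = $target; Owner = 'unreadable'
            InheritanceBlocked = $null; BackupGroupHasAce = $false }
    }
} | Where-Object { $_.InheritanceBlocked -ne $false -or -not $_.BackupGroupHasAce }
```

Run it from an elevated session on the file server; an empty result from the audit step means every user folder still inherits from the root and carries the backup group's ACE.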



Question has a verified solution.
