Rockjodo

asked on

Folder redirection - root folder security setting

I have used group policy to set up folder redirection on my Win 2003 server.  I selected the option 'Grant the User Exclusive Rights to My Documents' and everything works great.  However, I now want a security group for backup operators (users on the server) so that they can 'see' the contents of the domain users' My Documents so that they can do their backup & restore operations.

I created a new security group and gave it full control of the root folder used for redirection and set the permissions to apply to 'this folder, subfolders and files'.  

Even after I add backup users to this security group, the backup user cannot access the contents of the individual redirected My Documents folders.  The backup operators can see the root folder, the subfolders for each user and can see that each user subfolder has a My Documents subfolder, but that's as far down the tree as I can go.

What am I missing ?

I realize that when setting up folder redirection there is another setting - to NOT 'Grant the User Exclusive Rights to My Documents' , but I'm not sure what the implications are for this setting.

dmcentee@ktis.net
harleyjd

Ownership - if you have not taken ownership of the files and folders they will be owned by the creator, so you do not have permission to change permissions. :)

You need to take ownership of everything, then reapply the permissions.

New files added after you do this will be owned by the creator, but it won't matter as they will inherit the permissions you assign now, so backups will still happen.
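
The take-ownership-then-reapply procedure described in the answer above, scripted for every user folder under the redirection root. This is an added example, not part of the original posts. It assumes an administrator session on the file server with PowerShell and `icacls.exe` available (icacls ships with Server 2003 SP2 and later); `EXAMPLE\Backup_Group` is a placeholder group name, and `E:\User_documents` is the root named later in the thread.

```powershell
# Added example: values below are assumptions, adjust before use.
$Root        = 'E:\User_documents'      # redirection root from the thread
$BackupGroup = 'EXAMPLE\Backup_Group'   # placeholder domain\group name

function Repair-RedirectedFolder {
    param([string]$Path, [string]$Group)

    # Step 1: take ownership for the Administrators group (/A), recursively (/R).
    # /D Y answers the prompt shown when a subfolder cannot even be listed
    # (the "Y" is the English-locale answer).
    & takeown.exe /F $Path /A /R /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { return "FAILED takeown: $Path" }

    # Step 2: add an ACE for the backup group that subfolders (CI) and files (OI)
    # inherit, and push it onto existing children (/T). /grant without :r adds to
    # the DACL, so the user's and SYSTEM's existing entries are left in place.
    # M = Modify (read + write); use F to match the Full Control used in the thread.
    & icacls.exe $Path /grant "${Group}:(OI)(CI)M" /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) { return "FAILED icacls: $Path" }

    return "OK: $Path"
}

# Process each per-user folder directly under the root and report the outcome.
Get-ChildItem -Path $Root |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Repair-RedirectedFolder -Path $_.FullName -Group $BackupGroup }

# Show the resulting ACL on the root's first user folder for a manual check.
$first = Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | Select-Object -First 1
if ($first) { & icacls.exe $first.FullName }
```

Folders created by folder redirection after the script has run are not covered, so it has to be re-run (or scheduled) when new users are added.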

ASKER

Doesn't group policy folder redirection need the network user to be the owner of his / her version of My Documents ?  

In addition, it seems like every time GP folder redirection adds a new user I would have to manually go through the take owner for the new folder.  

There must be a better way?
No, and no.

Ownership is really only used to decide if you have permissions beyond those listed in the security tab. If you do not own something, but have full control over it you can do anything you want to that item, including stripping everyone of their rights and taking ownership.

If a new user is added the only action is to check that your new folder has the permissions you need down the track - full access for them, your backup group and system. Any new files will gain this permission regardless of who owns them.

I'm still having problems with this - maybe they're conceptual - but here's the story

The administrators group owns the volume where user 'My Documents' are being redirected. (E:\) by group policy
The administrators group also owns the root folder where user 'My Documents' are being redirected (\User_Documents)
The administrators group has full control on the volume and the root folder.

Now, every time a domain user logs on to the network for the first time, Windows creates a folder for this user - as in
E:\User_documents\Joe\My Documents

Windows makes the domain user Joe the owner of 'Joe' and 'Joe\My Documents'

If I understand your note correctly, the local administrator on the server where the redirected share is located needs to take ownership of the folder
(E:\User_documents\Joe) and then apply the security settings that I want (i.e. allow the backup_group to read and write).  After I do this, do I turn ownership back to Joe ?

This seems like a tedious process since we have quite a few users; so I suspect that I am missing something

Thanks again for your help.

Yes, Yes, Yes to the first 3 statements.

Yes to both the next, Folder is created, Joe is owner and sole rightholder, although system will be there, too (to allow backups)

The local (or domain) admin will have permission to take ownership, but that is all. After taking over you can then apply permissions. I wouldn't bother changing the ownership back, as who owns it does not matter to the end user in this case.

It is easier to grant full rights to \user documents then manually create the folder for the new user as it will inherit \user documents permission. Then you just add the user to the folder and they are good to go...
On your last sentence 'It is easier to grant full rights .....'  -  this seems to be the crux of the problem:

The administrators group, and my new backup operators group already have full rights to \user documents, but when Windows creates the new user's folder - John\My Documents - the administrators group, and my new backup operators group rights to R+W are not getting inherited by the new John\My Documents. I'm sorry to be dense about this

Are you saying that if I manually create the folder for the user instead of letting group policy create the folder that the administrators & backup operators will be able to R+W the folder contents without having to take ownership?

Thanks
ASKER CERTIFIED SOLUTION
harleyjd
