Folder redirection - root folder security setting

Posted on 2004-10-28
Last Modified: 2010-04-19
I have usd group policy to setup folder redirection on my Win 2003 server.  I selected the option 'Grant the User Exclusive Rights to My Documents' and everything works great.  However, I now want to security group for backup operators (users on the server) so that they can 'see' the contents of the domain users My Documents so that they can do their backup & restore operations.

I created a new security group and gave it full control of the root folder used for redirection and set the permissions to apply to 'this folder, subfolders and files'.  

Even after I add backup users to this security group, the backup user can not access the contents of the individual redirected My DOcuments folders.  The backup operators can see the root folder, the subfolders for each user and can see that each user subfolder has a My Documents subfolder, but that's as far down the tree as I can go.

What am I missing ?

I realize that when setting up folder redirection there is another setting - to NOT 'Grant the User Exclusive Rights to My Documents' , but I'm not sure what the implications are for this setting.
Question by:Rockjodo
    LVL 15

    Expert Comment

    Ownership - if you have not taken ownership of the files and folders they will be owned by the creator, so you do not have permission to change permissions. :)

    You need to take ownership of everything, then repply the permissions.

    New files added after you do this will be owned by the creator, but it won't matter as they will inherit the permissions you assign now, so backups will still happen.

    Author Comment

    Doesn't group policy folder redirection need the network user to be the owner of his / her version of My Documents ?  

    In addition, it seems like every time GP folder redirection adds a new user I would have to manually go through the take owner for the new folder.  

    There must be a better  way ?
    LVL 15

    Expert Comment

    No, and no.

    Ownership is really only used to decide if you have permissions beyod those listed in the security tab. If you do not own something, but have full control over it you can do anything you want to that item, including stripping everyone of their rights and taking owership.

    If a new user is added the only action is to check that your new folder has the permissions you need down the track - full access for them, your backup group and system. Any new files will gain this permission regardless of who owns them.


    Author Comment

    I'm still having problems with this - maybe they're conceptual - but here's the story

    The administrators group owns the volume where user 'My Documents' are being redirected. (E:\) by group policy
    The administrators group also owns the root folder where user 'My Documents' are being redirected (\User_Documents)
    The administrators group has full control on the volumne and  the root folder.

    Now, everytime a domain user logs on to the network for the first time, Windows creates a folder for this user - as in
    E:\User_documents\Joe\My Documents

    Windows makes the domain user Joe the owner of 'Joe' and 'Joe\My Documents'

    If I understand your note correctly, the local adminstrator on the server where the redirected share is located needs to take ownership of the folder
    (E:\User_documents\Joe) and then apply the security settings that I want (i.e. allow the backup_group to read and write).  After I do this, do I turn ownership back to Joe ?

    This seems like a tedious process since we have quite a few users; so I suspect that I am missing something

    Thanks again for your help.

    LVL 15

    Expert Comment

    Yes, Yes, Yes to the first 3 statements.

    Yes to both the next, Folder is created, Joe is owner and sole rightholder, although system will be there, too (to allow backups)

    the local (or domain) admin will have permission to take ownership, but that is all. After taking over you can then apply permissions. I wouldn't bother changing the ownership back, as who owns it does not matter to the end user in this case.

    It is easier to grant full rights to \user documents then manually create the folder for the new user as it will inherit \user documents permission. Then you just add the user to the folder and they are good to go...

    Author Comment

    On your last sentence 'It is easier to grant full rights .....'  -  this seems to be the crux of the problem:

    The adminstrators group, and my new backup operators group alrady have full rights to \user documents, but when Windows creates the new users folder - John\My Documents - the adminstrators group, and my new backup operators group righs to R+W are not getting inherited by the new John\My Documents. I'm sorry to be dense about this

    Are you saying that if I manually create the folder for the user instead of letting group policy create the folder that the administators & backup operators will be able to R+W the folder contents without having to take ownership?

    LVL 15

    Accepted Solution

    Yep, exaclty.

    The creator of the folder is automatically its owner. If it's autocreated then it's not going to get the perms you need, the only way is by manually adding it, or going back later. It's a bummer...


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How to improve team productivity

    Quip adds documents, spreadsheets, and tasklists to your Slack experience
    - Elevate ideas to Quip docs
    - Share Quip docs in Slack
    - Get notified of changes to your docs
    - Available on iOS/Android/Desktop/Web
    - Online/Offline

    When bringing a new server on line, you may see an error that says: The Security System detected an authenticaton error for the server ldap/xxxxxxxt. The failure code from the authentication protocal Kerberos was "There are currently no logon se…
    So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
    Want to pick and choose which updates you receive? Feel free to check out this quick video on how to manage your email notifications.
    Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

    845 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    7 Experts available now in Live!

    Get 1:1 Help Now