Solved

W2K/XP Application Data folder when created by apps excludes administrator access

Posted on 2006-11-01
6
540 Views
Last Modified: 2013-12-04
We have 2 x W2K domain controllers, and XP and W2K workstations. We have a VBS script which creates new users + (empty) home dir from a text file. There is a GPO which redirects 'Application Data' to a subfolder of the home dir. The home dir allows the user and administrators full control. If a user creates a sub-directory, it correctly inherits these permissions. The problem is that apps (the first one run is usually Thunderbird) create 'Application Data\<whatever>' but with user full control, and administrators with no access. The result of this is that the folder doesn't get virus scanned, or backed up (?), and is difficult to delete when the user account is closed. (You have to grab ownership manually - scripts don't seem to handle it). Is there a way to make such subfolders inherit permissions? The only workround I can think of is to have a logoff script that fixes the permissions - not a very clever answer. Please help!
0
Comment
Question by:kmaynard
  • 2
  • 2
6 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17849594
Xcacls or Cacls can be used to create and set permissions on folders and ensure that subfolders will inherit the permissions.  There is a Xcacls.vbs script too
http://support.microsoft.com/kb/825751 Might also see if the GPO is correct or perhaps can set the permissions properly, I've not done GPO redirects...
http://www.google.com/search?hl=en&lr=&safe=off&q=site%3Amicrosoft.com+GPO+folder+redirect&btnG=Search (but I can search on them ;)
-rich
0
 

Author Comment

by:kmaynard
ID: 17854052
All user dirs are subfolders of 'Users' which has admiinistrator full control. The account creation script creates the user folder, and uses xcacls to give that user full permission. It inherits administrator:full from the parent 'Users' folder, and if I look at (say) Users\Fred, fred has full permission for administrators, and it says child objects will inherit this. If a user uses (say) Explorer to create a subfolder, it has the correct permissions.

The problem is that if an app (probably Thunderbird) creates a folder inside Users\Fred (eg Users\Fred\Application Data), then Application Data does NOT inherit administrators:full.

I will try creating Users\Fred\Application Data at account creation time, and see if that will fix it (for new users at least)
0
 

Author Comment

by:kmaynard
ID: 18220677
I think I have answered my own question. It was the GPO setting for Folder Redirection. For Application Data, I had 'Grant exclusive use' checked. I unchecked this, and it fixed the problem (including retrospectively for the hundreds of users with the wrong setting!)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18221177
Good to know, you can have the moderators PAQ and refund the points. Ask a question here: http://www.experts-exchange.com/Community_Support/
-rich
0
 

Accepted Solution

by:
RomMod earned 0 total points
ID: 18293817
Question closed - 250 points refunded.

Best regards,
RomMod
Experts Exchange
Community Support Moderator
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Has this user really been infected by Ransomware? 3 141
how to mitigate against $ theft from ATM machines 5 130
Group Policies review 1 90
Endpoint security products 4 61
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question