Solved

W2K/XP Application Data folder when created by apps excludes administrator access

Posted on 2006-11-01
6
538 Views
Last Modified: 2013-12-04
We have 2 x W2K domain controllers, and XP and W2K workstations. We have a VBS script which creates new users + (empty) home dir from a text file. There is a GPO which redirects 'Application Data' to a subfolder of the home dir. The home dir allows the user and administrators full control. If a user creates a sub-directory, it correctly inherits these permissions. The problem is that apps (the first one run is usually Thunderbird) create 'Application Data\<whatever>' but with user full control, and administrators with no access. The result of this is that the folder doesn't get virus scanned, or backed up (?), and is difficult to delete when the user account is closed. (You have to grab ownership manually - scripts don't seem to handle it). Is there a way to make such subfolders inherit permissions? The only workround I can think of is to have a logoff script that fixes the permissions - not a very clever answer. Please help!
0
Comment
Question by:kmaynard
  • 2
  • 2
6 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17849594
Xcacls or Cacls can be used to create and set permissions on folders and ensure that subfolders will inherit the permissions.  There is a Xcacls.vbs script too
http://support.microsoft.com/kb/825751 Might also see if the GPO is correct or perhaps can set the permissions properly, I've not done GPO redirects...
http://www.google.com/search?hl=en&lr=&safe=off&q=site%3Amicrosoft.com+GPO+folder+redirect&btnG=Search (but I can search on them ;)
-rich
0
 

Author Comment

by:kmaynard
ID: 17854052
All user dirs are subfolders of 'Users' which has admiinistrator full control. The account creation script creates the user folder, and uses xcacls to give that user full permission. It inherits administrator:full from the parent 'Users' folder, and if I look at (say) Users\Fred, fred has full permission for administrators, and it says child objects will inherit this. If a user uses (say) Explorer to create a subfolder, it has the correct permissions.

The problem is that if an app (probably Thunderbird) creates a folder inside Users\Fred (eg Users\Fred\Application Data), then Application Data does NOT inherit administrators:full.

I will try creating Users\Fred\Application Data at account creation time, and see if that will fix it (for new users at least)
0
 

Author Comment

by:kmaynard
ID: 18220677
I think I have answered my own question. It was the GPO setting for Folder Redirection. For Application Data, I had 'Grant exclusive use' checked. I unchecked this, and it fixed the problem (including retrospectively for the hundreds of users with the wrong setting!)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18221177
Good to know, you can have the moderators PAQ and refund the points. Ask a question here: http://www.experts-exchange.com/Community_Support/
-rich
0
 

Accepted Solution

by:
RomMod earned 0 total points
ID: 18293817
Question closed - 250 points refunded.

Best regards,
RomMod
Experts Exchange
Community Support Moderator
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now