Solved

W2K/XP Application Data folder when created by apps excludes administrator access

Posted on 2006-11-01
6
539 Views
Last Modified: 2013-12-04
We have 2 x W2K domain controllers, and XP and W2K workstations. We have a VBS script which creates new users + (empty) home dir from a text file. There is a GPO which redirects 'Application Data' to a subfolder of the home dir. The home dir allows the user and administrators full control. If a user creates a sub-directory, it correctly inherits these permissions. The problem is that apps (the first one run is usually Thunderbird) create 'Application Data\<whatever>' but with user full control, and administrators with no access. The result of this is that the folder doesn't get virus scanned, or backed up (?), and is difficult to delete when the user account is closed. (You have to grab ownership manually - scripts don't seem to handle it). Is there a way to make such subfolders inherit permissions? The only workround I can think of is to have a logoff script that fixes the permissions - not a very clever answer. Please help!
0
Comment
Question by:kmaynard
  • 2
  • 2
6 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17849594
Xcacls or Cacls can be used to create and set permissions on folders and ensure that subfolders will inherit the permissions.  There is a Xcacls.vbs script too
http://support.microsoft.com/kb/825751 Might also see if the GPO is correct or perhaps can set the permissions properly, I've not done GPO redirects...
http://www.google.com/search?hl=en&lr=&safe=off&q=site%3Amicrosoft.com+GPO+folder+redirect&btnG=Search (but I can search on them ;)
-rich
0
 

Author Comment

by:kmaynard
ID: 17854052
All user dirs are subfolders of 'Users' which has admiinistrator full control. The account creation script creates the user folder, and uses xcacls to give that user full permission. It inherits administrator:full from the parent 'Users' folder, and if I look at (say) Users\Fred, fred has full permission for administrators, and it says child objects will inherit this. If a user uses (say) Explorer to create a subfolder, it has the correct permissions.

The problem is that if an app (probably Thunderbird) creates a folder inside Users\Fred (eg Users\Fred\Application Data), then Application Data does NOT inherit administrators:full.

I will try creating Users\Fred\Application Data at account creation time, and see if that will fix it (for new users at least)
0
 

Author Comment

by:kmaynard
ID: 18220677
I think I have answered my own question. It was the GPO setting for Folder Redirection. For Application Data, I had 'Grant exclusive use' checked. I unchecked this, and it fixed the problem (including retrospectively for the hundreds of users with the wrong setting!)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18221177
Good to know, you can have the moderators PAQ and refund the points. Ask a question here: http://www.experts-exchange.com/Community_Support/
-rich
0
 

Accepted Solution

by:
RomMod earned 0 total points
ID: 18293817
Question closed - 250 points refunded.

Best regards,
RomMod
Experts Exchange
Community Support Moderator
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows Folder Permissions 7 83
Cannot run application on Windows 10 client connected to Server 2012 r2. 5 50
Monitoring software... 2 52
Compromised PC? 17 171
Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now