Link to home
Start Free TrialLog in
Avatar of kmaynard
kmaynardFlag for New Zealand

asked on

W2K/XP Application Data folder when created by apps excludes administrator access

We have 2 x W2K domain controllers, and XP and W2K workstations. We have a VBS script which creates new users + (empty) home dir from a text file. There is a GPO which redirects 'Application Data' to a subfolder of the home dir. The home dir allows the user and administrators full control. If a user creates a sub-directory, it correctly inherits these permissions. The problem is that apps (the first one run is usually Thunderbird) create 'Application Data\<whatever>' but with user full control, and administrators with no access. The result of this is that the folder doesn't get virus scanned, or backed up (?), and is difficult to delete when the user account is closed. (You have to grab ownership manually - scripts don't seem to handle it). Is there a way to make such subfolders inherit permissions? The only workround I can think of is to have a logoff script that fixes the permissions - not a very clever answer. Please help!
Avatar of Rich Rumble
Rich Rumble
Flag of United States of America image
Xcacls or Cacls can be used to create and set permissions on folders and ensure that subfolders will inherit the permissions.  There is a Xcacls.vbs script too
http://support.microsoft.com/kb/825751 Might also see if the GPO is correct or perhaps can set the permissions properly, I've not done GPO redirects...
http://www.google.com/search?hl=en&lr=&safe=off&q=site%3Amicrosoft.com+GPO+folder+redirect&btnG=Search (but I can search on them ;)
-rich
Avatar of kmaynard
kmaynard
Flag of New Zealand image

ASKER

All user dirs are subfolders of 'Users' which has admiinistrator full control. The account creation script creates the user folder, and uses xcacls to give that user full permission. It inherits administrator:full from the parent 'Users' folder, and if I look at (say) Users\Fred, fred has full permission for administrators, and it says child objects will inherit this. If a user uses (say) Explorer to create a subfolder, it has the correct permissions.

The problem is that if an app (probably Thunderbird) creates a folder inside Users\Fred (eg Users\Fred\Application Data), then Application Data does NOT inherit administrators:full.

I will try creating Users\Fred\Application Data at account creation time, and see if that will fix it (for new users at least)
Avatar of kmaynard
kmaynard
Flag of New Zealand image

ASKER

I think I have answered my own question. It was the GPO setting for Folder Redirection. For Application Data, I had 'Grant exclusive use' checked. I unchecked this, and it fixed the problem (including retrospectively for the hundreds of users with the wrong setting!)
Avatar of Rich Rumble
Rich Rumble
Flag of United States of America image
Good to know, you can have the moderators PAQ and refund the points. Ask a question here: https://www.experts-exchange.com/Community_Support/
-rich
ASKER CERTIFIED SOLUTION
Avatar of RomMod
RomMod
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial