Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 572
  • Last Modified:

W2K/XP Application Data folder when created by apps excludes administrator access

We have 2 x W2K domain controllers, and XP and W2K workstations. We have a VBS script which creates new users + (empty) home dir from a text file. There is a GPO which redirects 'Application Data' to a subfolder of the home dir. The home dir allows the user and administrators full control. If a user creates a sub-directory, it correctly inherits these permissions. The problem is that apps (the first one run is usually Thunderbird) create 'Application Data\<whatever>' but with user full control, and administrators with no access. The result of this is that the folder doesn't get virus scanned, or backed up (?), and is difficult to delete when the user account is closed. (You have to grab ownership manually - scripts don't seem to handle it). Is there a way to make such subfolders inherit permissions? The only workround I can think of is to have a logoff script that fixes the permissions - not a very clever answer. Please help!
0
kmaynard
Asked:
kmaynard
  • 2
  • 2
1 Solution
 
Rich RumbleSecurity SamuraiCommented:
Xcacls or Cacls can be used to create and set permissions on folders and ensure that subfolders will inherit the permissions.  There is a Xcacls.vbs script too
http://support.microsoft.com/kb/825751 Might also see if the GPO is correct or perhaps can set the permissions properly, I've not done GPO redirects...
http://www.google.com/search?hl=en&lr=&safe=off&q=site%3Amicrosoft.com+GPO+folder+redirect&btnG=Search (but I can search on them ;)
-rich
0
 
kmaynardAuthor Commented:
All user dirs are subfolders of 'Users' which has admiinistrator full control. The account creation script creates the user folder, and uses xcacls to give that user full permission. It inherits administrator:full from the parent 'Users' folder, and if I look at (say) Users\Fred, fred has full permission for administrators, and it says child objects will inherit this. If a user uses (say) Explorer to create a subfolder, it has the correct permissions.

The problem is that if an app (probably Thunderbird) creates a folder inside Users\Fred (eg Users\Fred\Application Data), then Application Data does NOT inherit administrators:full.

I will try creating Users\Fred\Application Data at account creation time, and see if that will fix it (for new users at least)
0
 
kmaynardAuthor Commented:
I think I have answered my own question. It was the GPO setting for Folder Redirection. For Application Data, I had 'Grant exclusive use' checked. I unchecked this, and it fixed the problem (including retrospectively for the hundreds of users with the wrong setting!)
0
 
Rich RumbleSecurity SamuraiCommented:
Good to know, you can have the moderators PAQ and refund the points. Ask a question here: http://www.experts-exchange.com/Community_Support/
-rich
0
 
RomModCommented:
Question closed - 250 points refunded.

Best regards,
RomMod
Experts Exchange
Community Support Moderator
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now