Folder redirection permission question

TSI-WLV asked
Last Modified: 2012-06-27
I'm playing with a test Windows Server 2003 domain controller with roaming profiles and folder redirection. I have a folder C:\Users\username where it stores the desktop and my documents contents etc. How do I set the permissions so that the users can only see what's in their folder when they browse the network? If I take permissions off of the Users folder then the files don't get copied to their username folder. But if I leave permissions as is on the Users folder then they can see each other's files.

Do I have to go to each username folder and change the permissions so that only that particular user can see his files? I would think you can do it all at once.

Author

Commented:
Also when I'm logged on to the server as administrator and go to the C:\Users\username folder I don't have permission to see what's in the folder or change the security unless I take ownership. Is that the way it is supposed to be? If I take ownership it seems to mess things up.

Author

Commented:
Same thing with the Profiles\username folders

Author

Commented:
I think I may have messed something up when playing with it. If I log on a new user that hasn't logged on yet it will make the username folder under Users and I can't access it when browsing as a different user, which is what I want.

I have 2 other users that I can view their folder contents while browsing (I was playing with those 2 users' permissions). I changed the permissions to match the user that can't be browsed but I can still see their files so I wonder what I'm missing?

Also when logged on as administrator locally on the server I still can't access the users files without taking control of the username folder. The administrator acct has full control under the security properties though. Is this normal?
Hypercat (Deb), President
CERTIFIED EXPERT

Commented:
As far as changing the permissions, try logging off and on again - sometimes permissions changes don't take effect immediately.  

What you said in your last paragraph doesn't make any sense.  If you are logged on to the server with the Administrator account, and that account has NTFS "full control" permissions to the folder, you should at least be able to open the folder.  You may not be able to go any further, though, if the individual files and/or folders at the lower levels are not inheriting their permissions. Did you check this?

Author

Commented:
It says I don't have permission to view or edit the permissions but can take ownership. I can open the Users folder and see the Desktop and My Documents folder but can't open them. Should I be able to open them if I have full control? There is NTFS full control applied to the Users folder. I can't see what's applied to the subfolders without taking ownership.
Hypercat (Deb), President
CERTIFIED EXPERT

Commented:
That sounds like what has happened is that you have permissions to the user's folder, but not to the Desktop or My Documents folders inside that folder.  That would be normal behavior, since the system will give only the user ownership and full control of the redirected folders.  You can change this, but it has to be manually and carefully.  If you need to have access as administrator to these folders, you would have to:

1.  Take ownership.
2.  Add the Administrator account or Domain Admins group to the security tab with full permissions.
3.  Change ownership back to the user's account.

Then you would be able to access the files/folders but the user would still be the owner which is necessary for folder redirection to work.
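
The three steps above, applied to every user folder under a share root, as an added example that is not part of the original thread. It assumes a newer server than the one in the question (PowerShell 3.0 or later, with `takeown` and `icacls` available), that each folder is named after the user's logon name, and that `CONTOSO` is a placeholder domain name.

```powershell
# Added example (not from the thread). Assumptions: each folder under $Root is
# named after the user's logon name; CONTOSO is a placeholder domain; the
# session is elevated so takeown/icacls can change owners.
function Grant-AdminAccessKeepOwner {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [Parameter(Mandatory = $true)][string]$Domain,
        [string]$AdminGroup = 'BUILTIN\Administrators'
    )
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $user = "$Domain\$($dir.Name)"

        # Skip folders that do not map to an account, so ownership is never
        # taken from a folder that cannot be handed back afterwards.
        try {
            $account = New-Object System.Security.Principal.NTAccount($user)
            [void]$account.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "No account $user; skipping $($dir.FullName)"
            continue
        }

        if (-not $PSCmdlet.ShouldProcess($dir.FullName,
                "grant $AdminGroup full control, keep owner $user")) { continue }

        # 1. Take ownership of the tree for the Administrators group (/A).
        takeown /F $dir.FullName /A /R /D Y | Out-Null
        # 2. Add an inheritable Full Control entry; existing entries are kept.
        icacls $dir.FullName /grant "${AdminGroup}:(OI)(CI)F" /T /C /Q | Out-Null
        # 3. Hand ownership back to the user, which folder redirection needs.
        icacls $dir.FullName /setowner $user /T /C /Q | Out-Null

        # Report the resulting owner so a folder left owned by the admin stands out.
        $owner = (Get-Acl -LiteralPath $dir.FullName).Owner
        [pscustomobject]@{
            Folder        = $dir.FullName
            Owner         = $owner
            OwnerRestored = ($owner -eq $user)
        }
    }
}

# Dry run first: lists what would change without touching any ACL.
# Grant-AdminAccessKeepOwner -Root 'C:\Users' -Domain 'CONTOSO' -WhatIf
```

Any row with `OwnerRestored` set to False is a folder whose owner is still not the user and needs a second look before that user logs on again.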

Author

Commented:
So here is where we are at.

I set a profile path, home directory mapped to a drive letter and folder redirection.

When I login a new user for the first time it makes the profile and home/username folders and the users cannot see each others documents. So that is good.

It maps my assigned drive letter to their home directory which is good too.

For one of the 2 users who has his files accessible to everyone, I deleted the username folder and had Windows recreate it when I logged him in. It didn't fix the permissions though. I suppose I can delete the account and start over but would like to know what happened to the permissions.

When logged in as admin locally on the server I can see the Users\username folders and their subfolders such as My Documents but cannot see the contents of My Documents unless I take ownership.
Hypercat (Deb), President
CERTIFIED EXPERT

Commented:
That's weird - I don't know why you would be having that permissions problem except that maybe there is some corruption in his profile.  I would try deleting his user folder again, and then also rename the local copy of his profile that is stored on his workstation (or wherever you are logging him on), so that won't interfere.  This will give him a completely new profile from scratch both locally and on the server.  See if the permissions are correct at that point.  Then, you can copy the documents and favorites or anything else you need to preserve from the old profile into the new profile, and the files will take on the security settings of the new set of profile folders.

Author

Commented:
I deleted one of the users' AD account, profile and users folders and then recreated the account. That solved the problem of other users being able to access his files. I would still like to know what the problem was. Deleting the local profile along with the server profile didn't help.

As for the administrator not being able to access the folders locally it was because the ownership of the Users and Profiles root folders was set to Administrator instead of AdministratorS.

Jay Jay70, I saw that article earlier this morning. It's a good one.
CERTIFIED EXPERT
Top Expert 2006

Commented:
Couldn't tell you why that happened like that, very odd that you would need to delete the user...

Author

Commented:
Now I'm getting a strange thing happening. If I make a new user acct, log it in and then out and check the Users\username folder on the server I can see the My Documents etc but can't access them. If I log in one of my existing accounts that hasn't been logged in yet I can access the My Documents folder just fine after logging off.

Also the accts that don't let me access them have My Pictures and My Music in the My Documents folder while the other accts don't have anything.

Author

Commented:
Also when I log in with an account in a different OU (Users OU) that doesn't have folder redirection or roaming profiles it does a sync when I log off. Is that normal? The accts with the roaming profiles and folder redirection are in their own OU.

Author

Commented:
I deleted all of the profiles and username folders and recreated everything and now it's working fine... for now.

In order to be able to access the Profiles\username folders I have to give the administrator acct ownership all the way down, then grant the admin acct full control access, then give the original user ownership all the way down again. ntbackup will back it up without having to do this but I can't copy and paste the folders without giving the admin acct permissions manually first.
CERTIFIED EXPERT
Top Expert 2006

Commented:
Yes, the ownership trick is fairly common when dealing with roaming profiles, I have had to use it a few times.

Author

Commented:
Since it's working now we can consider this done. Thanks for all the help!
CERTIFIED EXPERT
Top Expert 2006

Commented:
Excellent :)

Commented:
Did you have to delete the active directory user profiles or just the user folders?