Solved

Folder Redirection permissions vis-a-vis backup

Posted on 2008-10-13
3
417 Views
Last Modified: 2013-12-01
I am preparing a new server for a 25-user network. The current network uses a workgroup environment, so the project will involve joining all the workstation to the new domain without demotions or promotions being necessary. One objective is to utilize Folder Redirection of My Documents and Desktop folders to a share on the server in order to facilitate backup of the data files using Retrospect.

I have run into the permissions issues that are discussed, among other places, at http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22109789.html

In order to avoid the permissions glitches that result from Folder Redirection, I set up my test users using default settings which block Administrator's access to the contents of the user folders in the share. Then I used Microsoft Backup to create a backup of the files and folders. I was able to perform the backup without fiddling with permissions or ownership, and I was also able to restore the files and folders to alternate locations and then open the files as Administrator. I had been expecting the Backup program to be unable to access and backup the files within the user folders, because I had not changed the permissions from the restrictive defaults as advised by http://support.microsoft.com/kb/288991 (a procedure which does not seem to resolve the rights issues it addresses without additional tinkering with permissions).

My question is whether there might be caveats or concerns about the integrity and utility of backups made with Retrospect if I do not change the default premissions for the redirected folders. Specifically, I do not wish to be required to specify the user login to the user folder in the share in order to backup the data files and folders that the user creates as owner of the folder. And I would like for the Administrator to be allowed to retrieve files and folders from backup sets without any security problems that might carry over from the permissions settings of the user folders. The Microsoft Backup program allows the deselection of the option to restore security settings.

My next step is to test the backup after installing Retrospect, but I would appreciate any insights or recommendations from folks who have had experience with this scenario.

Many thanks.

 
0
Comment
Question by:wcsch
  • 2
3 Comments
 
LVL 63

Accepted Solution

by:
SysExpert earned 250 total points
ID: 22702571
The backup administrator and services should always be able to backup all data on a server.

That is how the permissions should be set up, and are probably default.


I hope this helps !
0
 

Author Comment

by:wcsch
ID: 22703609
Thank you for pointing out the distinction of backup administrator and services, as opposed to the user Administrator. This is good news operationally, but raises a concern pertaining to the security of sensitive documents. According to my test, a knowledgeable user could use Backup to gain access the private and sensitive files of another user: for example, the personnel records or financial spreadsheets. Must a user be in the Administrators group to run Backup? Retrospect has some builtin security tools, as I recall, to tighten security.
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 22703960
You need to limit who can be  a backup Admin based on your Corp. Security model. Usually it is just the Backup operators, and Admins, - and no one else., and this is usually close to the Default setup.

no one should be able to access your servers, and certainly not be able to run backups without the proper permissions.
0

Join & Write a Comment

Suggested Solutions

How to update Firmware and Bios in Dell Equalogic PS6000 Arrays and Hard Disks firmware update.
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now