Solved

Folder Redirection permissions vis-a-vis backup

Posted on 2008-10-13
3
419 Views
Last Modified: 2013-12-01
I am preparing a new server for a 25-user network. The current network uses a workgroup environment, so the project will involve joining all the workstation to the new domain without demotions or promotions being necessary. One objective is to utilize Folder Redirection of My Documents and Desktop folders to a share on the server in order to facilitate backup of the data files using Retrospect.

I have run into the permissions issues that are discussed, among other places, at http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22109789.html

In order to avoid the permissions glitches that result from Folder Redirection, I set up my test users using default settings which block Administrator's access to the contents of the user folders in the share. Then I used Microsoft Backup to create a backup of the files and folders. I was able to perform the backup without fiddling with permissions or ownership, and I was also able to restore the files and folders to alternate locations and then open the files as Administrator. I had been expecting the Backup program to be unable to access and backup the files within the user folders, because I had not changed the permissions from the restrictive defaults as advised by http://support.microsoft.com/kb/288991 (a procedure which does not seem to resolve the rights issues it addresses without additional tinkering with permissions).

My question is whether there might be caveats or concerns about the integrity and utility of backups made with Retrospect if I do not change the default premissions for the redirected folders. Specifically, I do not wish to be required to specify the user login to the user folder in the share in order to backup the data files and folders that the user creates as owner of the folder. And I would like for the Administrator to be allowed to retrieve files and folders from backup sets without any security problems that might carry over from the permissions settings of the user folders. The Microsoft Backup program allows the deselection of the option to restore security settings.

My next step is to test the backup after installing Retrospect, but I would appreciate any insights or recommendations from folks who have had experience with this scenario.

Many thanks.

 
0
Comment
Question by:wcsch
  • 2
3 Comments
 
LVL 63

Accepted Solution

by:
SysExpert earned 250 total points
ID: 22702571
The backup administrator and services should always be able to backup all data on a server.

That is how the permissions should be set up, and are probably default.


I hope this helps !
0
 

Author Comment

by:wcsch
ID: 22703609
Thank you for pointing out the distinction of backup administrator and services, as opposed to the user Administrator. This is good news operationally, but raises a concern pertaining to the security of sensitive documents. According to my test, a knowledgeable user could use Backup to gain access the private and sensitive files of another user: for example, the personnel records or financial spreadsheets. Must a user be in the Administrators group to run Backup? Retrospect has some builtin security tools, as I recall, to tighten security.
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 22703960
You need to limit who can be  a backup Admin based on your Corp. Security model. Usually it is just the Backup operators, and Admins, - and no one else., and this is usually close to the Default setup.

no one should be able to access your servers, and certainly not be able to run backups without the proper permissions.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question