Solved

Folder Redirection permissions vis-a-vis backup

Posted on 2008-10-13
3
418 Views
Last Modified: 2013-12-01
I am preparing a new server for a 25-user network. The current network uses a workgroup environment, so the project will involve joining all the workstation to the new domain without demotions or promotions being necessary. One objective is to utilize Folder Redirection of My Documents and Desktop folders to a share on the server in order to facilitate backup of the data files using Retrospect.

I have run into the permissions issues that are discussed, among other places, at http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22109789.html

In order to avoid the permissions glitches that result from Folder Redirection, I set up my test users using default settings which block Administrator's access to the contents of the user folders in the share. Then I used Microsoft Backup to create a backup of the files and folders. I was able to perform the backup without fiddling with permissions or ownership, and I was also able to restore the files and folders to alternate locations and then open the files as Administrator. I had been expecting the Backup program to be unable to access and backup the files within the user folders, because I had not changed the permissions from the restrictive defaults as advised by http://support.microsoft.com/kb/288991 (a procedure which does not seem to resolve the rights issues it addresses without additional tinkering with permissions).

My question is whether there might be caveats or concerns about the integrity and utility of backups made with Retrospect if I do not change the default premissions for the redirected folders. Specifically, I do not wish to be required to specify the user login to the user folder in the share in order to backup the data files and folders that the user creates as owner of the folder. And I would like for the Administrator to be allowed to retrieve files and folders from backup sets without any security problems that might carry over from the permissions settings of the user folders. The Microsoft Backup program allows the deselection of the option to restore security settings.

My next step is to test the backup after installing Retrospect, but I would appreciate any insights or recommendations from folks who have had experience with this scenario.

Many thanks.

 
0
Comment
Question by:wcsch
  • 2
3 Comments
 
LVL 63

Accepted Solution

by:
SysExpert earned 250 total points
ID: 22702571
The backup administrator and services should always be able to backup all data on a server.

That is how the permissions should be set up, and are probably default.


I hope this helps !
0
 

Author Comment

by:wcsch
ID: 22703609
Thank you for pointing out the distinction of backup administrator and services, as opposed to the user Administrator. This is good news operationally, but raises a concern pertaining to the security of sensitive documents. According to my test, a knowledgeable user could use Backup to gain access the private and sensitive files of another user: for example, the personnel records or financial spreadsheets. Must a user be in the Administrators group to run Backup? Retrospect has some builtin security tools, as I recall, to tighten security.
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 22703960
You need to limit who can be  a backup Admin based on your Corp. Security model. Usually it is just the Backup operators, and Admins, - and no one else., and this is usually close to the Default setup.

no one should be able to access your servers, and certainly not be able to run backups without the proper permissions.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is an update and follow-up of my previous article:   Storage 101: common concepts in the IT enterprise storage This time, I expand on more frequently used storage concepts.
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now