?
Solved

Folder Redirection permissions vis-a-vis backup

Posted on 2008-10-13
3
Medium Priority
?
429 Views
Last Modified: 2013-12-01
I am preparing a new server for a 25-user network. The current network uses a workgroup environment, so the project will involve joining all the workstation to the new domain without demotions or promotions being necessary. One objective is to utilize Folder Redirection of My Documents and Desktop folders to a share on the server in order to facilitate backup of the data files using Retrospect.

I have run into the permissions issues that are discussed, among other places, at http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22109789.html

In order to avoid the permissions glitches that result from Folder Redirection, I set up my test users using default settings which block Administrator's access to the contents of the user folders in the share. Then I used Microsoft Backup to create a backup of the files and folders. I was able to perform the backup without fiddling with permissions or ownership, and I was also able to restore the files and folders to alternate locations and then open the files as Administrator. I had been expecting the Backup program to be unable to access and backup the files within the user folders, because I had not changed the permissions from the restrictive defaults as advised by http://support.microsoft.com/kb/288991 (a procedure which does not seem to resolve the rights issues it addresses without additional tinkering with permissions).

My question is whether there might be caveats or concerns about the integrity and utility of backups made with Retrospect if I do not change the default premissions for the redirected folders. Specifically, I do not wish to be required to specify the user login to the user folder in the share in order to backup the data files and folders that the user creates as owner of the folder. And I would like for the Administrator to be allowed to retrieve files and folders from backup sets without any security problems that might carry over from the permissions settings of the user folders. The Microsoft Backup program allows the deselection of the option to restore security settings.

My next step is to test the backup after installing Retrospect, but I would appreciate any insights or recommendations from folks who have had experience with this scenario.

Many thanks.

 
0
Comment
Question by:wcsch
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 63

Accepted Solution

by:
SysExpert earned 1000 total points
ID: 22702571
The backup administrator and services should always be able to backup all data on a server.

That is how the permissions should be set up, and are probably default.


I hope this helps !
0
 

Author Comment

by:wcsch
ID: 22703609
Thank you for pointing out the distinction of backup administrator and services, as opposed to the user Administrator. This is good news operationally, but raises a concern pertaining to the security of sensitive documents. According to my test, a knowledgeable user could use Backup to gain access the private and sensitive files of another user: for example, the personnel records or financial spreadsheets. Must a user be in the Administrators group to run Backup? Retrospect has some builtin security tools, as I recall, to tighten security.
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 22703960
You need to limit who can be  a backup Admin based on your Corp. Security model. Usually it is just the Backup operators, and Admins, - and no one else., and this is usually close to the Default setup.

no one should be able to access your servers, and certainly not be able to run backups without the proper permissions.
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question