Solved

Folder Redirection - root folder permissions

Posted on 2008-10-28
6
806 Views
Last Modified: 2012-08-13
Hello,

I have one question I'd like to discuss with the experts.
I'm implementing the folder redirection using group policies for one of my customers. Something what I've done many times before.
But what never came to my mind - the customer complains, that if I set the root folder permissions as they are required (Users - List Folders/ Read Data, Create folders / Append Data - for this folder only), the users will be able to create a new subfolders in the root folder manually - which the customer wants to prevent.

Can anybody help me with justification of this fact? I mean - does it really matter when users are allowed to create some unwanted folders? Or is there a kind of workaround, that would work the way that there will be created only folders required by group policy and user will not be able to create some additional ones? (on the same level, eg. there are folders like jsmith, abrown, jdoe...and on the same level could appear a new folders created manually by users).

Any advice would be appreciated.
TIA
Martin
0
Comment
Question by:martin_babarik
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 22827651
I cannot see any justification in not allowing users to create folders within their own root folder - indeed it should be encouraged to that users can organise their data more efficiently.
0
 
LVL 13

Author Comment

by:martin_babarik
ID: 22829291
Hi KCTS,

not sure if I made myself clear. Of course users are allowed to create subfolders in \\server\userdata\%username%\
But the customer doesn't want the users to create sufolders in \\server\userdata
If I don't use the default folder creation by folder redirection policy, it would mean that the admins will have to create user folders manualy and also set the permissions manually, which IMO gives a huge amount for human errors.
Thank you.
Martin
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22829379
You should not normally need to creat folders manually at the root - the folder re-direction polict wii do this - and set the  permissions automatically to give the new user access to their own folder
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 13

Author Comment

by:martin_babarik
ID: 22829582
Yes, that's what I'm talking about:) But if I leave the folder creation on GP, I will have to rely on the root folder permissions thus allowing users to create new folders on the same level where their personal folders are.
I can prevent by using more strict ntfs permissions on the user folders root folder not allowing users to create new folders here - but in this scenario the GP folder creation will not work and I'd have to create each user personal folder manually - which doesn't seem to be very clear and correct solution for me.
0
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 500 total points
ID: 22858032
The permissions nead to let the user create folder to let the GPO create the folder, or you'll get the extra admin work to pre-create each user's folder with the correct permissions set.

If not wanting to let users create their own folders in the share, it might work to revoke the list folder permission on the parent folder. Not sure if it works when the requirement list states that the user shall be granted list access, but it's worth a try...

To be sure that the users don't use "md \\server\userdata\MyOwnFolder", you nead to revoke the folder creation right from the users and automate the folder creation with a scheduled script that also sets the correct permissions on the folder.
http://technet.microsoft.com/en-us/library/cc775853.aspx
0
 
LVL 13

Author Closing Comment

by:martin_babarik
ID: 31510685
Thank you for the advice. There doesn't exist a simple solution to meet the customer's needs, so I guess I will choose the direction with scripted folder creation, eventhough I don't like it much.
Martin
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question