?
Solved

Administrator access to redirected folders on Windows Server 2008

Posted on 2009-12-30
11
Medium Priority
?
2,249 Views
Last Modified: 2012-06-27
Hello -
I have successfully setup folder redirection from a Windows 7 client to a Windows Server 2008.  I can log into any computer and all of my desktop icons, My Documents and favorites are there.  I currently have about 10 of us here in the shop that are setup this way.  My concern is that I don't have any access to the users folders on the network drive.  I am the network administrator and when a user quits the department I am asked to burn the users data to a DVD and give it to the supervisor.  I have figured out that I can grant myself ownership of the folder and that will allow me access to the users data.  At the same time it takes away acces to the folder for the user.  I need a way to have full access to the folder and not interupt the access that the user has.  When I try to access the users folder I get the two screens that are attached.  According to what I see in the security settings the network admin group has full access to the folder so I see no reason why I don't have access.  

Any ideas?  Thank you!
denied.jpg
denied1.jpg
0
Comment
Question by:MO_ITSD
  • 5
  • 3
  • 3
11 Comments
 
LVL 11

Expert Comment

by:nordtorp
ID: 26148094
Couldn't you just add yourself to the access list and then give the ownership back to the user?

Short and maybe stupid question, but I had to ask.
0
 

Author Comment

by:MO_ITSD
ID: 26148102
I thought that it would be that easy, but it didn't work.  I have full access to the folders according to the security settings.
0
 
LVL 11

Expert Comment

by:nordtorp
ID: 26148129
What if you give the Domain Users group ownership. That would give both you and the user ownership.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:MO_ITSD
ID: 26148167
This is what I just found out. I did check the box "Allow the user exclusive rights" when I setup the GPO. I went into the GPO again and unchecked that option and tried to change the security settings allowing the Creator/Owner access along with the network administrator and I keep getting access denied??? How do I get access to make the security changes on the current folders that have already been created?

It is incredibly useful to allow a data custodian the ability to maintain certain departments, as well as allowing the owners (end-users in the case of folder redirection) full access.

If you don't specify "Allow the user exclusive rights", one way to solve this problem is to use "Creator/Owner" with full control as an inheritable permission at the root where the user's folders are being created. Then, you can append an additional Security Group with specific access to maintain the folders from the technical end.

This way, as the user creates files, they automatically have the correct access to them without having to add each user to their 'home' folder's permissions - or, in the case of "Grant the user exclusive rights", it automatically gives the users rights but with their actual account in the ACL (and the folders won't inherit anything!).

Another note - you can always take ownership of a My Documents or Desktop that's redirected if you have sufficient domain privileges - if the "Exclusive Rights" thing seemed like a good idea at one point in time. In the case where you need to obtain information (termed employee had documents and their manager wants them, but doesn't want to bother with logging onto their account), you can take ownership of the directory and re-configure permissions after you do the necessary legwork.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 26148609
Yes, it's the effect of 'Grant users exclusive rights' option is selected by default in the redirection policy. Untick the option to have it unselected when it's applied in the future to let NTFS permissions configured on parent folder grant admins access to the folder.

To fix the previously affected user folders, use subinacl.exe command to grant the access to the folder structure.
subinacl /subdirectories "C:\path\to\parent\folder" /grant=administrators=F

subinacl.exe is downloadable resourcekit tool
http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en
0
 

Author Comment

by:MO_ITSD
ID: 26148874
henjoh09 - I tried just what you posted and got the following error....

SeSecurityPrivilege : Access is denied.

WARNING :Unable to set SeSecurityPrivilege privilege. This privilege may be required.
e:\DIFP_User_Data - CreateFile Error : 1314 A required privilege is not held by the client.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 26152911
When using Win2008/Vista/Win7, you nead to use a admin elevated command prompt (right-click shortcut in startmenu -> run as administrator)
0
 

Author Comment

by:MO_ITSD
ID: 26155992
ok, I did just that and it appeared to work.  Do I need to reboot the server for the changes to take effect?  I got the below screen when running the file.  I am not logged in with a built-in administrator account.  Should that make a difference?  I tried to open the users data folder and still do not have access.  Thank U for your help!!
Capture.JPG
0
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 2000 total points
ID: 26156489
No, file permissions are affected when applied to filesystem without nead for reboot.
In the screenshot, it looks like it did only process the parent folder without processing the subfolders.
As the folder redirection with grant users exclusive rights to the folder has broken the inheritance from the parent, it will not have any effect if not processing the subfolders.
Use the command against e:\DIFF_User_Data\* instead of the parent folder.

subinacl /subdirectories e:\DIFF_USER_Data\* /grant=administrators=F
0
 

Author Closing Comment

by:MO_ITSD
ID: 31671334
Awesome!  Thank you very much to take the time to help me with this.  It is people like you that help make Experts-Exchange a great place for IT resources.  Have a Happy New Year!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Assume you have an outside contractor who comes in seasonally or once a week to do some work in your office, but you only want to give him access to the programs and files he needs and keep all other documents and programs private. Can you do this o…
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Suggested Courses

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question