MO_ITSD asked:

Administrator access to redirected folders on Windows Server 2008

Hello -
I have successfully set up folder redirection from a Windows 7 client to a Windows Server 2008.  I can log into any computer and all of my desktop icons, My Documents and favorites are there.  I currently have about 10 of us here in the shop that are set up this way.  My concern is that I don't have any access to the users' folders on the network drive.  I am the network administrator and when a user quits the department I am asked to burn the user's data to a DVD and give it to the supervisor.  I have figured out that I can grant myself ownership of the folder and that will allow me access to the user's data.  At the same time it takes away access to the folder for the user.  I need a way to have full access to the folder and not interrupt the access that the user has.  When I try to access the user's folder I get the two screens that are attached.  According to what I see in the security settings the network admin group has full access to the folder so I see no reason why I don't have access.

Any ideas?  Thank you!
denied.jpg
denied1.jpg
nordtorp

Couldn't you just add yourself to the access list and then give the ownership back to the user?

Short and maybe stupid question, but I had to ask.
MO_ITSD (ASKER)

I thought that it would be that easy, but it didn't work.  I have full access to the folders according to the security settings.

What if you give the Domain Users group ownership? That would give both you and the user ownership.
MO_ITSD (ASKER)

This is what I just found out. I did check the box "Allow the user exclusive rights" when I set up the GPO. I went into the GPO again and unchecked that option and tried to change the security settings allowing the Creator/Owner access along with the network administrator and I keep getting access denied??? How do I get access to make the security changes on the current folders that have already been created?

It is incredibly useful to allow a data custodian the ability to maintain certain departments, as well as allowing the owners (end-users in the case of folder redirection) full access.

If you don't specify "Allow the user exclusive rights", one way to solve this problem is to use "Creator/Owner" with full control as an inheritable permission at the root where the user's folders are being created. Then, you can append an additional Security Group with specific access to maintain the folders from the technical end.

This way, as the user creates files, they automatically have the correct access to them without having to add each user to their 'home' folder's permissions - or, in the case of "Grant the user exclusive rights", it automatically gives the users rights but with their actual account in the ACL (and the folders won't inherit anything!).

Another note - you can always take ownership of a My Documents or Desktop that's redirected if you have sufficient domain privileges - if the "Exclusive Rights" thing seemed like a good idea at one point in time. In the case where you need to obtain information (termed employee had documents and their manager wants them, but doesn't want to bother with logging onto their account), you can take ownership of the directory and re-configure permissions after you do the necessary legwork.

Yes, it's the effect of the 'Grant users exclusive rights' option, which is selected by default in the redirection policy. Untick the option so that it is unselected when the policy is applied in the future, letting the NTFS permissions configured on the parent folder grant admins access to the folder.

To fix the previously affected user folders, use the subinacl.exe command to grant access to the folder structure.
subinacl /subdirectories "C:\path\to\parent\folder" /grant=administrators=F

subinacl.exe is a downloadable Resource Kit tool:
http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en
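
The two answers above describe a root ACL (Creator/Owner plus a maintenance security group, both inheritable) and a repair for folders already created with exclusive rights. The following PowerShell is an added example, not code posted in the thread: it applies that root ACL and then reports which existing user folders still lack an administrator entry, so the subinacl repair can be checked folder by folder. The path E:\RedirectedFolders and the group CONTOSO\FolderAdmins are hypothetical, and it assumes users can already create their own folder under the root.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell 2.0+ prompt.
# $Root and $AdminGroup are hypothetical values; substitute your own.
$Root       = 'E:\RedirectedFolders'
$AdminGroup = 'CONTOSO\FolderAdmins'
$FullMask   = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function New-FullControlRule($Identity, $Propagation) {
    # Allow Full Control, inheritable by subfolders and files.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, 'FullControl', 'ContainerInherit,ObjectInherit', $Propagation, 'Allow'
}

function Set-RootAcl {
    $acl = Get-Acl -Path $Root
    # CREATOR OWNER: applies to subfolders and files only, not to the root itself.
    $acl.AddAccessRule((New-FullControlRule 'CREATOR OWNER' 'InheritOnly'))
    # Maintenance group: applies to the root, subfolders and files.
    $acl.AddAccessRule((New-FullControlRule $AdminGroup 'None'))
    Set-Acl -Path $Root -AclObject $acl
}

function Get-UserFolderAclStatus {
    Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $dir = $_
        $owner = $null
        try {
            $acl   = Get-Acl -Path $dir.FullName -ErrorAction Stop
            $owner = $acl.Owner
            $adminAce = @($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $AdminGroup -and
                $_.AccessControlType -eq 'Allow' -and
                ([int]$_.FileSystemRights -band $FullMask) -eq $FullMask })
            if ($adminAce.Count -gt 0)            { $status = 'OK' }
            elseif ($acl.AreAccessRulesProtected) { $status = 'Inheritance blocked, no admin ACE' }
            else                                  { $status = 'No admin ACE' }
        } catch {
            # Folders created with exclusive rights typically land here:
            # the administrator cannot even read the ACL.
            $status = 'ACL unreadable (access denied)'
        }
        New-Object PSObject -Property @{ Folder = $dir.FullName; Owner = $owner; Status = $status }
    }
}

Set-RootAcl
Get-UserFolderAclStatus | Format-Table Folder, Owner, Status -AutoSize
```

Folders reported as anything other than OK are the ones the root ACL cannot reach through inheritance; the Owner column shows whether the user still owns a folder after it has been repaired.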
MO_ITSD (ASKER)

henjoh09 - I tried just what you posted and got the following error....

SeSecurityPrivilege : Access is denied.

WARNING :Unable to set SeSecurityPrivilege privilege. This privilege may be required.
e:\DIFP_User_Data - CreateFile Error : 1314 A required privilege is not held by the client.

When using Win2008/Vista/Win7, you need to use an admin-elevated command prompt (right-click the shortcut in the Start menu -> Run as administrator).
MO_ITSD (ASKER)

OK, I did just that and it appeared to work.  Do I need to reboot the server for the changes to take effect?  I got the below screen when running the file.  I am not logged in with a built-in administrator account.  Should that make a difference?  I tried to open the user's data folder and still do not have access.  Thank you for your help!!
Capture.JPG
ASKER CERTIFIED SOLUTION
Henrik Johansson

This solution is only available to members.
MO_ITSD (ASKER)

Awesome!  Thank you very much for taking the time to help me with this.  It is people like you that help make Experts-Exchange a great place for IT resources.  Have a Happy New Year!