Solved

Reapplying Correct NTFS Folder Permissions to Redirected Folders

Posted on 2010-09-14
Last Modified: 2012-05-10
Hello,

I have been hard pressed to find an answer to this question, despite many hours of web searching.

We have the following situation.  We have a file server running Windows Server 2003 SP2, which happens to also be the location for our redirected user folders (i.e. Application Data, Desktop, and My Documents).  On the D: of this server is a folder UserData which is shared and contains a subfolder for each user, which in turn contains their redirected folders.  So for the user swolf we have D:\UserData\swolf.  

It was set up in such a way that when a user first logs in and creates their user folder the appropriate ownership and permissions are applied to their subsequent redirected folders (My Documents, Application Data, Desktop).  However, as of yesterday the ownership of permissions of each user's folder have gone missing and we have still not located the reason.  However right now, no one owns their folders and has permission to them.

Therefore, is there a way to propagate permissions to each of these 100 folders or so by setting appropriate permissions on each user folder or even the root folder of UserData?  Otherwise we will have to go into each user manually and reapply correct permissions, which will take forever.

Basically each user folder needs to be owned by user, and have full control for Admins, user, creator owner, and system, but I haven't been able to find any way of setting and propagating permissions.

Any suggestions on getting us back up and running are greatly appreciated!  We have just begun to experience a slew of problems related to folder permissions and I know many more are to come...
Question by:LGsupport

Accepted Solution

by:
jlar310 earned 2000 total points
ID: 33673903
At the very least, you will have to manually set the owner for each folder. Maybe some VBscript can do it based on the folder name, but that's another issue. As for the permissions, we use the following for the root folder for redirection (after removing inherited permissions).

Administrators Group - Full Control - This folder, subfolders and files
SYSTEM - Full Control - This folder, subfolders and files
CREATOR OWNER - Full Control - Subfolders and files only
Authenticated Users - Read Attributes - This folder only
Authenticated Users - Read Extended Attributes - This folder only
Authenticated Users - Create Folders / Append Data - This folder only
Authenticated Users - Read Permissions - This folder only

This setup has the added benefit of allowing administrators access to the user files as long as you deselect the "Grant exclusive rights" checkbox in the redirection GPO.

Try setting those permissions at the top level, and the owner on each top-level user folder. You may need to force propagation for each top-level user folder, but that should be manageable. Remember, you need to close the properties dialog and re-open it after changing the owner.



0
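
A scripted form of the steps in the accepted answer, as an added example that is not part of the thread: it rebuilds the root ACL listed above, then sets each user folder's owner from the folder name and forces propagation. The `New-Rule` helper, the `-Apply` switch and the `EXAMPLE` domain are hypothetical names introduced here; it assumes PowerShell and `icacls.exe` are available on the server and that folder names match logon names.

```powershell
# Added example, not from the thread. Assumptions: PowerShell and icacls.exe are
# present on the file server, the session is elevated and can already read and
# write these ACLs, each folder under the root is named after the user's logon
# name, and EXAMPLE is a placeholder domain name.
param(
    [string]$Root   = 'D:\UserData',
    [string]$Domain = 'EXAMPLE',
    [switch]$Apply   # without -Apply the script only prints what it would do
)

function New-Rule($who, $rights, $inherit, $propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($who, $rights, $inherit, $propagate, 'Allow')
}

$all    = 'ContainerInherit,ObjectInherit'   # this folder, subfolders and files
$create = 'ReadAttributes,ReadExtendedAttributes,CreateDirectories,ReadPermissions'
$rules  = @(
    (New-Rule 'BUILTIN\Administrators' 'FullControl' $all 'None'),
    (New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl' $all 'None'),
    (New-Rule 'CREATOR OWNER' 'FullControl' $all 'InheritOnly'),        # subfolders and files only
    (New-Rule 'NT AUTHORITY\Authenticated Users' $create 'None' 'None') # this folder only
)

# Root folder: stop inheriting from D:\, drop the existing ACEs, add the listed ones.
$acl = (Get-Item $Root).GetAccessControl('Access')
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$rules | ForEach-Object { $acl.AddAccessRule($_) }
if ($Apply) { (Get-Item $Root).SetAccessControl($acl) }

foreach ($dir in Get-ChildItem $Root | Where-Object { $_.PSIsContainer }) {
    $account = New-Object System.Security.Principal.NTAccount($Domain, $dir.Name)
    # Never hand ownership to a name that does not resolve to a real account.
    try   { [void]$account.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { Write-Warning "Skipping $($dir.FullName): $account does not resolve"; continue }
    "{0} -> owner {1}" -f $dir.FullName, $account
    if (-not $Apply) { continue }
    # Owner first, then force propagation from the root, in the order the answer gives.
    # /reset discards explicit ACEs in the subtree and leaves only inherited ones.
    icacls $dir.FullName /setowner $account.Value /T /C /Q
    icacls $dir.FullName /reset /T /C /Q
}
```

Run it without `-Apply` first and review the printed folder-to-owner mapping and any skipped folders before making changes.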
 

Author Comment

by:LGsupport
ID: 33674261
Thanks for the advice, this is somewhat on par with what I figured I would have to do.  Just wanted to make sure I'm on the same page.

So I would want to disable inheritance on UserData (i.e. no permissions received from D:)?  Then set up the permissions you have specified above manually on the UserData folder.

Then I would set owner on each top level user folder to the user themselves then close out.  Then I would go back in and propagate permissions on the top level user folders?

Also, had one quick question for you on the permissions you listed above.  If I understand correctly the authenticated user permissions will only be applied to the UserData folder and no subfolders, correct?  Is this so that new users can create a new top level folder?  I was concerned at first because it looked like any authenticated user would be able to gain access to other users' desktop, my docs, etc., but I am guessing the authenticated users permissions are so that new AD users can create a redirected folder on first login?


Expert Comment

by:jlar310
ID: 33674691
Yes, it seems you understand the process.  Good luck, I'm not 100% sure it's going to work, but I think it's as close as you are going to get without restoring from a backup or writing some vbscript.

Yes, the "Authenticated User" permission is just for new users to be able to create a new folder tree for their account in the UserData folder. Because the "Authenticated User" permissions are "This folder only", they should not propagate to the user sub-folders.

As with all advice given by strangers on the internet, proceed with caution.