Solved

Reapplying Correct NTFS Folder Permissions to Redirected Folders

Posted on 2010-09-14
Last Modified: 2012-05-10
Hello,

I have been hard pressed to find an answer to this question, despite many hours of web searching.

We have the following situation.  We have a file server running Windows Server 2003 SP2, which happens to also be the location for our redirected user folders (i.e. Application Data, Desktop, and My Documents).  On the D: of this server is a folder UserData which is shared and contains a subfolder for each user, which in turn contains their redirected folders.  So for the user swolf we have D:\UserData\swolf.  

It was set up in such a way that when a user first logs in and creates their user folder the appropriate ownership and permissions are applied to their subsequent redirected folders (My Documents, Application Data, Desktop).  However, as of yesterday the ownership and permissions of each user's folder have gone missing and we have still not located the reason.  However, right now, no one owns their folders and has permission to them.

Therefore, is there a way to propagate permissions to each of these 100 folders or so by setting appropriate permissions on each user folder or even the root folder of UserData?  Otherwise we will have to go into each user manually and reapply correct permissions, which will take forever.

Basically each user folder needs to be owned by user, and have full control for Admins, user, creator owner, and system, but I haven't been able to find any way of setting and propagating permissions.

Any suggestions on getting us back up and running are greatly appreciated!  We have just begun to experience a slew of problems related to folder permissions and I know many more are to come...
Question by:LGsupport
LVL 4

Accepted Solution

by:
jlar310 earned 500 total points
ID: 33673903
At the very least, you will have to manually set the owner for each folder. Maybe some VBscript can do it based on the folder name, but that's another issue. As for the permissions, we use the following for the root folder for redirection (after removing inherited permissions).

Administrators Group - Full Control - This folder, subfolders and files
SYSTEM - Full Control - This folder, subfolders and files
CREATOR OWNER - Full Control - Subfolders and files only
Authenticated Users - Read Attributes - This folder only
Authenticated Users - Read Extended Attributes - This folder only
Authenticated Users - Create Folders / Append Data - This folder only
Authenticated Users - Read Permissions - This folder only

This setup has the added benefit of allowing administrators access to the user files as long as you deselect the "Grant exclusive rights" checkbox in the redirection GPO.

Try setting those permissions at the top level, and the owner on each top-level user folder. You may need to force propagation for each top-level user folder, but that should be manageable. Remember, you need to close the properties dialog and re-open it after changing the owner.
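
The procedure in the accepted solution, scripted as an added example (not code from the thread): it applies the listed root ACL, then sets the owner and an explicit Full Control grant on each user folder, taking the account name from the folder name. The `EXAMPLE` domain, the `-Apply` switch and the `Resolve-Account` helper are assumptions made here, and the script assumes an `icacls` build that supports `/setowner` and `/inheritance`.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the file server.
param(
    [string]$Root   = 'D:\UserData',   # path from the question
    [string]$Domain = 'EXAMPLE',       # placeholder: your NetBIOS domain name
    [switch]$Apply                     # without -Apply the script only reports
)

function Resolve-Account([string]$Name) {
    # Hypothetical helper: returns the SID if DOMAIN\Name exists, otherwise $null.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Domain, $Name)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch { return $null }
}

if ($Apply) {
    # Root ACL as listed in the accepted solution. No (OI)/(CI) flags on the
    # Authenticated Users entry means "This folder only".
    icacls $Root /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' `
                        'CREATOR OWNER:(OI)(CI)(IO)F' `
                        'Authenticated Users:(RA,REA,AD,RC)'
    # Then drop whatever was inherited from D:\ so only explicit entries remain.
    icacls $Root /inheritance:r
}

# PowerShell 2.0 compatible: filter directories with PSIsContainer.
Get-ChildItem $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $account = "$Domain\$($_.Name)"
    if (-not (Resolve-Account $_.Name)) {
        # Folder name does not map to an account: leave it for manual review.
        Write-Warning "SKIP $($_.FullName): no account $account"
        return
    }
    if (-not $Apply) { "WOULD fix $($_.FullName) for $account"; return }

    icacls $_.FullName /setowner $account /T /C /Q      # owner on the whole tree
    icacls $_.FullName /reset /T /C /Q                  # drop stale ACEs, re-inherit from root
    icacls $_.FullName /grant "${account}:(OI)(CI)F" /Q # explicit Full Control for the user
}
```

Run it once without `-Apply` and review both the matched and the skipped folders, since any folder whose name happens to match an account will be handed to that account. Check the result on one folder with `icacls <folder>` before trusting it across all of them.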




Author Comment

by:LGsupport
ID: 33674261
Thanks for the advice, this is somewhat on par with what I figured I would have to do.  Just wanted to make sure I'm on the same page.

So I would want to disable inheritance on UserData (i.e. no permissions received from D:)?  Then set up the permissions you have specified above manually on the UserData folder.

Then I would set owner on each top level user folder to the user themselves then close out.  Then I would go back in and propagate permissions on the top level user folders?

Also, had one quick question for you on the permissions you listed above.  If I understand correctly the authenticated user permissions will only be applied to the UserData folder and no subfolders, correct?  Is this so that new users can create a new top level folder?  I was concerned at first because it looked like any authenticated user would be able to gain access to other users' desktop, my docs, etc., but I am guessing the authenticated users permissions are so that new AD users can create a redirected folder on first login?

LVL 4

Expert Comment

by:jlar310
ID: 33674691
Yes, it seems you understand the process.  Good luck, I'm not 100% sure it's going to work, but I think it's as close as you are going to get without restoring from a backup or writing some vbscript.

Yes, the "Authenticated User" permission is just for new users to be able to create a new folder tree for their account in the UserData folder. Because the "Authenticated User" permissions are "This folder only", they should not propagate to the user sub-folders.

As with all advice given by strangers on the internet, proceed with caution.