Solved

Reapplying Correct NTFS Folder Permissions to Redirected Folders

Posted on 2010-09-14
Last Modified: 2012-05-10
Hello,

I have been hard pressed to find an answer to this question, despite many hours of web searching.

We have the following situation.  We have a file server running Windows Server 2003 SP2, which happens to also be the location for our redirected user folders (i.e. Application Data, Desktop, and My Documents).  On the D: of this server is a folder UserData which is shared and contains a subfolder for each user, which in turn contains their redirected folders.  So for the user swolf we have D:\UserData\swolf.  

It was set up in such a way that when a user first logs in and creates their user folder the appropriate ownership and permissions are applied to their subsequent redirected folders (My Documents, Application Data, Desktop).  However, as of yesterday the ownership and permissions of each user's folder have gone missing and we have still not located the reason.  However right now, no one owns their folders and has permission to them.

Therefore, is there a way to propagate permissions to each of these 100 folders or so by setting appropriate permissions on each user folder or even the root folder of UserData?  Otherwise we will have to go into each user manually and reapply correct permissions, which will take forever.

Basically each user folder needs to be owned by user, and have full control for Admins, user, creator owner, and system, but I haven't been able to find any way of setting and propagating permissions.

Any suggestions on getting us back up and running are greatly appreciated!  We have just begun to experience a slew of problems related to folder permissions and I know many more are to come...
Question by:LGsupport
Accepted Solution

by:
jlar310 earned 500 total points
At the very least, you will have to manually set the owner for each folder. Maybe some VBscript can do it based on the folder name, but that's another issue. As for the permissions, we use the following for the root folder for redirection (after removing inherited permissions).

Administrators Group - Full Control - This folder, subfolders and files
SYSTEM - Full Control - This folder, subfolders and files
CREATOR OWNER - Full Control - Subfolders and files only
Authenticated Users - Read Attributes - This folder only
Authenticated Users - Read Extended Attributes - This folder only
Authenticated Users - Create Folders / Append Data - This folder only
Authenticated Users - Read Permissions - This folder only

This setup has the added benefit of allowing administrators access to the user files as long as you deselect the "Grant exclusive rights" checkbox in the redirection GPO.

Try setting those permissions at the top level, and the owner on each top-level user folder. You may need to force propagation for each top-level user folder, but that should be manageable. Remember, you need to close the properties dialog and re-open it after changing the owner.
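
Added example (not part of the original answer, and not jlar310's own script): the ACE list above expressed as .NET inheritance and propagation flags and applied to the root, followed by a read-only report of user folders whose owner does not match the folder name. The domain name `EXAMPLE` is a placeholder, and the script assumes each folder is named after the user's logon name, as in `D:\UserData\swolf`.

```powershell
$root   = 'D:\UserData'   # redirection root from the question
$domain = 'EXAMPLE'       # placeholder NetBIOS domain name (assumption)

$ciOi = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none = [System.Security.AccessControl.InheritanceFlags]::None

# identity, rights, inheritance flags, propagation flags
$aces = @(
    # "This folder, subfolders and files"
    @('BUILTIN\Administrators', 'FullControl', $ciOi, 'None'),
    @('NT AUTHORITY\SYSTEM',    'FullControl', $ciOi, 'None'),
    # "Subfolders and files only": inherited by children, not effective on the root
    @('CREATOR OWNER',          'FullControl', $ciOi, 'InheritOnly'),
    # "This folder only": no inheritance flags, so nothing reaches the user folders.
    # The four rights are combined into one ACE; CreateDirectories has the same
    # value as AppendData (Create Folders / Append Data).
    @('NT AUTHORITY\Authenticated Users',
      'ReadAttributes, ReadExtendedAttributes, CreateDirectories, ReadPermissions',
      $none, 'None')
)

$acl = New-Object System.Security.AccessControl.DirectorySecurity
# Protect the DACL from D:\ and do not keep a copy of the inherited entries
$acl.SetAccessRuleProtection($true, $false)
foreach ($a in $aces) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $a[0], $a[1], $a[2], $a[3], 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $root -AclObject $acl

# Read-only check: list user folders whose owner is not the matching account.
# A folder whose security descriptor cannot be read shows an empty Owner.
Get-ChildItem -Path $root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $expected = "$domain\$($_.Name)"
    $owner = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner
    if ($owner -ne $expected) {
        New-Object PSObject -Property @{
            Folder = $_.FullName; Owner = $owner; Expected = $expected
        }
    }
}
```

The report changes nothing below the root; it only shows which top-level user folders still need their owner set.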




Author Comment

by:LGsupport
Thanks for the advice, this is somewhat on par with what I figured I would have to do.  Just wanted to make sure I'm on the same page.

So I would want to disable inheritance on UserData (i.e. no permissions received from D:)?  Then set up the permissions you have specified above manually on the UserData folder.

Then I would set owner on each top level user folder to the user themselves then close out.  Then I would go back in and propagate permissions on the top level user folders?

Also, had one quick question for you on the permissions you listed above.  If I understand correctly the authenticated user permissions will only be applied to the UserData folder and no subfolders, correct?  Is this so that new users can create a new top level folder?  I was concerned at first because it looked like any authenticated user would be able to gain access to other users' desktop, my docs, etc., but I am guessing the authenticated users permissions are so that new AD users can create a redirected folder on first login?

 

Expert Comment

by:jlar310
Yes, it seems you understand the process.  Good luck, I'm not 100% sure it's going to work, but I think it's as close as you are going to get without restoring from a backup or writing some vbscript.

Yes, the "Authenticated User" permission is just for new users to be able to create a new folder tree for their account in the UserData folder. Because the "Authenticated User" permissions are "This folder only", they should not propagate to the user sub-folders.

As with all advice given by strangers on the internet, proceed with caution.