Solved

Folder Redirection Problem Windows 2003 Server

Posted on 2010-09-22
Last Modified: 2012-05-10
Hi All,

We are achieving Folder Redirection through GPO; we have a couple of problems and questions.

We firstly created a folder and applied the following NTFS and sharing policy:

Folder created and NTFS permissions applied are:
We removed the following check box under the Advanced button under the Security tab:
"Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here."

We then added Administrators and Domain Admins; full control was applied, and it was allowed to apply to "this folder, subfolders and files".
We then added Domain Users and only allowed List Folder / Read Data, and only applied it to this folder only.


We then shared the folder and also made it a hidden share using share$.
We then shared the folder, applied Administrators, Domain Admins and Domain Users and gave them full control.

Now my question is as follows:
When using Group Policy Management and creating a policy for folder redirection, once settings are applied like so (see image below), why is the folder not automatically generated like when creating a home folder? Only once we manually created the user's folder would the synchronisation take place?
[image: folder redirection options which are set]
One last question: we need offline folder sync performed; how do we also set this up on the redirected folders?
Would we go to the file on the server, select the folder (root share folder), go to Options, Caching and allow offline sync?

Thanks Dav
Question by:spiraldav

18 Comments

Author Comment

by:spiraldav
ID: 33732400
Sorry, we forgot to mention:

When we had to create the user's folder inside our share, we created the folder with the name, and applied the following security permissions:
Administrators and Domain Admins: full control
User in question: full control

One other question we would like an answer to is: why can we not open, e.g., the Desktop or Documents folder on the server? When we are logged on as an administrator with full rights, we cannot access the user's folder. Is it because we do not have ownership permission to the contents within the folder? Error received on server: "F:\Folder\Redirection\user\sedktop is not accesible, access is denied"


Thanks again.
Dav

The user can see their own files of course if navigating to the share.

Expert Comment

by:Porka
ID: 33733883
Folder redirection will create the folder automatically as the logged-on user, so if the user has no write access the request to create the folder will fail. I have a similar setup where users will create their My Docs automatically at first logon; it sounds like you adjusted the rights more or less correctly at the end of the post. My rights are: Domain Admins, SYSTEM and owner user have full ACL rights, and the default Everyone full rights on the share object (can be a security issue and can be changed to the same as the ACL security). To troubleshoot the issues, log onto a computer as the user, then check the local machine event log and it will have the failure reason (i.e. access denied or path not found etc.)

With offline folder sync, you could either set the group policy settings to automatically take redirected folders offline or there are options to set specific ones. I wouldn't touch each folder individually as I've got in excess of 3000 users.

With the access denied, in the folder redirection properties, go to the Settings tab and untick the allow users exclusive access to folder as it will lock you out of it

Hope this helps
Author Comment

by:spiraldav
ID: 33734076
Hi Porka,

Hopefully you see this,

So how would I set up the NTFS and sharing permissions then, if I set up from scratch?
You mention Domain Admins, System and Creator Owner.

What is the SYSTEM "user" in the greater scheme of things?

For the folder redirection offline setting, where in a GPO would I find that option?

Then with your last statement,
"With the access denied, in the folder redirection properties, go to the Settings tab and untick the allow users exclusive access to folder as it will lock you out of it"

Am I correct in saying that by taking that tick off, only Administrators, Domain Admins and Creator Owner have access to that file, so in case someone on the network browses to the folder for userx they cannot access My Docs or Desktop?

Thanks again, I will try going through all when I'm back in the office today or tomorrow.

Dav
Accepted Solution

by:
Porka earned 300 total points
ID: 33734194
With the security I usually have a base folder for the home folders to reside in that has only Domain Admins and SYSTEM with full control; then under that folder is each person's home folder. Each of those home folders inherits security from the base folder (so gets Domain Admins and SYSTEM) and then the user is added with full control to their folder. The user's home folder is shared with a $ sign and the security for that share is set to either Everyone full control (default for Win2003) or we set the same security as the folder (i.e. Domain Admins, SYSTEM and the user full control). Be careful with Creator Owner at this point as that will probably be a problem if you created the folder or are deemed the owner; I usually have the user directly listed instead of Creator Owner. The SYSTEM account is a default account for the server itself to have access to the folder for system operations (might not be mandatory but I've always had it there as a default). Then for folder redirection I point to \\server\sharename$\my documents

With the group policy, in Active Directory you modify the group policy object that is tied to the users in question. Under User Settings, Administrative Templates, Network, Offline Files, there is the option for automatically take redirected folders offline which you can enable, or you can use the administratively assigned offline files (usually the take redirected folders offline automatically is sufficient).

With the last statement, when you tick allow users exclusive access (my wording could be slightly wrong as I'm doing it from memory), it replaces the security on the folder so the owner is the user and the only person with access is the user; it removes all security but that of the user, so unticking the box means it leaves it how you set it. So provided you set the security correctly to begin with it's fine.

Hope this helps
Expert Comment

by:Porka
ID: 33734206
Just realised I typed the wrong path for the redirection; it should be

\\server\%USERNAME%$\my documents

Author Comment

by:spiraldav
ID: 33761965
Thanks, will try all on Monday; we had a public holiday on Friday, and received an email today that to keep the post active I must post something etc.

Author Comment

by:spiraldav
ID: 33768241
Hi Porka:

I have two questions:

> I do not see the option you mention of: "there is the option for automatically take redirected folders offline"

I do see the other, but it seems a bit more tricky.

> If a laptop user goes off site and connects to the office, let's say via VPN, will offline synchronisation use slow link detection, and then only sync files when the connection is better, i.e. when they are back at the office?


[image: offline-settings.jpg]

Expert Comment

by:Porka
ID: 33768656
Sorry, was doing it from memory at the time from home; the last setting that says "Do not automatically make redirected folders available offline", set to Disabled to force it to take any redirected folders offline. You can also use the sync all files when logging on or off if you choose (I often force it for logoffs to make sure it's always synced, but have a play and see how it goes).

In answer to the second question, I haven't used it before, but if you go back to the group policy and go to Computer Config / Administrative Templates / Network / Offline Files / Configure slow link speed (or slow link mode if using Server 2008 and higher with Vista) you can set the threshold for what speed you need to have to be able to use offline sync. Hope this helps

Author Comment

by:spiraldav
ID: 33776893
Hi Porka,

Thanks for that, I have the GPO sorted now, but I must be doing something wrong.

I created a new folder on the drive where we will be storing redirected folders.
Security permissions I applied are as follows:
SYSTEM and DOMAIN ADMINS = FULL CONTROL
I did the same for the folder for share permissions.

But the user permission is not being pulled in, hence a permission denied comes up.
What other user or group should I be adding on the share and NTFS permission side, and also what settings should I be applying to that user?

Thanks for all your help, it's much appreciated.

Author Comment

by:spiraldav
ID: 33776916
Sorry, we're getting the permission denied when we are logging onto the test machine. When I add Domain Users, if I add read and write access etc. under NTFS and share, the folder gets created, but then any domain user can then access the file, whereas under the home folder setup for a user, it creates the folder no problem and adds our setup of users there, i.e. Administrators, Domain Admins, and the user in question. I think that works because when you edit a user profile in AD Users and Computers, AD creates the folder and assigns the user there.

Assisted Solution

by:QEMS
QEMS earned 200 total points
ID: 33776948
Under standard sharing, give Everyone full control and then lock down with NTFS permissions.

Under the security advanced settings, Everyone should have Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Create Folders / Append Data; don't grant anything else to "Everyone" and apply it to "This folder only".

Administrators and System should both have full control for "this folder, sub folders and files"

Creator Owner should have full control for "sub folders and files only"

That should allow the system to create the folder named %username% under your share, but only allow permission to that folder to the required user.

You can check the effective permissions on the folders for a given user to be sure things are set correctly.
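The root-folder ACL QEMS lays out above, written as a PowerShell script so the four entries, their "applies to" scope and the share can be set and then checked in one go. This is an added example, not code from QEMS or from the thread. It assumes PowerShell 2.0 or later has been installed on the Windows Server 2003 machine (it is not built into 2003), that it runs from an elevated prompt, and that `F:\Redirection` and `Redirection$` are placeholders for your own path and share name; the function names `New-Ace`, `Set-RedirectionRootAcl`, `New-HiddenShare` and `Show-FolderAcl` are mine.

```powershell
# Added example (not from the thread): build the redirection root with the ACL
# QEMS describes, share it hidden with Everyone=Full at share level (NTFS does
# the real restriction), then list the ACEs that landed.
# Assumes PowerShell 2.0+ installed on the 2003 server, run elevated.
param(
    [string]$Root      = 'F:\Redirection',   # placeholder path
    [string]$ShareName = 'Redirection$'      # placeholder hidden share name
)

function New-Ace {
    # One NTFS allow ACE. Inheritance/propagation map onto the "Apply to" column
    # of the advanced security dialog:
    #   'None' / 'None'                                   -> This folder only
    #   'ContainerInherit, ObjectInherit' / 'None'        -> This folder, subfolders and files
    #   'ContainerInherit, ObjectInherit' / 'InheritOnly' -> Subfolders and files only
    param([string]$Identity, [string]$Rights, [string]$Inheritance, [string]$Propagation)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Identity, $Rights, $Inheritance, $Propagation, 'Allow'
}

function Set-RedirectionRootAcl {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl = Get-Acl -Path $Path
    # Same effect as unticking "Allow inheritable permissions from the parent...":
    # stop inheriting from the drive root and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($existing)
    }
    # Everyone: traverse, list, read attributes, create subfolder, root only.
    # CreateDirectories is the right the asker's "Domain Users: List Folder /
    # Read Data, this folder only" entry lacked, so the client-side creation of
    # %username% failed with access denied.
    $acl.AddAccessRule((New-Ace 'Everyone' 'Traverse, ListDirectory, ReadAttributes, CreateDirectories' 'None' 'None'))
    $acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    # CREATOR OWNER is inherit-only: it grants nothing on the root itself, but
    # whoever creates %username% underneath becomes full-control owner of that
    # subtree, and no other user (bar Administrators/SYSTEM) gets in.
    $acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
    Set-Acl -Path $Path -AclObject $acl
}

function New-HiddenShare {
    param([string]$Name, [string]$Path)
    # net share is native on Server 2003. Everyone/Full at share level is QEMS's
    # advice; the NTFS ACL above is what actually limits access.
    & net share $Name 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) {
        & net share ('{0}={1}' -f $Name, $Path) '/grant:Everyone,FULL' | Out-Null
    }
}

function Show-FolderAcl {
    # Lists the ACEs so they can be compared with the dialog; per-user effective
    # permissions are then checked in the dialog as QEMS suggests.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
}

Set-RedirectionRootAcl -Path $Root
New-HiddenShare -Name $ShareName -Path $Root
Show-FolderAcl -Path $Root
```

Run it once on the server; the redirection target in the GPO is then `\\server\Redirection$\%USERNAME%\...` as QEMS's later comment describes, and the first logon creates the per-user folder under the Everyone/Create Folders right while CREATOR OWNER makes the logging-on user its owner. The listing at the end should show four non-inherited entries and nothing else; a surviving Domain Users or Users entry means inheritance was not broken.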
Author Comment

by:spiraldav
ID: 33777283
Hi QEMS,

Thanks for that, is there a reason you use Everyone instead of Domain Users, or are they part and parcel the same thing at the end of the day?

Also, what is the reason for adding Creator Owner to the list of permissions? Is that to give %username% the permission to work with files in the folder that the system creates?

I will try your steps above and apply them to the root folder, then logon from the test machine to see if all works.
Expert Comment

by:QEMS
ID: 33777893
The NTFS permissions will win out when it comes to deciding what level of access users have to the shares, so your files will be secured; this way one point which often causes confusion can be removed from the equation.

You could use Domain Users instead of Everyone, but it shouldn't make any difference when it actually comes to accessing the files as long as the NTFS permissions are set correctly.

Yes adding creator owner to the permissions will give %username% the right to deal with their own subfolder but not other user's subfolders.

As long as your redirects are set up to point to \\server\share$\%username%\documents and you don't allow them to browse the network they shouldn't be able to find anyone else's area anyway.
Author Comment

by:spiraldav
ID: 33778539
Hi QEMS,

Thanks for that, I'm just trying to get to grips with which groups to assign to shares etc., as I don't have tons of experience on this. I was aware that NTFS permissions ultimately take preference / the most restrictive setting rules, like deny supersedes allow.

Q: when are good cases to add Creator Owner?

Thanks.

Expert Comment

by:QEMS
ID: 33779997
It all depends on what you are trying to achieve.

This KB should help: http://support.microsoft.com/kb/274443

This one may apply to the problem you are seeing: http://support.microsoft.com/kb/232692

And some other information you may find useful:
Folder Redirection - http://technet.microsoft.com/en-us/library/cc781907(WS.10).aspx

Security Considerations when Configuring Folder Redirection - http://technet.microsoft.com/en-us/library/cc775853(WS.10).aspx
Expert Comment

by:Porka
ID: 33784584
Everything QEMS said is correct; the difference in my scenario is that we bulk create users via script which adds the user's ACL at create time to their home folder that will be redirected (all I feed the script is a first name and last name and it does the rest based on the site's design), so hence security is not compromised since we never use Everyone nor Domain Users, but if using A/D to create the folders then Creator Owner would work (as I said above it all depends on how you decide to create the users and their folders)

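Porka's alternative, from the accepted solution and the comment above: provision each home folder from a script, list the user explicitly in the NTFS ACL instead of relying on CREATOR OWNER, and publish it as its own hidden share so the redirection path is `\\server\%USERNAME%$\My Documents`. This is an added example and not Porka's script (which takes first and last names and is not posted in the thread). It assumes PowerShell 2.0 or later on the server, an elevated prompt, that the base folder already carries Domain Admins and SYSTEM with full control for the home folders to inherit, and that `CONTOSO` and `F:\Home` are placeholders; `New-UserHomeFolder` and `New-UserShare` are my names.

```powershell
# Added example (not from the thread): create one user's home folder under a
# base folder, add that user explicitly with full control (no CREATOR OWNER, so
# it does not matter that an admin created the folder), and share it hidden.
# Assumes PowerShell 2.0+ on the 2003 server, run elevated; base folder ACL
# (Domain Admins + SYSTEM, full control, inherited) already in place.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$Domain     = 'CONTOSO',   # placeholder NetBIOS domain name
    [string]$BaseFolder = 'F:\Home'    # placeholder base path
)

function New-UserHomeFolder {
    param([string]$User, [string]$NetBiosDomain, [string]$Base)
    $folder = Join-Path -Path $Base -ChildPath $User
    if (-not (Test-Path -Path $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }
    $acl = Get-Acl -Path $folder
    # Keep inheriting Domain Admins/SYSTEM from the base folder and add the user
    # as an explicit ACE on this folder, subfolders and files. Listing the user
    # directly is Porka's workaround for the CREATOR OWNER trap: the creator
    # here is the admin running the script, not the user.
    $ruleArgs = @(('{0}\{1}' -f $NetBiosDomain, $User), 'FullControl',
                  'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folder -AclObject $acl
    return $folder
}

function New-UserShare {
    param([string]$User, [string]$NetBiosDomain, [string]$Folder)
    $share = '{0}$' -f $User          # hidden per-user share, e.g. jsmith$
    & net share $share 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Share-level ACL mirrors NTFS rather than Everyone/Full (Porka's second
        # option). Domain Admins are in the local Administrators group on a
        # domain member, so granting Administrators covers them.
        & net share ('{0}={1}' -f $share, $Folder) `
            ('/grant:{0}\{1},FULL' -f $NetBiosDomain, $User) `
            '/grant:Administrators,FULL' | Out-Null
    }
    return '\\{0}\{1}' -f $env:COMPUTERNAME, $share
}

$homeFolder = New-UserHomeFolder -User $SamAccountName -NetBiosDomain $Domain -Base $BaseFolder
$unc        = New-UserShare -User $SamAccountName -NetBiosDomain $Domain -Folder $homeFolder
Write-Host ('Home folder : {0}' -f $homeFolder)
Write-Host ('GPO target  : {0}\My Documents  (as \\server\%USERNAME%$\My Documents)' -f $unc)
```

For bulk provisioning, call the script once per account from a loop over your user list; because every entry in the resulting ACL is an explicit user or admin group, neither Everyone nor Domain Users appears anywhere, which is the property Porka is relying on. The trade-off against QEMS's layout is that the folder and share must exist before the user's first logon, since nothing in this ACL lets the user create it themselves.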
Expert Comment

by:QEMS
ID: 33786713
Porka's approach would also work - as long as you can write the script =)

I think it's easier to allow active directory to create it on demand and use csvde where large numbers of new users are required.

While it could be argued that the Everyone group should not be granted any permissions at all, I wouldn't agree that security is compromised, however, as they can only create folders in the top level of the share.

Quote from http://support.microsoft.com/kb/274443
"Because the Everyone group has the Create Folder/Append Data right, the group members have the proper permissions to create the folder; however, the members are not able to read the data afterwards. The Username group is the name of the user that was logged on when you created the folder. Because the folder is a child of the parent folder, it inherits the permissions that you assigned to FLDREDIR. Also, because the user is creating the folder, the user gains full control of the folder because of the Creator Owner Permission setting."
Author Closing Comment

by:spiraldav
ID: 33796696
all is working and more is understood due to great answers above