Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 869
  • Last Modified:

Folder Redirector Permissions

Hello,

I have setup Folder Redirector and created a GPO. My settings are below.

Target
Settings: Basic - Redirect everyone's folder to the same location
Target: Create a folder for each user under the root path

Root Path: \\192.168.1.173\Data\Users

Settings
Grant the users exclusive rights to documents <- THIS WAS CHECKED
Move the contents of Documents to new location <- This was checked
Also Apply redirection policy to Windows 2000 <- This was checked

---------------------------------------------------------------------------------------------------------

I applied this to one OU and around 40 users documents moved over successfully. The problem is that when I go to my new Filserver (W/admin rights) it tells me that I do not have permissions.

 Folder Permissions

Now the weird thing is that When I Right Click Users and look at my settings, the share name is users2 and I don't unsderstand why?

Please review pic, its hard to explain.
 Users Properties
I'm looking for a way to fix all of this the right way.

Thanks,

nimdatx
0
Jaime Campos
Asked:
Jaime Campos
  • 10
  • 6
  • 5
3 Solutions
 
Joseph MoodyBlogger and wearer of all hats.Commented:
Hello again.

If you want a nice clean setup, create a new share according to the link I gave you on the other question. Change your folder redirection policy to this new share (on same server). For the options set:

Grant the users exclusive rights to documents: Unchecked
Move the contents of Documents to new location: Checked
Also Apply redirection policy to Windows 2000: Unchecked if you have no Windows 2000 machines
0
 
Jaime CamposAuthor Commented:
Hello Jmoody,
I have alot of questions.....

What will happen to my users documents once I change it all?

Why did this happen in the first place?

Can I create any share name or does it have to be Users?

Any addtional steps that will be helpful?
0
 
Joseph MoodyBlogger and wearer of all hats.Commented:
It is no problem. I have a lot of answers. :)

The documents will move from their current location. This means that documents stored on the local computer, file servers, etc will all be moved. This setting is very useful when organizations combine file servers

The Owner permission happened because Microsoft sets "Grant Users Exclusive Permission" automatically. You have to uncheck that in your folde redirection policy or the specific user is the only user that has access (without you seizing ownership).

It can be any share name. Your policy is probably going to look like this:

Setting: Basic - Redirect everyone's folder to the same location

Create a folder for each user under the root path
\\servername\share

Does that make sense?
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
snusgubbenCommented:
I'm not sure how far you have gone with your previous questions, but just a quick link that describes the NTFS/share permissions in a "easy to follow" entry.

http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

(see the Folder redir section)
0
 
Jaime CamposAuthor Commented:
Yes makes sense to a certain point....

A brief description of my environment:

I'm running a ESXi Server that has my new Fileserver (win2k8) on it. I created two VHDs: 1VHD= C: (OS) and 2VHD= D: (Data).

Now within that I created folders for example; My Renal Common (Files/Folders for entire practice), Users which will change now to UsersDocs. These are the two folders I've migrated so far. Thank god cause I would have screwed up other shares.

Ok....I'm looking at the Security Recommendations for Folder Redirecion and a bit confuse.

Assigning permissions for root folders, shares, and users's redirected folder.

NTFS Permissions for Folder Redirection Root Folder <- Is that D: (DATA) or Within D: (Data) and set on UsersDocs and other Folders. Makes more sense to do at the D: Data, but I'm not sure.

What the heck is Creator Owner and is Local system the same as System?

Ok....now, Share level (SMB) Permissions for Folder Redirection Share <- WHERE IS THAT?

Last but not least....NTFS Permissions for Users' Redirected Folders <- WHERE IS THAT?

Thanks so much and if I could I would give you more points!!!!
0
 
Joseph MoodyBlogger and wearer of all hats.Commented:
It is no problem at all. I like helping. Let me look over this a bit more in my test environment.

NTFS permissions for folders on the root folder can be D or a subfolder. We have a massive drive (let us say D:\). Inside of it are subfolders such as staff data, student data, etc. We assign the NTFS permissions on those folders. Then when folder redirection creates the users folder redirectio folders, it will get the top permissions.

Creator owner is the coolest thing ever (besides loopback policy processing)! It just means that if I create the file, I am assigned full permission to it because I am the creator/owner. This is the setting that allows you to not worry about "can other users see my documents".

Local System is the same as system. http://msdn.microsoft.com/en-us/library/ms684190(v=vs.85).aspx

SMB is where you right click on the folder (like Staff data) and select share. You then change share permissions to something like everyone: full control.

Last question: see your first question
0
 
snusgubbenCommented:
On the root, ie. D:\, I always give "Domain admins" and "System" full permissions and nobody else.

If you the create a folder, i.e. "D:\FolderRedir", this is the folder that should be considered to be your root folder where you configure permissions. Remember to turn off NTFS inheritance like described in the blog entry.  

And with the cool "CREATOR OWNER" thing :) users will get their folders:

D:\FolderRedir\%username%

\\servername\FldRedir$\%username%
0
 
Jaime CamposAuthor Commented:
We have a massive drive (let us say D:\). Inside of it are subfolders such as staff data, student data, etc. We assign the NTFS permissions on those folders. Then when folder redirection creates the users folder redirectio folders, it will get the top permissions.

Should I have shared D:? Since I shared D: wouldn't that be top level? How would D: Security permissions affect the subfolders such as staff data, students data, etc?

When I create permisions on D: I see that it inherits down to subfolders, but what do you recommend. As far as shares, I get confused on win2k8 cause it looks a bit differant. When I right Click a folder and go to properties, then share I give Everyone full control, but then when I go to Security tab, I see everyone listed with full control.

My thought was share permissions gives access to a house and the security permissions are access to the rooms in the house. So you see where my concern is?

Thanks,

nimdatx
0
 
Jaime CamposAuthor Commented:
On the root, ie. D:\, I always give "Domain admins" and "System" full permissions and nobody else.

If I give Domain Admin and System Full permissions and nobody else, wouldn't that affect Domain users gaining access to subfolders?
0
 
snusgubbenCommented:
If I give Domain Admin and System Full permissions and nobody else, wouldn't that affect Domain users gaining access to subfolders?

Not if you set the permissions correctly. Users connect to the share you create (the subfolder), not D$\Subfolder.  
0
 
snusgubbenCommented:
PS! I talk about an empty D-disk where you start creating subfolders and shares. If you already have dozens of subfolders in place already relying on inheritance from D$, I would be a little careful changing anything.
0
 
Jaime CamposAuthor Commented:
Ok I created a new Share and unchecked Give Users Exclusive rights, but when I logon to new fileserver and select users my documents it says that I do not have permissions. Under security tab of that popup I can select admistrator and take ownership. I have to do that for all folders or I'm doing something wrong?

Thanks,

nimdatx
0
 
Jaime CamposAuthor Commented:
These are the security permissions I set prior to modifying folder redirector.

 Advance Security Settings for Userdocs
When I logon to new fileserver and select users my documents it says that I do not have permissions. Under security tab of that popup I can select admistrator and take ownership. I have to do that for all folders or I'm doing something wrong?

 D Data Security Settings
Thanks,

nimdatx
0
 
snusgubbenCommented:
If I got it correctly, you have an old file server holding the folder redirections and you are moving them to a new file server?

If the GPO had "Give Users Exclusive rights" ticked when the user folders were created, there is no way an admin can get access without taking ownership.

If the "Move the contents of Documents to new location" is ticked, it will drag along the already sat owner which is the %username% as "Give Users Exclusive rights" was ticked.

If you take ownership and give an admin permissions, the user will not be able to use Folder redirection until you change the owner and permission back like it was.


If you have created a new share on the new server and unticked the "Give Users Exclusive rights", try to create a new test user, and you'll most likely see that the admin has permissions.

"Give Users Exclusive rights" will only came into play when you add new users. It will not do anything on already created folders.
0
 
Jaime CamposAuthor Commented:
My folder redirections GPO is set on new VM Server/DC. When users "my document" migrated to my new server (fileserver) yesterday, I had checked Give Users Exclusive Rights. i figured by creating a new share it would allow admin to take ownership, but what your saying is that it won't, correct?

Now, If I take ownership of each of those users folders, it will not redirect these folders anywhere else?

If I don't plan on moving those folders for awhile then taking ownership is ok? I can always change ownership back if I need to move folders again?

At what level do I need to gain ownership?
\\192.168.1.173\UserDocs\JaimeC\My Documents
0
 
snusgubbenCommented:
i figured by creating a new share it would allow admin to take ownership, but what your saying is that it won't, correct?

You can take ownership, but what I said/ment was that unticking "Give Users Exclusive Rights" will not have any backward effect on already created folders. Only on folders created after you have unticked.

If I don't plan on moving those folders for awhile then taking ownership is ok?

Then if JaimeC logs on he will get an error that he can't gain access to the redirected folder. He needs to be the owner.

You need ownership on the folder "JaimeC".
0
 
Jaime CamposAuthor Commented:
As an administrator how do I gain access if i give ownership back? Some not all my users can access their documents after I changed ownership to admin. Some of my users are complaining that when they go to documents they don't see anything. I can their folders/files on my new fileserver, but they can't. So you think it's cause I took ownership of folder?
0
 
Joseph MoodyBlogger and wearer of all hats.Commented:
Yes. When you take ownership, it replaces their permissions with yours. If it is a few users, you can open their folder (ex: \\server\share\users1\) and give them full control that propagates down.
0
 
Jaime CamposAuthor Commented:
Takes so much for all your hard/smart work.
0
 
Jaime CamposAuthor Commented:
I really wish I could give more points. Your help is greatly appreciated.

nimdatx
0
 
Joseph MoodyBlogger and wearer of all hats.Commented:
It is no problem! I have set this up many times. Once you do it once, you'll be answering questions like this with ease.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 10
  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now