Solved

Folder Redirector Permissions

Posted on 2011-03-17
21
849 Views
Last Modified: 2012-08-13
Hello,

I have setup Folder Redirector and created a GPO. My settings are below.

Target
Settings: Basic - Redirect everyone's folder to the same location
Target: Create a folder for each user under the root path

Root Path: \\192.168.1.173\Data\Users

Settings
Grant the users exclusive rights to documents <- THIS WAS CHECKED
Move the contents of Documents to new location <- This was checked
Also Apply redirection policy to Windows 2000 <- This was checked

---------------------------------------------------------------------------------------------------------

I applied this to one OU and around 40 users documents moved over successfully. The problem is that when I go to my new Filserver (W/admin rights) it tells me that I do not have permissions.

 Folder Permissions

Now the weird thing is that When I Right Click Users and look at my settings, the share name is users2 and I don't unsderstand why?

Please review pic, its hard to explain.
 Users Properties
I'm looking for a way to fix all of this the right way.

Thanks,

nimdatx
0
Comment
Question by:nimdatx
  • 10
  • 6
  • 5
21 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35159414
Hello again.

If you want a nice clean setup, create a new share according to the link I gave you on the other question. Change your folder redirection policy to this new share (on same server). For the options set:

Grant the users exclusive rights to documents: Unchecked
Move the contents of Documents to new location: Checked
Also Apply redirection policy to Windows 2000: Unchecked if you have no Windows 2000 machines
0
 
LVL 1

Author Comment

by:nimdatx
ID: 35159603
Hello Jmoody,
I have alot of questions.....

What will happen to my users documents once I change it all?

Why did this happen in the first place?

Can I create any share name or does it have to be Users?

Any addtional steps that will be helpful?
0
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 300 total points
ID: 35159651
It is no problem. I have a lot of answers. :)

The documents will move from their current location. This means that documents stored on the local computer, file servers, etc will all be moved. This setting is very useful when organizations combine file servers

The Owner permission happened because Microsoft sets "Grant Users Exclusive Permission" automatically. You have to uncheck that in your folde redirection policy or the specific user is the only user that has access (without you seizing ownership).

It can be any share name. Your policy is probably going to look like this:

Setting: Basic - Redirect everyone's folder to the same location

Create a folder for each user under the root path
\\servername\share

Does that make sense?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 35159819
I'm not sure how far you have gone with your previous questions, but just a quick link that describes the NTFS/share permissions in a "easy to follow" entry.

http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

(see the Folder redir section)
0
 
LVL 1

Author Comment

by:nimdatx
ID: 35159826
Yes makes sense to a certain point....

A brief description of my environment:

I'm running a ESXi Server that has my new Fileserver (win2k8) on it. I created two VHDs: 1VHD= C: (OS) and 2VHD= D: (Data).

Now within that I created folders for example; My Renal Common (Files/Folders for entire practice), Users which will change now to UsersDocs. These are the two folders I've migrated so far. Thank god cause I would have screwed up other shares.

Ok....I'm looking at the Security Recommendations for Folder Redirecion and a bit confuse.

Assigning permissions for root folders, shares, and users's redirected folder.

NTFS Permissions for Folder Redirection Root Folder <- Is that D: (DATA) or Within D: (Data) and set on UsersDocs and other Folders. Makes more sense to do at the D: Data, but I'm not sure.

What the heck is Creator Owner and is Local system the same as System?

Ok....now, Share level (SMB) Permissions for Folder Redirection Share <- WHERE IS THAT?

Last but not least....NTFS Permissions for Users' Redirected Folders <- WHERE IS THAT?

Thanks so much and if I could I would give you more points!!!!
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35159892
It is no problem at all. I like helping. Let me look over this a bit more in my test environment.

NTFS permissions for folders on the root folder can be D or a subfolder. We have a massive drive (let us say D:\). Inside of it are subfolders such as staff data, student data, etc. We assign the NTFS permissions on those folders. Then when folder redirection creates the users folder redirectio folders, it will get the top permissions.

Creator owner is the coolest thing ever (besides loopback policy processing)! It just means that if I create the file, I am assigned full permission to it because I am the creator/owner. This is the setting that allows you to not worry about "can other users see my documents".

Local System is the same as system. http://msdn.microsoft.com/en-us/library/ms684190(v=vs.85).aspx

SMB is where you right click on the folder (like Staff data) and select share. You then change share permissions to something like everyone: full control.

Last question: see your first question
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 35160030
On the root, ie. D:\, I always give "Domain admins" and "System" full permissions and nobody else.

If you the create a folder, i.e. "D:\FolderRedir", this is the folder that should be considered to be your root folder where you configure permissions. Remember to turn off NTFS inheritance like described in the blog entry.  

And with the cool "CREATOR OWNER" thing :) users will get their folders:

D:\FolderRedir\%username%

\\servername\FldRedir$\%username%
0
 
LVL 1

Author Comment

by:nimdatx
ID: 35160195
We have a massive drive (let us say D:\). Inside of it are subfolders such as staff data, student data, etc. We assign the NTFS permissions on those folders. Then when folder redirection creates the users folder redirectio folders, it will get the top permissions.

Should I have shared D:? Since I shared D: wouldn't that be top level? How would D: Security permissions affect the subfolders such as staff data, students data, etc?

When I create permisions on D: I see that it inherits down to subfolders, but what do you recommend. As far as shares, I get confused on win2k8 cause it looks a bit differant. When I right Click a folder and go to properties, then share I give Everyone full control, but then when I go to Security tab, I see everyone listed with full control.

My thought was share permissions gives access to a house and the security permissions are access to the rooms in the house. So you see where my concern is?

Thanks,

nimdatx
0
 
LVL 1

Author Comment

by:nimdatx
ID: 35160218
On the root, ie. D:\, I always give "Domain admins" and "System" full permissions and nobody else.

If I give Domain Admin and System Full permissions and nobody else, wouldn't that affect Domain users gaining access to subfolders?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 35160342
If I give Domain Admin and System Full permissions and nobody else, wouldn't that affect Domain users gaining access to subfolders?

Not if you set the permissions correctly. Users connect to the share you create (the subfolder), not D$\Subfolder.  
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 35160361
PS! I talk about an empty D-disk where you start creating subfolders and shares. If you already have dozens of subfolders in place already relying on inheritance from D$, I would be a little careful changing anything.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 35160603
Ok I created a new Share and unchecked Give Users Exclusive rights, but when I logon to new fileserver and select users my documents it says that I do not have permissions. Under security tab of that popup I can select admistrator and take ownership. I have to do that for all folders or I'm doing something wrong?

Thanks,

nimdatx
0
 
LVL 1

Author Comment

by:nimdatx
ID: 35160658
These are the security permissions I set prior to modifying folder redirector.

 Advance Security Settings for Userdocs
When I logon to new fileserver and select users my documents it says that I do not have permissions. Under security tab of that popup I can select admistrator and take ownership. I have to do that for all folders or I'm doing something wrong?

 D Data Security Settings
Thanks,

nimdatx
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 200 total points
ID: 35160721
If I got it correctly, you have an old file server holding the folder redirections and you are moving them to a new file server?

If the GPO had "Give Users Exclusive rights" ticked when the user folders were created, there is no way an admin can get access without taking ownership.

If the "Move the contents of Documents to new location" is ticked, it will drag along the already sat owner which is the %username% as "Give Users Exclusive rights" was ticked.

If you take ownership and give an admin permissions, the user will not be able to use Folder redirection until you change the owner and permission back like it was.


If you have created a new share on the new server and unticked the "Give Users Exclusive rights", try to create a new test user, and you'll most likely see that the admin has permissions.

"Give Users Exclusive rights" will only came into play when you add new users. It will not do anything on already created folders.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 35160817
My folder redirections GPO is set on new VM Server/DC. When users "my document" migrated to my new server (fileserver) yesterday, I had checked Give Users Exclusive Rights. i figured by creating a new share it would allow admin to take ownership, but what your saying is that it won't, correct?

Now, If I take ownership of each of those users folders, it will not redirect these folders anywhere else?

If I don't plan on moving those folders for awhile then taking ownership is ok? I can always change ownership back if I need to move folders again?

At what level do I need to gain ownership?
\\192.168.1.173\UserDocs\JaimeC\My Documents
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 35161042
i figured by creating a new share it would allow admin to take ownership, but what your saying is that it won't, correct?

You can take ownership, but what I said/ment was that unticking "Give Users Exclusive Rights" will not have any backward effect on already created folders. Only on folders created after you have unticked.

If I don't plan on moving those folders for awhile then taking ownership is ok?

Then if JaimeC logs on he will get an error that he can't gain access to the redirected folder. He needs to be the owner.

You need ownership on the folder "JaimeC".
0
 
LVL 1

Author Comment

by:nimdatx
ID: 35165913
As an administrator how do I gain access if i give ownership back? Some not all my users can access their documents after I changed ownership to admin. Some of my users are complaining that when they go to documents they don't see anything. I can their folders/files on my new fileserver, but they can't. So you think it's cause I took ownership of folder?
0
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 300 total points
ID: 35165943
Yes. When you take ownership, it replaces their permissions with yours. If it is a few users, you can open their folder (ex: \\server\share\users1\) and give them full control that propagates down.
0
 
LVL 1

Author Comment

by:nimdatx
ID: 35166634
Takes so much for all your hard/smart work.
0
 
LVL 1

Author Closing Comment

by:nimdatx
ID: 35166672
I really wish I could give more points. Your help is greatly appreciated.

nimdatx
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35167378
It is no problem! I have set this up many times. Once you do it once, you'll be answering questions like this with ease.
0

Join & Write a Comment

Learn about cloud computing and its benefits for small business owners.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now