Asked by dataflownetworks

Admin/Domain Admin cannot access Redirected Folders (My Documents or Desktop)

On a fresh install of SBS 2008, with folder redirection enabled for the "My Documents" and "Desktop" of users, I can't make those folders accessible by any user who does not own that folder. Basically, if User A wants to access files in User B's redirected documents folder, they can't. I know this is by design, but I need to be able to at least let admin or domain admin view these folders so that a few of the users can see one another's "My Documents" again like they used to on SBS 2003. There are a ton of responses on Google and Experts Exchange but none that walk you through how to work around this.

Essentially, there are 5 users on this small network and I want the folders (My Documents and Desktop) redirected like they are so that they are backed up but want to allow the users to view each other's My Documents as well.

Any help would be greatly appreciated.

Sincerely,

Mike Johnson
SOLUTION
Larry Struckmeyer MVP

This solution is only available to members.

ASKER

Thanks fl_flyfishing for your response. I have read in other responses similar to yours that this way breaks the GPO for the folder redirection and therefore breaks the functionality. Ideally, if possible (big if possible), I would like to keep the intended functionality of the redirection and sync but just let the domain admin be able to see these redirected folders as would the end user that the folder is for.

Hopefully that makes sense.

Sincerely,

Mike Johnson
SOLUTION
This solution is only available to members.

Hi dstewartjr -

Thanks for your response. I checked out the link you forwarded which almost looks helpful, my concern with it is that it references the 'Best Practices for Folder Redirection' for the following OS's: Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2. And SBS 2008 is not included in this, which has a whole different set of GPO's. Do you know of an article that pertains to SBS 2008 specifically? I have looked everywhere without success.

Thanks again for your help and advice.

Mike
Both of the answers you received are partially correct and, together, they will provide a complete solution. Here is the breakdown:

First, a common misconception is that group policies are processed by the server. Your comment that "And SBS 2008 is not included in this, which has a whole different set of GPO's" illustrates this misunderstanding. First (and perhaps being nitpicky) there is a difference between a group policy and a group policy object (GPO). A policy is the rule that is being turned on, enforced, set, etc. A GPO is a specific object in Active Directory that includes a set of policies. Folder redirection is a policy, for example, but the SBS wizard creates a specific GPO that turns on that policy in a specific way. You could create another GPO that turns on folder redirection but points to a different path for a different OU in AD, thus, same policy (folder redirection) but different GPOs.

This distinction is important because *policies* are enforced by the client, not the server. SBS includes a few default GPOs, true, but they aren't wholly different than previous versions of SBS, or even different versions of Windows Server. And ultimately, it is up to the client OS, via the Group Policy Client Side Extensions service, to get the GPOs that apply to it and enforce them.

If you view a specific policy, sometimes in the description of the policy, you will see an "applies to Windows Vista or later" in the description pane on the left of the GPMC. You could take a Windows 7 machine, connect it to a Windows 2000 (very old AD server), install the Remote Server Administration Tools (RSAT), and create a GPO that turns on that "Windows Vista and Higher" policy, even though Windows 2000 has no clue about it due to its age. If you were to view that same GPO using the Windows 2000 tool, it'd show up as an "extra registry entry." But Windows Vista and Windows 7 machines will see that policy, enforce it, and it'd work as expected even on a network where Windows 2000 is the only DC.

Thus illustrating that *policies* are enforced by the client, not the server.

So, to bring back that point, dstewartjr's link is exactly accurate. That checkbox is interpreted by all client OS's, including Windows 7, and will create folders with either exclusive user rights (checked) or user and administrator rights (unchecked) when the folder redirection folder is first created by the client. Unchecking this box will automatically add Administrator privileges to future users when Folder Redirection is first applied and the folders first created moving forward. This is true for XP/Vista/Win7 on SBS2003/2008/2011.

BUT, and this is where fl_flyfishing's response comes in, the folder redirection *only* sets the initial permission when the folder is created. It does *not* reset permissions once the folder exists. So your existing five users must be fixed manually.

To do this, you can follow fl_flyfishing's post, but with only five users, I'd do so on a more granular level. Take ownership of each user's root folder, add domain admins full control, add "owner" full control, then in the advanced security tab, use the ownership feature again, but this time choose "other user" and grant ownership back to the original user. Since the owner is now the original user, that "owner" full control will give them access, but your "domain admins" will not be overwritten, so you retain access.

The above is, when done properly, identical to the permissions that the GPCSE (Group Policy Client Side Extensions) assigns when it first creates the redirected folder for a new login. Thus you are staying consistent with the policy and will have a uniform folder layout moving forward.

-Cliff
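
The manual repair described in the answer above, scripted with `takeown` and `icacls` as an added example that is not part of the original thread. The root path, the `CONTOSO` domain name and the one-folder-per-logon-name layout are assumptions, and the user is given an explicit entry alongside the owner entry; it needs PowerShell 2.0 or later.

```powershell
# Added example, not from the thread. Assumed: redirected folders live under $Root,
# one subfolder per logon name, and the NetBIOS domain name is CONTOSO (placeholder).
# Run elevated on the server as a member of Domain Admins.
$Root   = 'D:\Users\FolderRedirections'   # assumed path, adjust to your share
$Domain = 'CONTOSO'                       # placeholder domain name
$Admins = "$Domain\Domain Admins"
$Full   = [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($dir in Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer }) {
    $user = "$Domain\$($dir.Name)"
    $path = $dir.FullName

    # Skip folders whose name does not resolve to an account (old or renamed users).
    try {
        $acct = New-Object System.Security.Principal.NTAccount($user)
        $null = $acct.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account matches $path; left untouched"
        continue
    }

    # 1. Take ownership of the whole tree for the Administrators group (/A) so the
    #    ACLs can be edited. "/D Y" answers the prompt on English-language systems.
    takeown.exe /F $path /R /A /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "takeown failed on $path"; continue }

    # 2. Add full control for Domain Admins and the user; inheritance flags apply
    #    to directories only. CREATOR OWNER (S-1-3-0) is inherit-only, for new items.
    icacls.exe $path /grant "${Admins}:(OI)(CI)F" "${user}:(OI)(CI)F" `
        '*S-1-3-0:(OI)(CI)(IO)F' /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "grant failed on $path"; continue }

    # 3. Hand ownership of the tree back to the original user.
    icacls.exe $path /setowner $user /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "setowner failed on $path"; continue }

    # 4. Verify: owner is the user again and Domain Admins still hold full control.
    $acl = Get-Acl -Path $path
    $adminOk = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Admins -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $Full) -eq $Full
    }
    if ($acl.Owner -eq $user -and $adminOk) { "OK    $path" } else {
        Write-Warning "Check $path manually (owner: $($acl.Owner))"
    }
}
```
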
Very well put Cliff. That was the most descriptive and thorough explanation I have ever received in respects to someone supporting me and I have been doing this for many years. Thank you fl_flyfishing & dstewartjr as well, as Cliff points out both your answers were on the right track as well.

Cliff - And if my goal at the end of the day is to utilize the feature of the redirection to the server for the backup purposes will this allow the users to share one another's folders like they used to if I give them all domain admin privileges or would you outlay an easier approach? For example, the main goal is to redirect them to the server both for backup and sharing, security is not an issue as it's a family run business that needs no privacy.

Thanks again sincerely.

Mike
Even where security is not an issue, it is best to use the system as intended or you run into unexpected results with upgrades. In your scenario, I'd recommend creating a separate directory on the server, name it "shared files" and share it giving full read-write permissions to all users (no need to make them domain admins at that point), and enable volume shadow copies for the share so you/they can easily recover accidentally deleted files.

Drop a shortcut to the shared files folder on each user's desktop and they can access it quickly and easily, and you avoid any accidental data loss or "oops" issues which you could have if you pursue a non-standard approach.

-Cliff
Totally agree with that idea Cliff, problem with that is that they have GB's and GB's of data in their existing "My Docs" already and for them to have to go through and determine what needs to be put there by them would probably not get done or they would not be receptive as they are not IT savvy to begin with. Does that make sense?

Mike
ASKER CERTIFIED SOLUTION
This solution is only available to members.

Agreeing with Cliff. I have many customers that don't use My Documents or Documents or any variation, instead filing things in the way Cliff has described. And this works best if the top level share describes the security for all the files and folders below. If you need distinct share permissions, say for the engineers, the accountants, and the shipping department, create security groups, add the appropriate users to the security groups, then make the shares, set the permissions for the groups, not the individuals.

This is one of the primary benefits of a true server.  Using the Documents way is nearly as bad as staying in a workgroup.
Very well put and that is the approach I will take.  Funny, this was technical at first and has now become a training for both myself and my clients.  Thanks again for everyone's help.

Mike