Admin/Domain Admin cannot access Redirected Folders (My Documents or Desktop)

On a fresh install of SBS 2008, with folder redirection enabled for the "My Documents" and "Desktop" of users, I can't make those folders accessible by any user who does not own that folder. Basically, if User A wants to access files in User B's redirected documents folder, they can't. I know this is by design, but I need to be able to at least let admin or domain admin view these folders so that a few of the users can see one another's "My Documents" again like they used to on SBS 2003. There are a ton of responses on Google and Experts Exchange but none that walk you through how to work around this.

Essentially, there are 5 users on this small network and I want the folders (My Documents and Desktop) redirected like they are so that they are backed up but want to allow the users to view each other's My Documents as well.

Any help would be greatly appreciated.

Sincerely,

Mike Johnson
dataflownetworks Asked:

Larry Struckmeyer MVP Commented:
Strangely, there are folks on both sides of this issue. We see people claim that the tree is wide open and cannot be closed, and others saying that the tree is closed and cannot be opened.

As the domain admin, take ownership of the top level folder, and all folders below. Right click the top level folder, properties, security, advanced. Click the box to not allow inherited permissions, to pass the permissions to this folder, subfolders and files, when asked about the previous permissions say copy. Once you have ownership, navigate down the tree and set whatever permissions AND NTFS security you wish. You must set both, and the most restrictive applies, and deny anywhere overrules any allow permissions.
0
dataflownetworks (Author) Commented:
Thanks fl_flyfishing for your response. I have read in other responses similar to yours that this way breaks the GPO for the folder redirection and therefore breaks the functionality. Ideally, if possible (big if possible) I would like to keep the intended functionality of the redirection and sync but just let the domain admin be able to see these redirected folders as would the end user that the folder is for.

Hopefully that makes sense.

Sincerely,

Mike Johnson
0
Don (Network Administrator) Commented:
0

dataflownetworks (Author) Commented:
Hi dstewartjr -

Thanks for your response. I checked out the link you forwarded which almost looks helpful, my concern with it is that it references the 'Best Practices for Folder Redirection' for the following OS's: Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2. And SBS 2008 is not included in this, which has a whole different set of GPO's. Do you know of an article that pertains to SBS 2008 specifically? I have looked everywhere without success.

Thanks again for your help and advice.

Mike
0
Cliff Galiher Commented:
Both of the answers you received are partially correct and, together, they will provide a complete solution. Here is the breakdown:

First, a common misconception is that group policies are processed by the server. Your comment that "And SBS 2008 is not included in this, which has a whole different set of GPO's" illustrates this misunderstanding. First (and perhaps being nitpicky) there is a difference between a group policy and a group policy object (GPO). A policy is the rule that is being turned on, enforced, set, etc. A GPO is a specific object in Active Directory that includes a set of policies. Folder redirection is a policy, for example, but the SBS wizard creates a specific GPO that turns on that policy in a specific way. You could create another GPO that turns on folder redirection but points to a different path for a different OU in AD, thus, same policy (folder redirection) but different GPOs.

This distinction is important because *policies* are enforced by the client, not the server. SBS includes a few default GPOs, true, but they aren't wholly different than previous versions of SBS, or even different versions of Windows Server. And ultimately, it is up to the client OS, via the Group Policy Client Side Extensions service, to get the GPOs that apply to it and enforce them.

If you view a specific policy, sometimes in the description of the policy, you will see an "applies to Windows Vista or later" in the description pane on the left of the GPMC. You could take a Windows 7 machine, connect it to a Windows 2000 (very old AD server), install the Remote Server Administration Tools (RSAT), and create a GPO that turns on that "Windows Vista and Higher" policy, even though Windows 2000 has no clue about it due to its age. If you were to view that same GPO using the Windows 2000 tool, it'd show up as an "extra registry entry." But Windows Vista and Windows 7 machines will see that policy, enforce it, and it'd work as expected even on a network where Windows 2000 is the only DC.

Thus illustrating that *policies* are enforced by the client, not the server.

So, to bring back that point, dstewartjr's link is exactly accurate. That checkbox is interpreted by all client OS's, including Windows 7, and will create folders with either exclusive user rights (checked) or user and administrator rights (unchecked) when the folder redirection folder is first created by the client. Unchecking this box will automatically add Administrator privileges to future users when Folder Redirection is first applied and the folders first created moving forward. This is true for XP/Vista/Win7 on SBS2003/2008/2011.

BUT, and this is where fl_flyfishing's response comes in, the folder redirection *only* sets the initial permission when the folder is created. It does *not* reset permissions once the folder exists. So your existing five users must be fixed manually.

To do this, you can follow fl_flyfishing's post, but with only five users, I'd do so on a more granular level. Take ownership of each user's root folder, add domain admins full control, add "owner" full control, then in the advanced security tab, use the ownership feature again, but this time choose "other user" and grant ownership back to the original user. Since the owner is now the original user, that "owner" full control will give them access, but your "domain admins" will not be overwritten, so you retain access.

The above is, when done properly, identical to the permissions that the GPCSE (Group Policy Client Side Extensions) assigns when it first creates the redirected folder for a new login. Thus you are staying consistent with the policy and will have a uniform folder layout moving forward.

-Cliff
0
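The per-user repair described in the answer above, scripted with the built-in takeown.exe and icacls.exe tools. This is an added example, not code posted by anyone in the thread; the root path, domain name and account names are placeholders, it assumes each redirected folder is named after the account, and it grants the user an explicit full-control entry in place of the "owner" entry the answer describes.

```powershell
# Added example: run from an elevated PowerShell prompt on the server.
# Placeholders (not from the thread), change them for your environment:
$Root   = 'D:\RedirectedFolders'   # hypothetical parent of the per-user folders
$Domain = 'EXAMPLE'                # hypothetical NetBIOS domain name
$Users  = 'usera', 'userb'         # hypothetical accounts; folder name = account name

function Assert-Native([string]$Step) {
    # takeown.exe and icacls.exe report failure through their exit code
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

foreach ($User in $Users) {
    $Path = Join-Path $Root $User
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Skipping ${User}: $Path does not exist"
        continue
    }
    $Account = "$Domain\$User"

    # 1. Take ownership for the Administrators group (/A), recursively (/R).
    #    /D Y answers the prompt for subfolders that cannot be listed yet.
    & takeown.exe /F $Path /A /R /D Y | Out-Null
    Assert-Native "takeown on $Path"

    # 2. Add inheritable full control for Domain Admins and for the user.
    #    /grant adds entries and leaves the existing ones in place.
    $AdminAce = '{0}\Domain Admins:(OI)(CI)F' -f $Domain
    $UserAce  = '{0}:(OI)(CI)F' -f $Account
    & icacls.exe $Path /grant $AdminAce $UserAce /T | Out-Null
    Assert-Native "icacls /grant on $Path"

    # 3. Hand ownership of the whole tree back to the original user.
    & icacls.exe $Path /setowner $Account /T | Out-Null
    Assert-Native "icacls /setowner on $Path"

    # 4. Print the resulting owner and ACL of the root folder for review.
    '{0} is owned by {1}' -f $Path, (Get-Acl -Path $Path).Owner
    & icacls.exe $Path
}
```

Only Domain Admins and the folder's own user gain access here; the printed ACL in step 4 is the place to confirm that no broader group picked up rights along the way.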
dataflownetworks (Author) Commented:
Very well put Cliff. That was the most descriptive and thorough explanation I have ever received in respects to someone supporting me and I have been doing this for many years. Thank you fl_flyfishing & dstewartjr as well as Cliff points out both your answers were on the right track as well.

Cliff - And if my goal at the end of the day is to utilize the feature of the redirection to the server for the backup purposes will this allow the users to share one another's folders like they used to if I give them all domain admin privileges or would you outlay an easier approach? For example, the main goal is to redirect them to the server both for backup and sharing, security is not an issue as it's a family run business that needs no privacy.

Thanks again sincerely.

Mike
0
Cliff Galiher Commented:
Even where security is not an issue, it is best to use the system as intended or you run into unexpected results with upgrades. In your scenario, I'd recommend creating a separate directory on the server, name it "shared files" and share it giving full read-write permissions to all users (no need to make them domain admins at that point), and enable volume shadow copies for the share so you/they can easily recover accidentally deleted files.

Drop a shortcut to the shared files folder on each user's desktop and they can access it quickly and easily, and you avoid any accidental data loss or "oops" issues which you could have if you pursue a non-standard approach.

-Cliff
0
dataflownetworks (Author) Commented:
Totally agree with that idea Cliff, problem with that is that they have GB's and GB's of data in their existing "My Docs" already and for them to have to go through and determine what needs to be put there by them would probably not get done or they would not be receptive as they are not IT savvy to begin with. Does that make sense?

Mike
0
Cliff Galiher Commented:
I've had to fight that culture change before, but honestly, it is worth it, and they will actually appreciate the change once shown the benefits and experience it.

For example, let's say this were an architecture firm. Each user has gotten in the habit of storing notes on projects in their "my docs." 6 months later, a question comes up about a project that two people in the company worked on. Where are the notes that answer the question? Even if everyone has access to everyone else's data, you have a situation where you are sifting through two "mydocs" because the location is not certain.

Now, with a shared folder, and each project getting its own folder in that main shared folder, it can be indexed, easily searched and all notes are centralized. There is no longer the need to sift. Even non-IT folks get this.

Even though they have gigs of information, making a change now will benefit them long-term in time and effort *ESPECIALLY* because they are non-IT. In cases where there is a large amount of data, the solution is a 1-2-3 (as easy as) solution.

1) Create the share. Educate the users how to use it.

2) All *new* documents, notes, projects, that need to be shared get saved to the share. This is very easy if you've completed step 1 and the adjustment for users is painless and they usually appreciate the immediate benefits of better organization and collaboration. Mind you, you haven't touched old data yet so there is literally no downside except the shallow learning curve.

3) Instruct users to move existing data from "my documents" or various folders on their desktops (we all know they use their desktops as repositories, don't we?) to the shared folder on an "as needed" basis. In other words, Bob needs Cheryl's notes on project A-5 from three weeks ago. He emails Cheryl, and she moves the notes from her "My docs" to the shared folder. Takes all of about 30 seconds. So they aren't spending hours "sifting" data. They are doing it in increments so small that it doesn't even seem like an inconvenience.

By following that simple plan, and helping users follow it, their shared documents grow organically, not artificially forced, and they acclimate to using the system as it was designed to be used. It also allows for future growth and feature additions as they desire them instead of trying to wedge fixes in places where they were never expected to go.

I've had a great deal of success and this is a very common scenario, so you aren't alone. Take the time, set things up right, and you'll save them (and yourself) a lot of headaches relatively quickly.

That is my .02 cents.

-Cliff

0

Larry Struckmeyer MVP Commented:
Agreeing with Cliff. I have many customers that don't use My Documents or Documents or any variation, instead filing things in the way Cliff has described. And this works best if the top level share describes the security for all the files and folders below. If you need distinct share permissions, say for the engineers, the accountants, and the shipping department, create security groups, add the appropriate users to the security groups, then make the shares, set the permissions for the groups, not the individuals.

This is one of the primary benefits of a true server.  Using the Documents way is nearly as bad as staying in a workgroup.
0
dataflownetworks (Author) Commented:
Very well put and that is the approach I will take.  Funny, this was technical at first and has now become a training for both myself and my clients.  Thanks again for everyone's help.

Mike
0