infedonetwork

Add permissions to folder redirection my documents

Hi Guys

I have a group policy that redirects "My Documents" and the Desktop folder to the server for about 40 PCs at one location, and this scenario repeats very often for other domains that I manage.
As you know, the My Documents and Desktop folders have permissions assigned only to the user that owns the folder, and no Domain Admins have access.
My problem is that I'm using cloud backup software like Livedrive to back up data on the server, including the users' personal folders. The Livedrive service runs under the administrator account, but since the administrator does not have access to the My Documents folder, nothing gets backed up in those folders. My workaround is to take ownership of each folder, add Domain Admins under Security, then give the ownership back to the user.
If it is just a few users it is no big deal, but when you have 40 users and you multiply by 2 folders each, there are a lot of permissions to be assigned manually.
I was wondering if there is a command script that can be run either as a logon script that will assign the domain admin rights to those folders and subfolders without taking the user out of the permission list.
Thank you
Don

You need to clear the "Grant user exclusive rights to My Documents" box.

Enabling the administrator to have access to redirected folders

http://support.microsoft.com/kb/288991
infedonetwork

ASKER

This does not work because under the users folder you have the following:
\\server\users\john. Up to here Domain Admins has access, but when you go to \desktop or \favorites or \my Documents only the user and system have access, so no matter what permission I try to modify at the user folder level it will not propagate up to the Desktop or My Documents level. I will just get an access denied.
I also forgot to mention that when I looked at the Security and Advanced tab of the users folder, all I see is what's below, and I do not have the option "Allow inheritable permissions from parent to propagate to this object". If I take the check mark off "Include inheritable permissions..." and choose Remove, then I will get access denied when it comes to applying to the Desktop and My Documents folders.

Each folder has the setting to "Grant user exclusive rights.."  ...uncheck that box

Not sure if I properly explained my goal.
I have a server running Windows 2011 SBS and it has a folder called shared\users.
The GPO redirects all Desktops and My Documents under the users folder.
As an example, for Tom I have \\server\shared\users\tom\desktop and My Documents.
Everyone has Read, List and Execute, and Domain Admins has Full Control, up to the Tom folder.
At the Desktop and My Documents level only Tom and system have full rights.
To be able to back up the Desktop and My Documents to the cloud, the user under which Livedrive runs needs access to those two folders.
What I did until now is: Properties of the Desktop folder, Security, Advanced, Owner, then take ownership of the folder. Then add Domain Admins and Tom with full control, then make Tom the owner. I have to do the same for the My Documents and Favorites folders.
So 3 folders times 40 users or more is at least 120 folders to modify one by one.
The goal is to assign permission to the Domain Admins with one script for everyone.
What you all suggest, I believe, still requires going to each folder, or logging on as the users and going to the properties of each folder.
I already took the "Grant the user exclusive permission" setting off in the GPO, but I still have Tom and system, and if I try to remove the propagation at the root folder \\server\users it will not be applied to any of the My Documents folders because the administrator has no permission to make any changes to those folders.
The only way I see is to take ownership of the users folder and all subfolders, then add the Domain Admins, but I will not have Tom in there, so I will be back to ground zero where I have to go to each folder, add each user to their own folder and make them owners again.
Did you not read the article I posted at all?

The script

"Sets full access for the user and administrators on the specified redirected folder root"

When you try to remove propagation on the root, select "Copy"

These may help you as well

http://technet.microsoft.com/en-us/library/dd440852%28v=ws.10%29.aspx

Especially this one


Reset Roaming Profile and Folder Redirection Permissions
http://www.mcbsys.com/techblog/2010/10/reset-roaming-profile-and-folder-redirection-permissions/
The script will work if I find out the SID for each user and enter it each time I run the script.
This will not save much time. Please correct me if I'm wrong.
:: User SID
if "%~2"=="" (
    echo Please specify the user SID as the second parameter!
    exit /b 1
)
set UserSid=%~2
set UserSid=%UserSid:"=%
if not exist "%~dp0\SetACL.exe" (
    echo SetACL not found!
    exit /b 1
)

The goal is to give Domain Admins permission to folders that they do not have.
One way I can think of is to write a script that will run as the logon script, so when the user logs on it will run the script under his name, since he's the only one that has full control of the folder, and add the Domain Admins group to his own folder.
I will do some research on this type of script.
I also read the other articles, but I do not want to change the folder redirection location just for that, and the second article, with enabling Administrators group access to the roaming profile from the GPO, would be the perfect solution if I used roaming profiles, but unfortunately I don't, and I don't think that will work for folder redirection.
I've requested that this question be closed as follows:

Accepted answer: 0 points for infedonetwork's comment #a39735133

for the following reason:

The only solution that works for all users at the same time
I at the minimum led you in the right direction and to icacls; credit is deserved there.
Hi
I added your answer as a partial solution, but that did not help with the goal of assigning administrator full access to the users' Documents with one single script for all users at the same time. But your script will get the same results if there is a way to extract each user's SID in the form of a variable. Without that I need to enter it one by one, and that does not fix my problem of assigning permissions to multiple folders at once without having to manipulate each folder or script individually.
Thank you all for your help.
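
Added example, not part of the original thread and not the hidden accepted solution: a PowerShell loop that derives each user's SID from the folder name, so the take-ownership / grant / return-ownership steps described above run once for every user. It assumes each folder under the root is named after the user's logon name, that the script runs elevated on the file server, and that the root path, group and subfolder names are the ones mentioned in the thread; all parameter names are hypothetical.

```powershell
# Added example (assumptions: folder name == user logon name; run elevated).
param(
    [string]$Root         = '\\server\shared\users',   # path used in the thread
    [string]$Domain       = $env:USERDOMAIN,
    [string]$AdminGroup   = 'Domain Admins',
    [string[]]$SubFolders = @('Desktop', 'My Documents', 'Favorites')
)

# Where-Object filter instead of -Directory so this also works on PowerShell 2.0.
$userDirs = Get-ChildItem -LiteralPath $Root | Where-Object { $_.PSIsContainer }

foreach ($userDir in $userDirs) {
    # Resolve folder name -> SID; skip folders that do not map to an account.
    try {
        $account = New-Object System.Security.Principal.NTAccount($Domain, $userDir.Name)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "No account found for '$($userDir.Name)', skipped"
        continue
    }

    foreach ($name in $SubFolders) {
        $path = Join-Path $userDir.FullName $name
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # 1. Give ownership to the Administrators group so the ACL can be edited.
        #    (/D Y answers the "no list permission" prompt; Y is the English answer.)
        takeown.exe /F $path /R /A /D Y | Out-Null

        # 2. Add (not replace) inheritable Full Control for the admin group and
        #    for the user, so the user stays in the permission list.
        icacls.exe $path /grant "${Domain}\${AdminGroup}:(OI)(CI)F" "*${sid}:(OI)(CI)F" /T /C /Q | Out-Null

        # 3. Hand ownership back to the user.
        icacls.exe $path /setowner "*$sid" /T /C /Q | Out-Null

        # $LASTEXITCODE reflects only the last native command (the /setowner step).
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Returning ownership failed on $path"
        } else {
            Write-Output "Updated $path (owner $sid)"
        }
    }
}
```

Point `-Root` at a copy containing one test user first. `icacls <path> /save <file> /T` records the existing ACLs before anything is changed.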