Administrator access to redirected folders

I know this has been asked before on EE (and elsewhere!) but I can't seem to find a straight answer on this.

In Server 2008, when setting up redirected folders, the default settings work fine for the server to automatically create user folders on first login. Likewise, users can't browse into other users' folders. But neither can a domain administrator (access denied). I'm working off of the TechNet article at http://technet.microsoft.com/en-us/library/cc757013

I've seen quite a few articles on this, but I haven't found a way to keep everything just like that, but give administrators access to all of the folders.

Adding administrators to have full access on the parent folder doesn't fix the problem, because the individual user folders don't inherit permissions, and access is limited to the target user.
Un-checking the "Grant user exclusive rights ..." checkbox allows the administrator in, but then all other users have access to each others' folders, which isn't desirable.
The GPO setting "Add Administrators group to roaming user profiles ..." doesn't appear to have any effect, even when I apply it using Default Domain Policy.

Here's my current setup:

Server 2008 R2, Windows 7 Pro client

Share-level permissions for parent folder (\\servername\User Redirected Folders$)
Administrators: Full Control
Affected users group: Full Control

NTFS permissions for parent folder (\\servername\User Redirected Folders$)
CREATOR OWNER: Full Control, Subfolders and files only
Administrators: Full Control, This folder, subfolders, and files
Affected users group: List Folder/Read Data, Create Folders/Append Data, This folder only
SYSTEM: Full Control, This folder, subfolders, and files

User folders are redirected to \\servername\User Redirected Folders$\username\foldername

I've built many of the systems before and I've always left the administrator without access, but I really would like to set this one up the right way and do it in the future. Can someone please help with a final answer on how to configure this enviroment?
milhouse537Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Hypercat (Deb)Connect With a Mentor Commented:
I have never found an automated way to deal with this problem.  What I do is leave the checkbox for "Grant user exclusive rights" UNchecked when creating the top-level folder.  Then I immediately go to the top-level folder that has just been created and edit the security settings to remove any other user groups and add the individual user with full rights, and also give that user ownership of the folder(s). There's no problem with inheritance, since the folder is still empty at this point. After that, anything added to the folder as the user works will inherit those top-level rights.

This is a lot of work, although you can automate it with a script, but again despite many years of experience I've never been able to find any other way to do it.
0
 
milhouse537Author Commented:
Just wanted to clarify that I have the "Grant user exclusive ... " checkbox turned on, and the "Add Administrators to roaming profile ..." GPO also enabled. And rsop shows that it's being applied properly to the computer.

Currently, the folder \\servername\User Redirected Folders$\username has the administrator added with Full Control rights, but the folder \\servername\User Redirected Folders$\username\My Documents shows access denied when I try to go in as administrator.
0
 
milhouse537Author Commented:
Thanks hypercat, that's a fair answer (if a bit disappointing, of course). I'm just going to leave this question open a bit more to see if anybody else has found a way.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.