Solved

Administrator access to redirected folders

Posted on 2014-01-22
Last Modified: 2014-01-24
I know this has been asked before on EE (and elsewhere!) but I can't seem to find a straight answer on this.

In Server 2008, when setting up redirected folders, the default settings work fine for the server to automatically create user folders on first login. Likewise, users can't browse into other users' folders. But neither can a domain administrator (access denied). I'm working off of the TechNet article at http://technet.microsoft.com/en-us/library/cc757013

I've seen quite a few articles on this, but I haven't found a way to keep everything just like that, but give administrators access to all of the folders.

  • Adding administrators to have full access on the parent folder doesn't fix the problem, because the individual user folders don't inherit permissions, and access is limited to the target user.
  • Un-checking the "Grant user exclusive rights ..." checkbox allows the administrator in, but then all other users have access to each others' folders, which isn't desirable.
  • The GPO setting "Add Administrators group to roaming user profiles ..." doesn't appear to have any effect, even when I apply it using Default Domain Policy.

Here's my current setup:

Server 2008 R2, Windows 7 Pro client

Share-level permissions for parent folder (\\servername\User Redirected Folders$)
Administrators: Full Control
Affected users group: Full Control

NTFS permissions for parent folder (\\servername\User Redirected Folders$)
CREATOR OWNER: Full Control, Subfolders and files only
Administrators: Full Control, This folder, subfolders, and files
Affected users group: List Folder/Read Data, Create Folders/Append Data, This folder only
SYSTEM: Full Control, This folder, subfolders, and files

User folders are redirected to \\servername\User Redirected Folders$\username\foldername

I've built many of the systems before and I've always left the administrator without access, but I really would like to set this one up the right way and do it in the future. Can someone please help with a final answer on how to configure this environment?
Question by:milhouse537
Author Comment

by:milhouse537
ID: 39801953
Just wanted to clarify that I have the "Grant user exclusive ... " checkbox turned on, and the "Add Administrators to roaming profile ..." GPO also enabled. And rsop shows that it's being applied properly to the computer.

Currently, the folder \\servername\User Redirected Folders$\username has the administrator added with Full Control rights, but the folder \\servername\User Redirected Folders$\username\My Documents shows access denied when I try to go in as administrator.
Accepted Solution

by:
Hypercat (Deb) earned 500 total points
ID: 39804871
I have never found an automated way to deal with this problem.  What I do is leave the checkbox for "Grant user exclusive rights" UNchecked when creating the top-level folder.  Then I immediately go to the top-level folder that has just been created and edit the security settings to remove any other user groups and add the individual user with full rights, and also give that user ownership of the folder(s). There's no problem with inheritance, since the folder is still empty at this point. After that, anything added to the folder as the user works will inherit those top-level rights.

This is a lot of work, although you can automate it with a script, but again despite many years of experience I've never been able to find any other way to do it.
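
One way to script the manual steps described in the answer above, as an added example that is not part of the original post or any poster's own script. It assumes each folder under the redirection root is named after the user's logon name (as in `\\servername\User Redirected Folders$\username`), that it runs elevated on the file server, and that the folders are still empty; the parameter names `-Root` and `-Domain` and the helper `Invoke-Icacls` are hypothetical.

```powershell
# Added example: give each per-user folder exactly three Full Control entries
# (the user, Administrators, SYSTEM) and make the user the owner.
# Assumption: folder name = user logon name. Parameter names are hypothetical.
param(
    [Parameter(Mandatory = $true)][string]$Root,    # path to the redirection root
    [Parameter(Mandatory = $true)][string]$Domain   # NetBIOS domain name
)

$adminSid  = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$systemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM (well-known SID)
$sidType   = [System.Security.Principal.SecurityIdentifier]

function Invoke-Icacls([string[]]$IcaclsArgs) {
    # Run icacls.exe and stop the script on a non-zero exit code.
    & icacls.exe $IcaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE): $IcaclsArgs" }
}

Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $name = $_.Name
    $path = $_.FullName

    # Resolve the folder name to a domain account; skip folders with no match.
    $account = New-Object System.Security.Principal.NTAccount($Domain, $name)
    try   { $userSid = $account.Translate($sidType).Value }
    catch { Write-Warning "No account for '$name', skipping $path"; return }
    $keep = @($userSid, $adminSid, $systemSid)

    # 1. Add explicit Full Control entries that subfolders and files inherit.
    #    Done before inheritance is cut so the folder never has an empty ACL.
    foreach ($sid in $keep) {
        Invoke-Icacls $path, '/grant:r', "*${sid}:(OI)(CI)F"
    }

    # 2. Stop inheriting from the parent and drop the inherited entries.
    Invoke-Icacls $path, '/inheritance:r'

    # 3. Remove any remaining explicit entry that is not one of the three.
    foreach ($rule in (Get-Acl -Path $path).Access) {
        $sid = $rule.IdentityReference.Translate($sidType).Value
        if ($keep -notcontains $sid) { Invoke-Icacls $path, '/remove', "*$sid" }
    }

    # 4. Make the user the owner of the folder.
    Invoke-Icacls $path, '/setowner', "$Domain\$name"
}
```

Running `icacls` against one processed folder afterwards shows whether only the three intended entries remain and who the owner is.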

Author Comment

by:milhouse537
ID: 39804901
Thanks hypercat, that's a fair answer (if a bit disappointing, of course). I'm just going to leave this question open a bit more to see if anybody else has found a way.