Solved

Administrator access to redirected folders

Posted on 2014-01-22
Last Modified: 2014-01-24
I know this has been asked before on EE (and elsewhere!) but I can't seem to find a straight answer on this.

In Server 2008, when setting up redirected folders, the default settings work fine for the server to automatically create user folders on first login. Likewise, users can't browse into other users' folders. But neither can a domain administrator (access denied). I'm working off of the TechNet article at http://technet.microsoft.com/en-us/library/cc757013

I've seen quite a few articles on this, but I haven't found a way to keep everything just like that, but give administrators access to all of the folders.

Adding administrators to have full access on the parent folder doesn't fix the problem, because the individual user folders don't inherit permissions, and access is limited to the target user.
Un-checking the "Grant user exclusive rights ..." checkbox allows the administrator in, but then all other users have access to each others' folders, which isn't desirable.
The GPO setting "Add Administrators group to roaming user profiles ..." doesn't appear to have any effect, even when I apply it using Default Domain Policy.

Here's my current setup:

Server 2008 R2, Windows 7 Pro client

Share-level permissions for parent folder (\\servername\User Redirected Folders$)
Administrators: Full Control
Affected users group: Full Control

NTFS permissions for parent folder (\\servername\User Redirected Folders$)
CREATOR OWNER: Full Control, Subfolders and files only
Administrators: Full Control, This folder, subfolders, and files
Affected users group: List Folder/Read Data, Create Folders/Append Data, This folder only
SYSTEM: Full Control, This folder, subfolders, and files

User folders are redirected to \\servername\User Redirected Folders$\username\foldername

I've built many of the systems before and I've always left the administrator without access, but I really would like to set this one up the right way and do it in the future. Can someone please help with a final answer on how to configure this environment?
Question by:milhouse537

Author Comment

by:milhouse537
Just wanted to clarify that I have the "Grant user exclusive ... " checkbox turned on, and the "Add Administrators to roaming profile ..." GPO also enabled. And rsop shows that it's being applied properly to the computer.

Currently, the folder \\servername\User Redirected Folders$\username has the administrator added with Full Control rights, but the folder \\servername\User Redirected Folders$\username\My Documents shows access denied when I try to go in as administrator.
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 500 total points
I have never found an automated way to deal with this problem. What I do is leave the checkbox for "Grant user exclusive rights" UNchecked when creating the top-level folder. Then I immediately go to the top-level folder that has just been created and edit the security settings to remove any other user groups and add the individual user with full rights, and also give that user ownership of the folder(s). There's no problem with inheritance, since the folder is still empty at this point. After that, anything added to the folder as the user works will inherit those top-level rights.

This is a lot of work, although you can automate it with a script, but again despite many years of experience I've never been able to find any other way to do it.
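One way to script the manual steps from the accepted answer, as an added example that is not part of the original thread. It assumes each folder directly under the root is named after the user's logon name, that it runs in an elevated session on the file server, and that `$Root` and `$Domain` (placeholders) are replaced with real values.

```powershell
# Added example, not from the thread. Resets each per-user redirected folder so that
# only the user, BUILTIN\Administrators and SYSTEM have access, and the user owns it.
param(
    [string]$Root   = 'D:\User Redirected Folders',  # placeholder: local path behind the share
    [string]$Domain = 'EXAMPLE',                     # placeholder: NetBIOS domain name
    [switch]$Apply                                   # without -Apply the script only reports
)

foreach ($dir in Get-ChildItem -LiteralPath $Root | Where-Object { $_.PSIsContainer }) {
    $account = "$Domain\$($dir.Name)"

    # Skip folders whose name does not resolve to an account instead of guessing an owner.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($account)
        $null = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account '$account' for '$($dir.FullName)'; skipped."
        continue
    }

    if (-not $Apply) {
        Write-Output "Would reset ACL and owner on '$($dir.FullName)' for $account"
        continue
    }

    # Drop ACEs inherited from the parent, then grant Full Control (inherited by
    # subfolders and files) to the user, Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
    & icacls.exe $dir.FullName /inheritance:r /grant:r `
        "${account}:(OI)(CI)F" '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' /Q
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ACL update failed on '$($dir.FullName)'; owner left unchanged."
        continue
    }

    # Give the user ownership of the folder and anything already inside it.
    & icacls.exe $dir.FullName /setowner $account /T /C /Q
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Owner change failed on '$($dir.FullName)'."
    }
}
```

Run it once without `-Apply` to review which folders would be changed, then confirm the result on one folder with `icacls <folder>` before applying it to the rest.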
 

Author Comment

by:milhouse537
Thanks hypercat, that's a fair answer (if a bit disappointing, of course). I'm just going to leave this question open a bit more to see if anybody else has found a way.