• Status: Solved

Access to users' folders in Active Directory

What is the best way to provide the system administrator (domain administrator) with access to all user files without taking over ownership, so that it is easy to restore, provide maintenance or verify data is OK with each user's redirected folders? For example, \\server\users$\jsmith. This folder may contain desktop, document and favorite folders.
tucktech
Asked:
 
Michael Machie (Full-time technical multi-tasker) Commented:
Easy..

In your example, you would add yourself, or your departmental AD Group, to the root share (users$) Permissions and also the Security list and grant Full Control. Repeat for all shares.

If you cannot do this under your login, then either log into the file server as a local or Domain admin and set your AD account as Full Control under Permissions and under Security.

Repeat for all shares you want to have control over.
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
If you're using folder redirection in a group policy, make sure you uncheck the box that gives the user exclusive access to the folder and then you should be fine, if memory serves.
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
Fine on new users, existing ones will still need you to adjust permissions either manually or through a script that will likely involve taking ownership.
 
McKnife Commented:
Normally, the administrators group would have access. But because of UAC, the Administrator token is stripped from you and you have to elevate to access that directory. Since Explorer.exe may not elevate, Windows will resort to changing the ACL, as simple as that. So you have an argument for turning off UAC on file servers for maintenance tasks. However, if the admin does not sit at the server but at his workstation and remote UAC is disabled, he will be able to access the directories via \\server\d$ for example without changing the ACL.

My advice: leave UAC on but for such tasks, don't use Explorer. Use Total Commander or the like and run it elevated. That way, you won't need to take ownership if the shares have been set up thoroughly in the first place.
 
Premkumar Yogeswaran Commented:
Adding permission to root folder or ownership might mess up the existing permission settings.

Use the subinacl command to add local Administrators to folders, subfolders and files.

Log in to the server and execute the command in CMD (change the path):

subinacl /subdirectories E:\Users\*.* /grant=administrators=f >> c:\subinacl.txt

This will add Administrators in all folders and subfolders in the Users folder. Change the path as per your requirement.
 
McKnife Commented:
Premkumar, did you read my comment? With UAC on, this will not make it any better.
 
Premkumar Yogeswaran Commented:
McKnife,

Domain Admins will be part of the Administrators group on servers.

For user profiles, the folder doesn't have the Administrators group added. So they won't have access.
This is not for all scenarios. In my organisation the Administrators group will not be part of the user's profile folder ACL.

For this we will run the above command to get access to the profile folder. This command used to help us...

I believe the requestor is facing the same scenario.
 
McKnife Commented:
You still didn't get my point. Being part of administrators will NOT have any effect even if administrators is now in that ACL if the UAC is on, because the token is stripped of your user object. This is what the whole problem is about and what I explained in detail, please feel free to read it :)
 
tucktech (Author) Commented:
Hello McKnife, can you point me to a URL for Total Commander? Never used it before...
 
McKnife Commented:
 
tucktech (Author) Commented:
This is the best solution for my environment.  Thank you
0
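
A read-only check that ties together the two points argued in the thread: it first tests whether the current token is actually elevated (a UAC-filtered token is denied even when Administrators is in the ACL), then reports the owner of each user folder and whether BUILTIN\Administrators holds Full Control. This is an added example, not code from any poster in the thread; the root path E:\Users is taken from the subinacl command above, and the function names Test-ElevatedToken and Get-UserFolderAclReport are hypothetical.

```powershell
# Added example: read-only ACL audit of redirected user folders.
# Assumptions: root path E:\Users (from the thread's subinacl command);
# function names are hypothetical. Nothing here changes ACLs or ownership.

function Test-ElevatedToken {
    # Returns $false when UAC has filtered the Administrators group out of the token.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UserFolderAclReport {
    param([Parameter(Mandatory)][string]$Root)

    # Well-known SID of BUILTIN\Administrators; independent of OS language.
    $adminSid = 'S-1-5-32-544'
    $full     = [Security.AccessControl.FileSystemRights]::FullControl

    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Force) {
        try {
            $acl   = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            # Explicit and inherited ACEs, with identities returned as SIDs.
            $rules = $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
            $adminFull = $false
            foreach ($r in $rules) {
                if ($r.IdentityReference.Value -eq $adminSid -and
                    $r.AccessControlType -eq 'Allow' -and
                    ($r.FileSystemRights -band $full) -eq $full) { $adminFull = $true }
            }
            [pscustomobject]@{ Folder = $dir.Name; Owner = $acl.Owner
                               AdminsFullControl = $adminFull; Error = $null }
        } catch {
            # The ACL could not be read at all: record the reason instead of stopping.
            [pscustomobject]@{ Folder = $dir.Name; Owner = $null
                               AdminsFullControl = $false; Error = $_.Exception.Message }
        }
    }
}

if (-not (Test-ElevatedToken)) {
    Write-Warning 'Token is not elevated: access may be denied even where Administrators is in the ACL.'
}
# List only the folders an administrator could not maintain without an ACL change.
Get-UserFolderAclReport -Root 'E:\Users' |
    Where-Object { -not $_.AdminsFullControl } |
    Format-Table -AutoSize
```

Folders listed with an Error value could not be read by the current token at all; folders listed without one are readable but lack a Full Control entry for Administrators.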
