Access to users folders in Active Directory

What is the best way to provide the system administrator (domain administrator) with access to all user files without taking over ownership so that it is easy to restore, provide maintenance or verify data is ok with each user's redirected folders? For example, \\server\users$\jsmith. This folder may contain desktop, document and favorite folders.
tucktech Asked:

Michael Machie, Full-time technical multi-tasker, Commented:
Easy..

In your example, you would add yourself, or your departmental AD Group, to the root share (users$) Permissions and also the Security list and grant Full Control. Repeat for all shares.

If you cannot do this under your login, then either log into the file server as a local or Domain admin and set your AD account as Full Control under Permissions and under Security.

Repeat for all shares you want to have control over.
0
Lee W, MVP, Technology and Business Process Advisor, Commented:
If you're using folder redirection in a group policy, make sure you uncheck the box that gives the user exclusive access to the folder and then you should be fine, if memory serves.
0
Lee W, MVP, Technology and Business Process Advisor, Commented:
Fine on new users, existing ones will still need you to adjust permissions either manually or through a script that will likely involve taking ownership.
0
McKnife Commented:
Normally, the administrators group would have access. But because of UAC, the Administrator token is stripped from you and you have to elevate to access that directory. Since Explorer.exe may not elevate, Windows will resort to changing the ACL, as simple as that. So you have an argument for turning off UAC on file servers for maintenance tasks. However, if the admin does not sit at the server but at his workstation and remote UAC is disabled, he will be able to access the directories via \\server\d$ for example without changing the ACL.

My advice: leave UAC on but for such tasks, don't use Explorer. Use Total Commander or the like and run it elevated. That way, you won't need to take ownership if the shares have been set up thoroughly in the first place.
0

Premkumar Yogeswaran, Analyst II - System Administrator, Commented:
Adding permission to the root folder or ownership might mess up the existing permission settings.

Use the subinacl command to add local Administrators to folders, subfolders and files.

Log in to the server and execute the command in CMD (change the path):

subinacl /subdirectories E:\Users\*.* /grant=administrators=f >> c:\subinacl.txt

This will add Administrators to all folders and subfolders in the Users folder. Change the path as per your requirement.
0
McKnife Commented:
Premkumar, did you read my comment? With UAC on, this will not make it any better.
0
Premkumar Yogeswaran, Analyst II - System Administrator, Commented:
McKnife,

Domain Admins will be part of the Administrators group on servers.

For user profiles, the folder doesn't have the Administrators group added. So they won't have access.
This is not for all scenarios. In my organisation, the Administrators group will not be part of the user's profile folder ACL.

For this we will run the above command to get access to the profile folder. This command used to help us...

I believe the requestor is facing the same scenario.
0
McKnife Commented:
You still didn't get my point. Being part of administrators will NOT have any effect even if administrators is now in that ACL if the UAC is on, because the token is stripped of your user object. This is what the whole problem is about and what I explained in detail, please feel free to read it :)
0
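
The two conditions argued over above (whether the session holds an elevated administrator token, and whether BUILTIN\Administrators actually has a Full Control entry on each user folder) can be checked read-only before any ACL is changed. This is an added example, not code from any participant in the thread; the root path E:\Users is taken from the command quoted above and the report column names are made up for illustration.

```powershell
# Added example: read-only audit. It changes no ACLs and takes no ownership.
# Assumption: redirected folders live under E:\Users (path quoted in the thread).
param([string]$Root = 'E:\Users')

# With UAC on, a non-elevated admin session carries a filtered token and
# IsInRole() returns False even though the account is in Administrators.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "User: $($identity.Name)   Elevated token: $elevated"

# Well-known SID of BUILTIN\Administrators (independent of OS language).
$adminSid    = 'S-1-5-32-544'
$fullControl = [Security.AccessControl.FileSystemRights]::FullControl

$report = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    try {
        $acl   = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        # Explicit and inherited entries, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true,
                     [Security.Principal.SecurityIdentifier])
        $hit = $rules | Where-Object {
            $_.IdentityReference.Value -eq $adminSid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $fullControl) -eq $fullControl
        }
        [pscustomobject]@{
            Folder            = $dir.Name
            Owner             = $acl.Owner
            AdminsFullControl = [bool]$hit
            AclReadable       = $true
        }
    } catch {
        # Typical for folders created with exclusive user rights, or when
        # the script runs without elevation: the ACL cannot even be read.
        [pscustomobject]@{
            Folder            = $dir.Name
            Owner             = '(unknown)'
            AdminsFullControl = $false
            AclReadable       = $false
        }
    }
}

# Folders needing attention sort first (False before True).
$report | Sort-Object AdminsFullControl, Folder | Format-Table -AutoSize
```

Run it once from a normal prompt and once from an elevated one: rows that flip from unreadable to readable were blocked by the filtered token, while rows that stay False have no Administrators entry on the top-level folder (subfolders are not inspected).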
tucktech, Author, Commented:
Hello McKnife, can you point me to a URL for Total Commander? Never used it before...
0
McKnife Commented:
0
tucktech, Author, Commented:
This is the best solution for my environment. Thank you.
0