Solved

User Home folder security is whacked. How do I regen appropriate security

Posted on 2014-10-21
Last Modified: 2014-11-03
I just moved a user's home folder into a new share on a new server. Because of the massive load of files it would have transferred from the old server to the new server, I moved them all to a temporary folder before changing his group GPO for home folders. Logged him out. Logged him in. Folder was created. Copied his "my documents" folder(s) into his new home folder area. A few files/folders had security issues so, yep, I fiddled.
How do I set his security on home folders back to what they would be if the user's folders were just recreated?
0
Question by:davebird
7 Comments
 
LVL 10

Expert Comment

by:Tim Edwards
ID: 40395118
Were you able to copy all the files and folders over into his new Home folder?

If so, once they are there, go to the top level of his home folder, right click and go to Security. Click on Advanced.

Check off "Replace permissions on all child objects with entries shown here that apply to child objects" and click Apply.

This will populate the top level permission all the way down the files and folders.

Here is a link about NTFS permissions and what they affect:

http://www.ntfs.com/ntfs-permissions-file-advanced.htm
0
 

Author Comment

by:davebird
ID: 40395480
It didn't change permissions on any of the folders I copied into his home "my documents" area. User has access to \\share\homefolder$\<user>, but anything migrated/copied, i.e., desktop and my documents files, no access. Security shows "special" permissions, but no access.
If I create a new folder in My documents, user has access and create/delete controls.  
Did I miss something on how to get the security on the folders and files I copied INTO his home folder to regen? I tried from the <user> folder and regenerated AND to the My documents folder and regenerated. No love.
0
 
LVL 10

Expert Comment

by:Tim Edwards
ID: 40395498
Can you verify the permissions on the user's folder, then compare them to the desktop, my documents, etc.

As well, on the my documents folder, go to Advanced and verify that inheriting from the top level is checked.
0
LVL 1

Expert Comment

by:ViruScan
ID: 40396128
You need to either become the owner of root folder <user>X and all subdirectories (\\share\homefolder$\<user>): right click on root folder - Properties - Security - Advanced - Owner - Edit - select your name or admin name (if you're an admin), and apply.

Once set, then you just add him to the permissions with either FULL or MOD permissions.
0
 

Accepted Solution

by:
davebird earned 0 total points
ID: 40400088
Thank you for your responses.  Here's what I have learned by trial/error.

Steps I took.
- I took ownership control of the user’s home folder on the old server, and put him back on with full rights so he could still work. This was necessary because in the olden days when redirection folders were created, administrator(s) was NOT allowed access to home folders.
  o Once I had access, I moved all of the “my documents” folders and files OUT of that folder, leaving just an empty my documents folder. I had to do this because:
    - IF I left the files in there, when they moved to the new server, they retained their OLD folder security and Administrator was still not allowed access to the new home folder even though in the new folder redirection security the administrator does have rights. Don’t know why, it just is the way it is.
    - He had nearly 15 gigs of files (yes, I’m helping him understand this is a bad thing) and logging in the first time after you move to a new redirected home folder takes about 25-60 minutes with a clean profile. That would have taken all day.
  o I then put the user in the new GPO and logged the user in. After the necessary slow login for the first time, everything is working as designed in the new redirection folders. Anything created new as that user is created normally and with proper access rights. (yea so far).
  o If I copy the data back into his home folder from the holding area as an administrator, the security is foobar. Security for that user is NOT recreated and the user does NOT have access to the files and folders. (This is where I started fiddling and originated this question.)
  o Ergo, I deleted all his folders (again) and this time, I logged in as the user, copied the files from the holding folder into the home folder and security then applied properly.
- If there is/was another way to do this, I’m eager to learn.
- I had two open tickets and talked with three, supposedly, levels of support at Microsoft and they had no answers. They didn’t recommend moving the folders through the check box on the redirection setup check boxes in GPO nor did they recommend returning the files to the local machine check box, taking users out of GPO and then reassigning to new GPO. Thus my moving files out before changing their GPO assignment. I don’t know why they said these things but I didn’t argue.

In the end all is working.
- Take ownership.
- Copy files out to holding area.
- Give user full control security to holding folder.
- Move user to new GPO.
- Update GPO.
- Login user and wait...
- Move/copy files back to redirected folders.
- Done.

Again, thanks for all your help and suggestions.
0
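
A scripted form of the GUI steps suggested in the comments above (take ownership, replace child permissions with inherited ones, give the user Modify), added here as an example and not part of any post in this thread. `Reset-HomeFolderAcl` and the sample account are hypothetical names; `takeown.exe`, `icacls.exe` and `Get-Acl` are the standard Windows tools, run from an elevated prompt on the file server.

```powershell
# Added example, not code from the thread. Function name and sample values are hypothetical.
function Reset-HomeFolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,     # e.g. \\share\homefolder$\<user>
        [Parameter(Mandatory)] [string] $Account   # e.g. CONTOSO\jdoe (constructed sample)
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Home folder not found: $Path"
    }
    if ($PSCmdlet.ShouldProcess($Path, "Reset NTFS permissions for $Account")) {
        # 1. Administrators group takes ownership of the whole tree so the ACLs
        #    can be edited (/D Y answers the prompt; the letter is locale-dependent).
        takeown.exe /F $Path /R /A /D Y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "takeown reported errors" }

        # 2. Grant the user Modify on the root, inheritable by subfolders (CI)
        #    and files (OI). Use F instead of M for Full control.
        icacls.exe $Path /grant "${Account}:(OI)(CI)M" | Out-Null

        # 3. Everything below the root: drop explicit ACEs and re-enable inheritance,
        #    the command-line counterpart of "Replace permissions on all child objects".
        icacls.exe "$Path\*" /reset /T /C | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls /reset reported errors" }

        # 4. Hand ownership of the tree back to the user.
        icacls.exe $Path /setowner $Account /T /C | Out-Null
    }

    # 5. Audit: list any child that still blocks inheritance or carries explicit
    #    ACEs, i.e. the items that would show "special" permissions but no access.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl      = Get-Acl -LiteralPath $_.FullName
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
            if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
                [pscustomobject]@{
                    Path               = $_.FullName
                    InheritanceBlocked = $acl.AreAccessRulesProtected
                    ExplicitRules      = $explicit.Count
                    Owner              = $acl.Owner
                }
            }
        }
}

# Dry run first: Reset-HomeFolderAcl -Path '\\share\homefolder$\jdoe' -Account 'CONTOSO\jdoe' -WhatIf
```

An empty result from the audit step means every file and folder under the root is now governed only by the permissions inherited from the home folder itself.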
 
LVL 10

Expert Comment

by:Tim Edwards
ID: 40400100
Glad you were able to figure it out
0
 

Author Closing Comment

by:davebird
ID: 40419021
Not the best solution but it worked.
0
