My Documents Redirection Administrator Access

I am looking for a way to grant Domain Admins access to users' My Documents folders that have been redirected by GPO.

I know that the "Grant User Exclusive Rights" setting will lock all other users, including admins, out of the share.

However, if I disable the "Grant User Exclusive Rights" setting then, while admins do have access, other users can also see other users' redirected My Documents just by changing the UNC path.

With that said, how do I prevent other users from accessing other users' My Documents while also allowing Domain Admins access to the folders?

Thanks.
arkhaminmate11n asked:

arkhaminmate11n (Author) commented:
Thanks.  But I am still not clear what settings are needed to prevent other users from browsing other users' shares by UNC path.  I do understand that for Admins to have access the "Grant Users Exclusive Rights" needs to be unchecked.  So the problem is really two-fold.  One, for Admins to have access, you have to uncheck "Grant Users Exclusive Rights."  Two, after unchecking "Grant Users Exclusive Rights," users can browse other users' My Documents shares by UNC path.  It is part two that I am not sure how to prevent.  Ideas?
kola12 commented:
If you have a problem setting this by GPO, try setting the rights for admins by ACL on NTFS.
When you combine the GPO with the ACL on NTFS it will work :)

arkhaminmate11n (Author) commented:
What are the NTFS settings needed then?
arkhaminmate11n (Author) commented:
This KB at VMware is for granting Administrators access to user folders.  I need a way to lock down the NTFS permissions so other users cannot browse other users' My Documents shares when "Grant Users Exclusive Rights" is unchecked.
kola12 commented:
On the root folder, Authenticated Users should have Read rights and Domain Admins should have Full rights.
Every user should have Full rights to his own folder. I mean NTFS rights.
arkhaminmate11n (Author) commented:
Yeah, I understand this.  However, how do you automatically set this up?
kola12 commented:
This is a short plan for doing this:
1. Prepare the folder/share for the redirected folders
    - manually set NTFS Full rights on the root folder for Domain Admins and Read rights for Authenticated Users
2. Prepare the GPO to redirect the folders (use the variable %username%)
I think that should be enough.
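Spelling out the root-folder ACL that this plan depends on, as an added example that is not kola12's or anyone else's code from this thread. The detail that makes the plan hold up with "Grant the user exclusive rights" unchecked is that the Authenticated Users entry must apply to the root folder only, while a CREATOR OWNER entry applies to subfolders and files only, so a folder created by a user's first logon ends up readable by that user, SYSTEM and Domain Admins and nobody else. Assumptions: the root is D:\Share, the domain NetBIOS name is taken from $env:USERDOMAIN, and the redirection GPO uses "Create a folder for each user under the root path".

```powershell
# Added example (not from the thread): set the NTFS ACL on the root of a folder-redirection
# share so that each redirected per-user folder is accessible only to its user, SYSTEM and
# Domain Admins, with "Grant the user exclusive rights" left unchecked.
# Assumptions: root D:\Share, domain NetBIOS name $env:USERDOMAIN.
param(
    [string]$Root   = 'D:\Share',
    [string]$Domain = $env:USERDOMAIN
)

if (-not (Test-Path -LiteralPath $Root)) {
    New-Item -ItemType Directory -Path $Root | Out-Null
}

$acl = Get-Acl -LiteralPath $Root
# Stop inheriting from D:\ and discard the inherited entries, then clear the explicit ones,
# so the root ends up with exactly the four entries added below.
$acl.SetAccessRuleProtection($true, $false)
foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }

$subfoldersAndFiles = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisFolderOnly     = [System.Security.AccessControl.InheritanceFlags]::None
$inheritOnly        = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$propagate          = [System.Security.AccessControl.PropagationFlags]::None
$allow              = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    # SYSTEM and Domain Admins: Full Control on the root and everything created under it.
    [System.Security.AccessControl.FileSystemAccessRule]::new('NT AUTHORITY\SYSTEM',
        'FullControl', $subfoldersAndFiles, $propagate, $allow)
    [System.Security.AccessControl.FileSystemAccessRule]::new("$Domain\Domain Admins",
        'FullControl', $subfoldersAndFiles, $propagate, $allow)
    # CREATOR OWNER, subfolders and files only: when a user's logon creates <root>\<username>,
    # that user owns it and this entry becomes an explicit Full Control ACE for that user alone.
    [System.Security.AccessControl.FileSystemAccessRule]::new('CREATOR OWNER',
        'FullControl', $subfoldersAndFiles, $inheritOnly, $allow)
    # Authenticated Users, this folder only: enough to list the root and create their own
    # folder. Nothing is inherited into the per-user folders, so \\server\share\userb
    # denies UserA.
    [System.Security.AccessControl.FileSystemAccessRule]::new('NT AUTHORITY\Authenticated Users',
        'ReadAndExecute, CreateDirectories', $thisFolderOnly, $propagate, $allow)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -LiteralPath $Root -AclObject $acl

# Show the result in the same (OI)(CI)(IO) notation that icacls uses elsewhere in this thread.
& icacls.exe $Root
```

This only governs folders created after the ACL is in place; per-user folders that already exist under the root keep whatever entries they inherited earlier and need to be corrected separately.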
arkhaminmate11n (Author) commented:
That is not enough.  As I already mentioned, I have done this and I have outlined the problems I have encountered deploying this.  So I need a solution for the problems I've encountered.
kola12 commented:
http://hardforum.com/showthread.php?t=1601199

Use the 'Folder Redirection' group policy extension (under User Configuration --> Windows Settings --> Folder Redirection).
In order to fix your problem you should take the following steps:
1. Open your Group Policy Object, go to the properties of the redirected folder you configured, go to the 'Settings' tab and clear the 'Grant the user exclusive rights to...' checkbox.
2. Next, make sure you configured full access to the 'Administrators' group under the root folder. Do not propagate the permissions because you will override all existing permissions.
3. In order to fix the security on the existing problem, I recommend using the AdminAllow tool (available at http://www.winsite.com/bin/Info?500000029999).

Anyhow, the Folder Redirection Group Policy Extension is not very stable and might cause long logon delays (especially in Terminal Server environments).
The paths to the Special Folders exist in the following registry keys:
1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

You can write a simple ADM file that sets the configuration of your folder. It works much better. I used it in many organizations when optimizing Terminal Server Farms.
arkhaminmate11n (Author) commented:
I am sorry, it seems you are not reading my question.  As noted, I have already tried what you have outlined.  The question I have is how to allow administrators access to the user folders BUT also prevent users from seeing other users' shares.  Please review my question more before answering again.
Lionel MM (Small Business IT Consultant) commented:
Let's say you have the user folders at d:\users\user1 and d:\users\user2 and so on. Then the first thing to do is to run this from a command prompt (you can turn this into a script later to have it automated):
ICACLS D:\users /save D:\Users\SaveACL.txt /T /C /L
This will save all the current NTFS permissions so you can use the /restore option down the road if things get messed up. Then you can run the icacls command to grant and remove permissions and/or inheritance to allow the type of access you want.
Icacls C:\utils\test1 /inheritance:r /grant:r "domain admins":(OI)(CI)F /grant:r "user1":(OI)(CI)R
You can even change ownership if required (if you get any access denied errors):
ICACLS d:\users /setowner "Domain admins" /T
arkhaminmate11n (Author) commented:
Thanks.  But I am not after a solution to modify permissions on an existing share.

Here is a summary of what I want to do:

1) Set up a network share from scratch that will host users' redirected Documents (My Documents).
2) I want to allow Administrators (Domain Admins) the ability to see a user's folder.
3) I do not want a user to be able to browse other users' folders by the UNC path.

If I enable "Grant User Exclusive Rights" in the GPO, then Admins cannot access the users' folders.
If I disable "Grant User Exclusive Rights" in the GPO, then Admins can access the users' folders.  However, a user can then use a UNC path to view other users' folders.  For example, if a user's My Documents are redirected to \\server\share\%username%, then when "Grant User Exclusive Rights" is disabled, UserA can go to \\server\share\userb and view UserB's files.

So, I need a way to 1) allow Admins access to all user folders and 2) prevent others from using a UNC path to view other users' folders.

Thanks.
Lionel MM (Small Business IT Consultant) commented:
You can control UNC access by "Share Permissions"; you can use
Net Share ShareName=D:\Data\UserFoldername /Grant:UserName,Full /Grant:"Domain Admins",Read
You can even use this in a batch file to read a list of usernames. However, you will still need to grant, add and remove NTFS permissions if you want to ensure that a user cannot access other users' files and folders. You need to control it with share-level access and file/folder access.
arkhaminmate11n (Author) commented:
Thanks.  Is there a way to set up NTFS permissions so that users cannot browse other users' My Documents shares when "Grant User Exclusive Rights" is disabled?  If so, how can one do this?
Lionel MM (Small Business IT Consultant) commented:
Yes, the icacls command I gave you above does this, and this too can be set up to read a file with a list of usernames. This command will remove inheritance and grant NTFS permissions:
Icacls D:\userfolderlocation /inheritance:r /grant:r "domain admins":(OI)(CI)R /grant:r "user1":(OI)(CI)F
which will mean only domain admins and user1 will be able to access this folder and its subfolders and files. The net share I gave you above will also restrict access to \\servername\user-sharename
arkhaminmate11n (Author) commented:
Thanks.  Is there a way to do this through the GUI?  Or only using the icacls command?
Lionel MM (Small Business IT Consultant) commented:
No, you can use Windows Explorer to do this, but that means doing it user by user. Click on the folder you want to change share and/or folder permissions on, then click on Properties (or Sharing and Security) and then add or remove users or groups as required. You can then remove inheritance too (Advanced button and uncheck at the bottom). If you want to see some screenshots check out this link http://www.techrepublic.com/article/step-by-step-how-to-set-and-troubleshoot-ntfs-permissions-in-windows-xp/
arkhaminmate11n (Author) commented:
Thanks.  Do I have to go through each user folder and grant the Domain Admins permission?
Lionel MM (Small Business IT Consultant) commented:
Let's say you have a folder called
C:\Users
and it has the following sub-folders
User1
User2
User3
Then you can add it to C:\Users and apply it to all the folders underneath it.
Make sense?
arkhaminmate11n (Author) commented:
Sorry, I am still confused.

Looks like I need to run this command: Icacls D:\share\user1 /inheritance:r /grant:r "domain admins":(OI)(CI)R /grant:r "user1":(OI)(CI)F

But in this example, I am granting Domain Admins and User1 access to the User1 folder.

If I have multiple user folders in D:\share ( D:\share\user1,  D:\share\user2,  D:\share\user3....), what command do I need to run to give Domain Admins access to these folders, and the domain user associated with each folder, while also preventing another user from gaining access to another user's folder?

Also, when new users log in for the first time, Windows creates a new folder for this user.  Do I need to go back in and run the command again each time a new user folder is created?

Thanks again.
Lionel MM (Small Business IT Consultant) commented:
OK, but you just said you don't want to use icacls and I just gave you instructions to do it through the GUI, so which one do you want to use?
arkhaminmate11n (Author) commented:
Sorry, I misread your earlier post about the GUI.  I just want a way that can be "set it and forget it."  That is, give Domain Admins access and each user access to his/her 'share.'  Is this possible?
Lionel MM (Small Business IT Consultant) commented:
Watch this very short video to show you using Windows Explorer (GUI) https://youtu.be/d9Uk6dxWj20
arkhaminmate11n (Author) commented:
Thanks.  I do understand this part.

The part I do not understand is how to grant each user exclusive rights to his/her 'share'.

D:\Share -> Go into here and use the video instructions to set "Full Control" for "Domain Admins."  Domain Users have rights to look at this folder as well.

I then set up the GPO to redirect users' My Documents to \\share\.  I leave "Grant User Exclusive Rights" to this folder unchecked.

When a new user logs into Windows for the first time, a new folder is created on the \\share\

\\share\User1
\\share\User2
\\share\User3.....

With this setup, Domain Admins can view all the user folders.  However, if User2 goes to \\share\user1, User2 can see User1's files.

How can I prevent this from happening?
Lionel MM (Small Business IT Consultant) commented:
OK, I don't understand your folder setup. Where is the share on the server? Is it on D:\Data\My Documents? Where? Tell me the exact physical location, not the \\server\sharename. Once I know that I can better tell you how to set up shares that other users cannot see. Even better, do a DIR from a command prompt and show me where all the users' folders are; type
dir /s /ad
thanks
arkhaminmate11n (Author) commented:
The \\server\share is the same thing as D:\share.  I am just giving you the UNC path as an example of how the GPO is set up and how other users can browse to other users' directories when the "Grant User Exclusive Rights" checkbox is unchecked.  So all permission changes would be on D:\share on the server.
Lionel MM (Small Business IT Consultant) commented:
From a command prompt type
dir /s /ad
thanks
arkhaminmate11n (Author) commented:
There isn't anything in the directory yet; I am trying to get this set up as detailed above.
Lionel MM (Small Business IT Consultant) commented:
OK, so then I am confused, as you said you are having problems with access; you said
    "If I enable "Grant User Exclusive Rights" in the GPO, then Admins cannot access the users' folders.
If I disable "Grant User Exclusive Rights" in the GPO, then Admins can access the users' folders.  However, a user can then use a UNC path to view other users' folders.  For example, if a user's My Documents are redirected to \\server\share\%username%, then when "Grant User Exclusive Rights" is disabled, UserA can go to \\server\share\userb and view UserB's files."

So if you don't have anything yet, how are you having the problems? The reason I am asking for the directory structure is so that I can better explain to you how to set up shares so others can't access them other than domain admins and the user they are for.
arkhaminmate11n (Author) commented:
I have set up different test shares to test the scenarios I noted.  So I am starting from scratch, but I have also run through tests before I made a post here.
Lionel MM (Small Business IT Consultant) commented:
OK, so I am going to assume you have a directory on drive D called Users and under that you have a directory for each of your users, like D:\Users\Bob. So right-click on directory D:\Users\Bob and in the Sharing tab add Bob and give him the permissions you want, and then add Domain Admins and the permissions wanted. You can also do this with the command I provided in my comment above:
Net Share Bob=D:\Data\Bob /Grant:Bob,Full /Grant:"Domain Admins",Read
Then if you have another user called Mary all you need to change is Bob to Mary:
Net Share Mary=D:\Data\Mary /Grant:Mary,Full /Grant:"Domain Admins",Read
arkhaminmate11n (Author) commented:
Thanks.  I do understand how to set the permissions manually.  I am looking for a way to automatically do this.
Lionel MM (Small Business IT Consultant) commented:
That is what net share can do -- you add this to a logon script if you want to, or you can put it in a "new user" file to run whenever someone logs on who does not have an existing folder on D:\Data. There are many ways to automate the "net share" command, since you can't get it to work in GPO.
arkhaminmate11n (Author) commented:
How do I use Net Share to redirect a user's My Documents?
Lionel MM (Small Business IT Consultant) commented:
In your earlier comment you said you already had the NTFS permissions and redirection taken care of and then asked about sharing, so I was dealing with sharing, but now you are talking about redirecting again. So I'm not sure exactly what it is that you are having trouble with, because this can't all be done with just one click or just one command, and others have already given you suggestions on how to deal with redirecting documents in GPO.
arkhaminmate11n (Author) commented:
Sharing and redirection are linked.  So there isn't a way to have this conversation without discussing both.

Again, I want to redirect users "My Documents" to a network share and on that network share I want Domain Admins to have full access to all the folders and I want each user to have access to his/her share.
Lionel MM (Small Business IT Consultant) commented:
I did not say they are not linked--if you re-read what I said, I said they cannot be done with one click--that there are multiple steps and that other people have already given you information on how to enable redirection in GPO. Redirection is set at [Group Policy Object Name]\User Configuration\Policies\Windows Settings\Folder Redirection https://technet.microsoft.com/en-us/library/cc732275.aspx which has nothing to do with sharing--nothing. Then you have to decide how you want to do sharing: as part of a script--either manually or at logon--or user by user. The script can be as simple as
If not exist d:\users\%username% md d:\users\%username% && net share %username%=d:\users\%username% /Grant:%username%,Full /Grant:"Domain Admins",Read
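A fuller version of that one-liner, as an added example and not Lionel MM's own script: an administrator runs it on the file server for each batch of new users, and it creates the folder, replaces the NTFS ACL with the icacls pattern shown earlier in the thread, and publishes a per-user share. Assumptions: per-user folders live under D:\Data, usernames are listed one per line in D:\Data\newuser.txt, the domain NetBIOS name is $env:USERDOMAIN, and the redirection GPO targets \\server\%username%. Unlike the earlier net share lines, Domain Admins get Full at the share, since that is the access the question asks for.

```powershell
# Added example (not from the thread): provision one folder + NTFS ACL + share per new user.
# Assumptions: root D:\Data, user list D:\Data\newuser.txt, domain $env:USERDOMAIN.
param(
    [string]$Root     = 'D:\Data',
    [string]$UserList = 'D:\Data\newuser.txt',
    [string]$Domain   = $env:USERDOMAIN
)

$admins = "$Domain\Domain Admins"

foreach ($line in Get-Content -LiteralPath $UserList) {
    $user = $line.Trim()
    if (-not $user) { continue }          # skip blank lines in newuser.txt
    $folder = Join-Path -Path $Root -ChildPath $user

    if (-not (Test-Path -LiteralPath $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }

    # NTFS: break inheritance and replace the DACL with exactly three Full Control entries,
    # so no root-level entry for Authenticated Users or Domain Users reaches this folder.
    & icacls.exe $folder /inheritance:r `
        /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
        /grant:r "${admins}:(OI)(CI)F" `
        /grant:r "$Domain\${user}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls failed on $folder (exit $LASTEXITCODE); share not created"
        continue
    }

    # Share: \\server\<user>. Share permissions are the second gate; the NTFS ACL above is
    # what actually keeps other users out even if they guess another user's share name.
    if (-not (Get-SmbShare -Name $user -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $user -Path $folder -FullAccess @("$Domain\$user", $admins) | Out-Null
    }
    Write-Output "Provisioned \\$env:COMPUTERNAME\$user -> $folder"
}
```

Get-SmbShare and New-SmbShare are the PowerShell equivalents of the `net share` command used in the thread and need Windows Server 2012 or later; on older servers substitute `net share` as shown above. The icacls step is idempotent, so re-running the script for an existing user simply reasserts the intended ACL.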
arkhaminmate11n (Author) commented:
Thanks.  It sounds like what I am after, a solution to redirect users' My Documents to a network share AND grant Domain Admins access to these shares automatically while limiting the user to his/her folder, is not possible.  I appreciate the help nonetheless.
Lionel MM (Small Business IT Consultant) commented:
It is possible, but not in the same place. You can't do it with just one setting, but it can be done with either some or all of my suggestions and/or some of those from others.
arkhaminmate11n (Author) commented:
Thanks for confirming that it is not possible to use a combination of GPO and NTFS permissions to automate the process I would like to deploy.
Lionel MM (Small Business IT Consultant) commented:
It is possible to use a combination of GPO and NTFS permissions to automate the process -- but for some reason you keep arguing that it is not. IT IS POSSIBLE.
arkhaminmate11n (Author) commented:
Alright, then I am misunderstanding.

So here is what I have:

Set up GPO to redirect users' My Documents to \\server\share; uncheck "Grant User Exclusive Rights."

What else needs to happen to 1) allow Domain Admins access to user folders and 2) prevent users from browsing other users' folders?

Again, I want this process completely automated.

So to start, the server share would not have any folders in it.  As users start logging in, username folders would be automatically created by the GPO.  

Please outline what is needed for the NTFS permissions to work.  Thank you.
Lionel MM (Small Business IT Consultant) commented:
How are you creating the shares now? Please provide exact steps and/or script used.
arkhaminmate11n (Author) commented:
The initial share is created by going into Windows Explorer.  Create a folder.  After the folder is created, I go into Advanced Sharing and set the share name.  For Permissions, I give Full to Authenticated Users.  In Security, I give Domain Admins full access.

After this is done, then the UNC path is \\server\share.

I then create a GPO and redirect user's My Documents to \\server\share.

In the GPO, under Target folder location, I choose "Create a folder for each user under the root path."

So the GPO creates all the username folders under the root share.

Again, if I go into Settings on the GPO and select "Grant User exclusive Rights to Documents" then the user has full access to the \\server\share\username folder.  But Domain Admins do not have access to this folder.

If I uncheck "Grant User exclusive Rights to Documents" then Domain Admins have access through the NTFS permissions.  But users can browse other users' shares via the UNC path.

So I am trying to solve the question of how to automatically give Domain Admins rights to all user folders AND only grant users access to their folder.
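A check for the second outcome described above, as an added example that is not part of this thread: it walks the per-user folders under the redirection root and reports every Allow entry held by anyone other than the folder's own user, SYSTEM, Domain Admins, the local Administrators group or the CREATOR OWNER placeholder. A hit for "Authenticated Users" or "Domain Users" on \\server\share\userb is exactly the condition that lets UserA read UserB's files, and the Inherited column shows whether it came down from the root's ACL. Assumptions: the root is D:\Share, each folder name equals the user's account name, and the domain NetBIOS name is $env:USERDOMAIN.

```powershell
# Added example (not from the thread): find per-user redirected folders that someone other
# than the expected principals can access.
# Assumptions: root D:\Share, folder name == account name, domain $env:USERDOMAIN.
function Test-RedirectedFolderAcl {
    param(
        [string]$Root   = 'D:\Share',
        [string]$Domain = $env:USERDOMAIN
    )
    # Principals that are allowed on every per-user folder.
    $expected = @(
        'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', "$Domain\Domain Admins"
    )
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $owner = "$Domain\$($dir.Name)"      # the one user who should have access here
        $acl   = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            $who = $ace.IdentityReference.Value
            if ($who -eq $owner -or $expected -contains $who) { continue }
            # Anything else (Authenticated Users, Domain Users, another user...) is a leak.
            [pscustomobject]@{
                Folder    = $dir.FullName
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True = came from the root folder's ACL
            }
        }
    }
}

$findings = @(Test-RedirectedFolderAcl)
if ($findings.Count -eq 0) {
    Write-Output 'No per-user folder is readable by an unexpected principal.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it once with "Grant User Exclusive Rights" checked and once unchecked to see the difference: the checked case yields no findings but no Domain Admins entry either, while the unchecked case with an inheritable Authenticated Users or Domain Users entry on the root reports every user folder.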
Lionel MM (Small Business IT Consultant) commented:
OK, but that means you are creating the shares user by user and not automatically. If you will therefore create a file, let's call it newuser.txt, and each time you get a new user or multiple new users you put the user's name in that file and then run a batch file, let's call it newuser.bat, then you can create the folders, set up the share, and add the required permissions, all of this by just adding the username(s) to newuser.txt (remove the old names of course) and then running newuser.bat. Will you accept that as a solution? It is easy to do with the commands I have already provided and I will re-do it if you accept that as a possible solution, in addition to the GPO setting you have already set up (with some minor changes).
arkhaminmate11n (Author) commented:
The GPO automatically creates the shares though.  I do not do this manually.
Lionel MM (Small Business IT Consultant) commented:
NO the GPO DOES CREATE THE SHARES it creates the folders if the folder is not already there. Plus in your comment you said "The initial share is created by going into Windows Explorer.  Create a folder.  After folder is created, I go into Advanced Sharing,"
arkhaminmate11n (Author) commented:
Right, the base share I manually create.  All the subsequent "shares" are created by GPO.
Lionel MM (Small Business IT Consultant) commented:
GPO does not create shares, as already stated. I
arkhaminmate11n (Author) commented:
Okay, the user folders are created by GPO.

With that said, I do not want have a batch file run.  Any other ideas?
Lionel MM (Small Business IT Consultant) commented:
For what you are asking for there is no other way--it seems to me that all along you have been looking for ways to reject the options we have given you, and you keep changing what you say you are doing each time I show you a better way. So at this point it seems impossible to help someone who doesn't want to take our suggestions or recommendations.
arkhaminmate11n (Author) commented:
Thanks for your help.  But unfortunately, I feel you have never addressed my initial question. With that said, I am certainly willing to accept help and I do appreciate the help you have given me.  It may be that one of us is misunderstanding the other.  Either way, I certainly did not intend to frustrate you in any way.  I apologize if I have done so.
Lionel MM (Small Business IT Consultant) commented:
Your initial question was "With that said, how do I prevent other users from accessing other users' My Documents while also allowing Domain Admins access to the folders?"; and all I have been doing is showing you ways to set up shares so that no one except that user and the domain admins can access that user's files, and each time I give you a solution you refuse to accept it and/or change the information you previously gave. If you accept my suggestion you will create
1) Folders for each user
2) Shares for each user
3) Share permissions that only allow that user and the domain admins access

That addresses your initial question perfectly, so please tell me how the solution I provided DOES NOT address your initial question? This solution does EXACTLY what you asked for, what you wanted EXACTLY.
arkhaminmate11n (Author) commented:
Thanks.  You are quoting one part of the puzzle.  So, while you have answered how to manually set up file permissions on subfolders on a server share so that domain admins have full access to all the folders and a user has access to his/her own folder and nothing else, you have not addressed how to automatically perform this and tie it into GPO.  Again, I appreciate the help.
Lionel MM (Small Business IT Consultant) commented:
We already told you that this cannot be done with one click, in one place, and we have already given you numerous links on how to do the most you can by using GPO, and then I have repeatedly given you information on how to do the rest. So you have the solution you need, but it is not the solution you think should be possible; that solution is not possible -- you do not want to accept that it takes more than just settings in GPO -- IF you want what you said you wanted: other users being unable to see other users' files. So you have a solution.

arkhaminmate11n (Author) commented:
Thanks.  I did say earlier that it sounded like what I wanted to do was not possible.  Thanks for confirming this.