Link to home
Avatar of BTPSSE-1

asked on

Folder Redirection, Server 2012 and Windows 7 & 8, security issues

Folder redirection seems to be working well for users in the security filter on the GPO.  Additionally, DFSR is working for the redirected folders share.  The issue is that when one is logged in as a domain admin, one can browse to the redirected folder share and see all the redirected users folders.  This top level visibility seems normal, but a domain admin can drill into other domain admin folders but not into standard users folders.  When a standard user browses to the redirected share, they can only see their own folder which is to be desired.  How do I secure other domain admin folders?
Security settings on the share and folders are based on this article:
Avatar of Joseph Moody
Joseph Moody
Flag of United States of America image

By nature, a domain administrator can see everything (or undo anything that you set to prevent them from seeing it).

A better solution would be to limit the number of domain admins that you have and delegate permissions to those users requiring additional rights.
No matter what, denying anything to domain admins is useless since they can revert all that us imposed on them.
Best you could do is setup file auditing and see how to setup alerting mechanisms. Frankly, this is difficult and will not change much. Trust your admins or look for new admins.
Avatar of BTPSSE-1


OK, I understand about trusting my admins, and that they can see anything they want.  Let me emphasize the issue at hand: domain admins CAN NOT see inside the Standard Users folders(without taking ownership), only inside OTHER Domain Admins(Grand total of 3).  I would prefer that it be the other way around.  IF a standard users folder can be made private, surely a DA can have privacy as well?
It cannot be made private. Your ACLs of domain admin folders can be setup like the users folders - simply compare and you'll find your configuration error. But what for? All can be reset in seconds.
It sounds like your folder redirection GPO has "Grant user exclusive rights to" enabled under the options tab.
"Grant user exclusive rights to" is not enabled.  
Maybe I'm not being clear.  If, logged in as an admin, I can see other admins files, I should ALSO be able to see standard users files without editing permissions. That is not the case.  I didn't configure the individual folders, I configured the shares and the GPO.  The system is setting the folder perms.
If that isn't enabled, you will need to change the permissions on the root folder where all of your standard user documents are stored. In the technet article you linked to, administrators only have full control to "this folder only". You would need to change that apply to "This folder, subfolders and files".
are the domain admin folders in the same directory as the users folders and are you using the same gpo?
@David, yes and yes.
you can try it by Enumeration enabled shared folder and make changes in NTFS permission on root folder in which all redirection happens set Explicit permissions add Authenticated Users and apply.
but if administrator or administrators group were in permissions so it can't work
We cannot help you if you don't screenshot the ACLs of some admin folder and compare it to some user's folder. But even if we set them both to "protected", this protection is ridiculous since all a domain admin has to do is reset it - a matter of seconds. The best measure against it (if you don't trust your admins) is auditing, as I mentioned before.

...and yes, I understand exactly what you are talking about, you made it very clear.
Avatar of David Johnson, CD
David Johnson, CD
Flag of Canada image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
tore it down and rebuilt it based on the above tips and it is now functioning as desired.  Thanks, folks!
Don't get me wrong, I am not criticizing your choice. I wonder why one would use that approach because it is no (zero) real security against tampering. Setup auditing at least.
@McKnife:  all you did from the beginning was criticize my choice.  You kept telling me that I was making a mistake by concerning myself with whether or not domain admins could see each others folders and to "just trust your admins".  You said you clearly understood my issue, but your responses indicated that you did not.  The other experts spent their time offering guidance on the permissions and their suggestions worked.  You are still telling me how to manage my user politics.  Auditing is and has been enabled.  Thanks for your time, maybe next time I will be able to communicate my needs in a more effective manner.
"You said you clearly understood my issue, but your responses indicated that you did not." - that's what one should call a misunderstanding which is normally between two and not one-sided.
My last posting was made because I wondered (and still do) if you think your issues is solved, that's all. My opinion is, that it's not, the fact is, admins can still open other admins folders, it's just two or three clicks further away now. If you setup auditing, which you now say you did, then it's a lot better, still no real protection, but at least we can see what has been done - that's good to hear.