Folder Redirection, Server 2012 and Windows 7 & 8, security issues

Folder redirection seems to be working well for users in the security filter on the GPO. Additionally, DFSR is working for the redirected folders share. The issue is that when one is logged in as a domain admin, one can browse to the redirected folder share and see all the redirected users' folders. This top-level visibility seems normal, but a domain admin can drill into other domain admins' folders but not into standard users' folders. When a standard user browses to the redirected share, they can only see their own folder, which is what is desired. How do I secure other domain admins' folders?
Security settings on the share and folders are based on this article:

https://technet.microsoft.com/en-us/library/jj649078.aspx
BTPSSE-1 Asked:
Joseph Moody (Blogger and wearer of all hats) Commented:
By nature, a domain administrator can see everything (or undo anything that you set to prevent them from seeing it).

A better solution would be to limit the number of domain admins that you have and delegate permissions to those users requiring additional rights.
0
McKnife Commented:
No matter what, denying anything to domain admins is useless since they can revert all that is imposed on them.
The best you could do is set up file auditing and see how to set up alerting mechanisms. Frankly, this is difficult and will not change much. Trust your admins or look for new admins.
0
BTPSSE-1 (Author) Commented:
OK, I understand about trusting my admins, and that they can see anything they want. Let me emphasize the issue at hand: domain admins CAN NOT see inside the Standard Users' folders (without taking ownership), only inside OTHER Domain Admins' folders (grand total of 3). I would prefer that it be the other way around. IF a standard user's folder can be made private, surely a DA can have privacy as well?
0
McKnife Commented:
It cannot be made private. Your ACLs of domain admin folders can be set up like the users' folders; simply compare and you'll find your configuration error. But what for? All can be reset in seconds.
0
Joseph Moody (Blogger and wearer of all hats) Commented:
It sounds like your folder redirection GPO has "Grant user exclusive rights to" enabled under the options tab.
0
BTPSSE-1 (Author) Commented:
"Grant user exclusive rights to" is not enabled.
Maybe I'm not being clear. If, logged in as an admin, I can see other admins' files, I should ALSO be able to see standard users' files without editing permissions. That is not the case. I didn't configure the individual folders, I configured the shares and the GPO. The system is setting the folder perms.
0
Joseph Moody (Blogger and wearer of all hats) Commented:
If that isn't enabled, you will need to change the permissions on the root folder where all of your standard user documents are stored. In the TechNet article you linked to, Administrators only have Full Control on "This folder only". You would need to change that to apply to "This folder, subfolders and files".
0
David Johnson, CD, MVP (Owner) Commented:
Are the domain admin folders in the same directory as the users' folders, and are you using the same GPO?
0
BTPSSE-1 (Author) Commented:
@David, yes and yes.
0
Muhammad Burhan (Manager I.T.) Commented:
You can try it with an enumeration-enabled shared folder and make changes to the NTFS permissions on the root folder in which all redirection happens: set explicit permissions, add Authenticated Users and apply.
But if Administrator or the Administrators group is in the permissions, it can't work.
0
McKnife Commented:
We cannot help you if you don't screenshot the ACLs of some admin folder and compare it to some user's folder. But even if we set them both to "protected", this protection is ridiculous since all a domain admin has to do is reset it - a matter of seconds. The best measure against it (if you don't trust your admins) is auditing, as I mentioned before.

...and yes, I understand exactly what you are talking about, you made it very clear.
0
David Johnson, CD, MVP (Owner) Commented:
[Screenshots attached: "My folder settings", "OU Permissions", "Full View"]
1

Muhammad Burhan (Manager I.T.) Commented:
Tested!
Test it yourself as well, then apply it to the existing setup.

Let \\Server\Redirection$ be the folder in which My Documents is redirected for all users (GPO).
Create that folder, then
go to Server Manager > File and Storage Services > under the Shares tab > New Share, select the Redirection$ folder and enable enumeration.
Now under permissions, disable inheritance and click on "convert inherited permissions", then remove all others except:
System             This folder, subfolders and files
Administrators     This folder only
Creator Owner      Subfolders and files only

Add Authenticated Users and double-click on it, select "This folder, subfolders and files" in 'applies to', click on "clear all", then click on "show advanced permissions" and
check:
Create files / write data
Create folders / append data
Write attributes
Write extended attributes
Read permissions
OK

Ignore warnings and errors.

In the Share tab,
add Authenticated Users and give Full Control.
OK
Apply
1
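The root ACL and share from the accepted answer, plus the per-folder comparison McKnife and Joseph Moody pointed at, as an added PowerShell example that is not from the thread. It assumes an elevated session on the file server, placeholder values for $Root and $ShareName, and scopes the Authenticated Users ACE to "This folder only" as in the linked TechNet article, because a create/write ACE that inherits to subfolders would let any user create files inside other users' redirected folders.

```powershell
# Added example (not from the thread). Builds the redirection root and share from the
# accepted answer, then reports who owns / has full control over each user folder.
# Assumptions: run elevated on the file server; $Root and $ShareName are placeholders.
$Root      = 'D:\Redirection'
$ShareName = 'Redirection$'

function New-Ace($Identity, $Rights, $Inherit, $Propagate) {
    # Strings are converted to the FileSystemRights/InheritanceFlags/PropagationFlags enums
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

New-Item -Path $Root -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $Root
# Disable inheritance and drop the inherited ACEs rather than converting them
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# The four ACEs from the accepted answer. Authenticated Users gets create-only rights on
# "This folder only" (the scope in the linked TechNet article): if that ACE inherited to
# subfolders, any user could create files inside other users' redirected folders.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'None' 'None'))
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' `
    'CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, ReadPermissions' 'None' 'None'))
Set-Acl -Path $Root -AclObject $acl

# Share with access-based enumeration so users only see the folders they can open
New-SmbShare -Name $ShareName -Path $Root -FullAccess 'NT AUTHORITY\Authenticated Users' `
    -FolderEnumerationMode AccessBased | Out-Null

function Get-RedirectedFolderReport($Path) {
    # One row per redirected folder. A folder owned by a group instead of the user is the
    # likely reason every member of that group can open it: the inherited CREATOR OWNER
    # entry resolved to the group (assumption: admin folders were created with an admin token).
    Get-ChildItem -Path $Path -Directory | ForEach-Object {
        $a  = Get-Acl -Path $_.FullName
        $fc = $a.Access | Where-Object { $_.FileSystemRights.ToString() -match 'FullControl' }
        [pscustomobject]@{
            Folder       = $_.Name
            Owner        = $a.Owner
            OwnedByGroup = $a.Owner -match '\\(Administrators|Domain Admins)$'
            FullControl  = ($fc | ForEach-Object { $_.IdentityReference.Value }) -join '; '
        }
    }
}
Get-RedirectedFolderReport -Path $Root | Format-Table -AutoSize
```

Run the report against the existing share first: a row where OwnedByGroup is True and FullControl lists Administrators is the folder that every admin can open.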
BTPSSE-1 (Author) Commented:
tore it down and rebuilt it based on the above tips and it is now functioning as desired.  Thanks, folks!
0
McKnife Commented:
Don't get me wrong, I am not criticizing your choice. I wonder why one would use that approach because it is no (zero) real security against tampering. Set up auditing at least.
0
BTPSSE-1 (Author) Commented:
@McKnife: all you did from the beginning was criticize my choice. You kept telling me that I was making a mistake by concerning myself with whether or not domain admins could see each other's folders and to "just trust your admins". You said you clearly understood my issue, but your responses indicated that you did not. The other experts spent their time offering guidance on the permissions and their suggestions worked. You are still telling me how to manage my user politics. Auditing is and has been enabled. Thanks for your time; maybe next time I will be able to communicate my needs in a more effective manner.
0
McKnife Commented:
"You said you clearly understood my issue, but your responses indicated that you did not." - that's what one should call a misunderstanding, which is normally between two and not one-sided.
My last posting was made because I wondered (and still do) if you think your issue is solved, that's all. My opinion is that it's not; the fact is, admins can still open other admins' folders, it's just two or three clicks further away now. If you set up auditing, which you now say you did, then it's a lot better, still no real protection, but at least we can see what has been done - that's good to hear.
0
Question has a verified solution.