File permissions Server 2008r2 wide open


Our organization has acquired a new network through an amalgamation. The old IT Admin was not part of the deal. Upon investigation into effective permissions of folders it's obvious that they are misconfigured, i.e. the barn doors are open.
It's a Server 2008 r2 containing a root folder C:\folderredirection that holds RDS users' data.
Below are some screen shots of the current folder permission config.

root folder
sample user folder within C:\folderredirection

Obviously I would like to lock down folder access to admin and the folder's user.
This server will be active for only three more months but is a production environment that so I need to tread lightly in correcting this.

I very much appreciate any advice or guidance.
user folder
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Muhammad BurhanManager I.T.Commented:
There are Two types of permissions, NTFS and SMB or share permissions.

NTFS are responsible for who can write/edit or create files and folders.
where share permissions are for who can access them by share.

if NTFS permissions on 'Folder1' are on Full control to 'user1' and if Share permission is set to deny read/write access to 'user1' so ultimately 'user1' have no access to that folder on share.

the best practice is to set permissions with both perspective NTFS and Share.

if you want to give share access to only 'user1' to the folder '\\server\folder' then click on change permission on the bottom right in above screenshot and just add 'user1' in share permissions.
same procedure apply if you want to give permissions to any group like domain users etc.
In order to allow Windows to create a redirected folder (or roaming profile) the first time a user logs on, I allow the redirected folder to be created using the user credentials and add a permission to grant CREATOR OWNER full control.  

One problem with this approach is that if an administrator needs to take ownership, then the users will lose rights to the files.  My guess that the Authenticated Users -Full Control permission was added after someone took ownership, but in any case the solution here is remove the  Authenticated Users -Full Control permission and assign rights for each user for their folder.

Since each user has individual rights assigned, you don't want to change the Share permissions.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.