Folder Redirection Permissions Server 2008 R2

  • Monday, February 04, 2013 8:25 PM
     
     

    Hello,

    I have inherited a domain which utilizes folder redirection. The environment is Server 2008 R2 and all workstations are Windows 7 x64. The redirected folders are on a shared drive which for now resides on the primary domain controller (I know, bad). My predecessors used multiple methods in creating profiles, meaning they would create the profile on the share as domain admin for some users and then log in as the new user in other instances. Essentially I had a mix of profiles and profile permissions. Everyone was able to browse and view each other's documents. Obviously, not the desired outcome. I have since changed the permissions of the root Users folder based on reading a couple of different articles, one of which is below:

    http://social.technet.microsoft.com/Forums/en-IE/winservergen/thread/7e1f5344-ff3f-4fee-90d1-bfe805f8c57f

    The root Users folder does have Include inheritable permissions unchecked. So far I have changed the permissions on the root Users folder to the following:

    Creator Owner: Full Control, This Folder, Subfolders and Files (although it only shows the Permission as Special and Apply To as Subfolders and Files in the ACL)

    SYSTEM: Full Control This Folder subfolders and files

    Domain Admins: Full Control This Folder subfolders and files

    Administrators: Full Control This Folder subfolders and files

    Authenticated Users: This Folder and Files (I explain why I included Files below) with the following permissions: Traverse/Execute, List folder/Read Data, Read Attributes, Read extended attributes, Create files/Write Data, Create folders/Append data

    I created a test user, logged in as that user and verified the documents are redirected and the permissions are pushed down to the user profiles. The user's name appears in the NTFS permissions and is listed with Permission: Special, Apply To: This folder only.

    In addition to folder redirection, each user needs to have a shared folder which resides under their My Documents, which they scan documents to. Normally I create a new user and then log in as that user, which populates their redirected folders on the share with the correct permissions. Later on I log on as domain admin, browse to the user's profile and create their shared “scan folder”, which inherits all but the user's name in the NTFS permissions (I’m guessing because I created the folder as admin rather than logging in as the user, and so Admin is the owner..?). I then add a separate "Scanning Account" with write permissions to This Folder and Files.

    Initially on the root Users folder I had Authenticated Users set to This Folder Only, per the documentation. The problem with this is that if I create the scan folder, scan a document, and then move the document to the user's desktop or another directory, they lose permission to open the document or do anything with it. I've found that when the document is scanned into the scan folder, the NTFS permissions of the document change. There is a second entry created in the ACL for the scanning account with Full Control. The user's name is not listed. If the user moves the document to their desktop they cannot open it or do anything with it. They can only work with the document within the scan folder.

    In trying to get this to work I added This Folder and Files to Authenticated Users on the root Users folder. Now the user can move the scanned document to the desktop and open and save it. Their name still does not show up in the ACL, but they can open it, I'm guessing because Authenticated Users is applied to all files.

    I’m trying to figure out the best way to get this to work. I’ve even tried logging in as the user and then creating the scan folder in order to get inherited permissions including the user's name in the ACL. Even when scanning this way, though, they do not have any permissions in the ACL of the scanned document.

    I apologize for the long-winded explanation, but I'm trying to include as much info as possible. Please let me know if you need any additional information or clarification and I'll be happy to provide it.

    On a side note, if I go into the NTFS permissions of the user's profile, click Edit and check Full Control under the Security tab, the user has Full Control for everything in their profile, including scanned documents. Not sure if there is a way to do this for all users from the root Users folder, or even if this is a best practice.
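An added example, not from the thread and not anything the posters or Microsoft published: PowerShell (2.0-compatible, run elevated on the Server 2008 R2 file server) that applies a root ACL in the shape described in the question, grants each user an explicit inheritable Full Control entry on their own profile folder (the per-user Edit/Full Control fix from the last paragraph, scripted across all folders), and audits the tree for entries that grant broad groups access below the root. The share root `D:\Users` and the domain name `CONTOSO` are placeholders, and it assumes each profile folder is named after the account (sAMAccountName). Two points the question runs into: CREATOR OWNER resolves to whoever creates an item, so a file the scanning account creates gets an explicit entry for the scanning account and not for the folder's user, and a same-volume move keeps that explicit entry; and an Authenticated Users entry set to "This folder and files" on the root is inherited by files at every depth beneath it, which is why the workaround made the scanned file openable, but it also makes every file in every profile readable (and, with Create files/Write Data, writable) by any authenticated user who knows its path, since the default Bypass traverse checking right means the unlistable folders in between are not a barrier. The audit function flags exactly such entries.

```powershell
# Added example, not from the thread. Assumes: share root D:\Users on the file
# server, domain CONTOSO, one folder per user named after the sAMAccountName.
# Requires an elevated PowerShell 2.0+ session on the server. Test on a copy first.

Set-StrictMode -Version 2

# Build one Allow ACE. $Identity may be an account string ('BUILTIN\Administrators')
# or an NTAccount object; the constructor overload is chosen by the argument type.
function New-AllowAce {
    param(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit = 'None',
        [System.Security.AccessControl.PropagationFlags]$Propagate = 'None'
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

# Root of the redirected-folder share: inheritance from the drive blocked, and
# Authenticated Users limited to "This folder only" so nothing granted to them
# here flows down into the per-user folders. Create files/Write Data is left out:
# users only need to create their own folder here, not files.
function Set-UsersRootAcl {
    param([string]$Path, [string]$Domain)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)        # block inheritance, drop inherited ACEs
    foreach ($old in @($acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]))) {
        [void]$acl.RemoveAccessRuleAll($old)           # drop pre-existing explicit ACEs
    }
    $full = 'ContainerInherit, ObjectInherit'          # "This folder, subfolders and files"
    $acl.AddAccessRule((New-AllowAce 'NT AUTHORITY\SYSTEM'    FullControl $full))
    $acl.AddAccessRule((New-AllowAce 'BUILTIN\Administrators' FullControl $full))
    $acl.AddAccessRule((New-AllowAce "$Domain\Domain Admins"  FullControl $full))
    # CREATOR OWNER is inherit-only: it turns into an explicit ACE for whoever creates
    # each subfolder or file (the user for redirected folders, the scanning account
    # for scanned files).
    $acl.AddAccessRule((New-AllowAce 'CREATOR OWNER' FullControl $full 'InheritOnly'))
    $acl.AddAccessRule((New-AllowAce 'NT AUTHORITY\Authenticated Users' `
        'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateDirectories' 'None'))
    Set-Acl -Path $Path -AclObject $acl
}

# Per-user fix for items created by someone else (admin-created scan folders,
# scanner-created files): give the user an explicit, inheritable Full Control entry
# on their own profile folder. Windows propagates it to existing children that do not
# block inheritance, and new files inherit it, so access no longer depends on
# CREATOR OWNER. Folders with no matching account are reported and skipped.
function Grant-UserProfileAccess {
    [CmdletBinding()]
    param([string]$Root, [string]$Domain)
    foreach ($dir in (Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer })) {
        $account = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Domain, $dir.Name
        try {
            [void]$account.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "No account '$Domain\$($dir.Name)' for $($dir.FullName); skipping"
            continue
        }
        $acl = Get-Acl -Path $dir.FullName
        $acl.AddAccessRule((New-AllowAce $account FullControl 'ContainerInherit, ObjectInherit'))
        Set-Acl -Path $dir.FullName -AclObject $acl
        Write-Verbose "Granted $Domain\$($dir.Name) Full Control on $($dir.FullName)"
    }
}

# Audit: any Allow entry for a broad principal on anything below the root means other
# users can reach that item. With "This folder and files" on the root, the entry shows
# up on every file with Inherited = True; leftover entries from hand-made profiles
# show up with Inherited = False.
function Find-BroadAces {
    param([string]$Root)
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', '*\Domain Users')
    Get-ChildItem -Path $Root -Recurse -Force | ForEach-Object {
        $item = $_
        $acl  = $item | Get-Acl
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            foreach ($pattern in $broad) {
                if ($ace.IdentityReference.Value -like $pattern) {
                    New-Object -TypeName PSObject -Property @{
                        Path      = $item.FullName
                        Identity  = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# Usage, as a Domain Admin on the file server (placeholders: D:\Users, CONTOSO):
#   Set-UsersRootAcl -Path 'D:\Users' -Domain 'CONTOSO'
#   Grant-UserProfileAccess -Root 'D:\Users' -Domain 'CONTOSO' -Verbose
#   Find-BroadAces -Root 'D:\Users' | Format-Table Path, Identity, Rights, Inherited -AutoSize
```

Run the audit before and after the other two functions: a clean tree returns nothing, because the root's Authenticated Users entry is "This folder only" and is not inherited, and each profile folder carries only SYSTEM, Administrators, Domain Admins, CREATOR OWNER and its own user. For the scan folder, the scanning account still needs its own entry (write on the scan folder, "This folder and files"), but with the user's inheritable entry in place the scanned file is the user's to open wherever it is moved within the profile.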

All Replies

  • Saturday, February 02, 2013 5:04 PM
     
     

    Refer to the link below on how to set permissions on the profile for folder redirection.
    http://msmvps.com/blogs/acefekay/archive/2009/09/08/folder-redirection.aspx

    Best Practice: Roaming Profiles and Folder Redirection
    http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/

    Also, there is a dedicated forum for GP which may be a good source to ask: http://social.technet.microsoft.com/Forums/en/winserverGP/threads


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Proposed As Answer by VenkatSP Sunday, February 03, 2013 1:50 AM
  • Monday, February 04, 2013 10:29 PM
     
     

    I have almost the same setup as "Mkcsit". So far the network is running OK, but our Security person suggested the "Redirected Folders" should not be available offline.

    Is there any way to force the "Redirected Folders" to stay on the servers only? That means when users are offline, they will "not" be able to access their "Documents" folders. This is to make sure the PCs will not store any sensitive data in case they are stolen.

    Thanks in advance for the help.

  • Tuesday, February 05, 2013 7:46 AM
     
     

    Hi,

    Please check the link below to disable offline files on redirected folders:

    http://technet.microsoft.com/en-us/library/jj154097.aspx


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Tuesday, February 05, 2013 1:19 PM
     
     

    The article http://msmvps.com/blogs/acefekay/archive/2009/09/08/folder-redirection.aspx is very different from other articles I've read. Several have instructions to create the user in AD and then log in as the user to create the profile and folders. I've been doing it this way and now have the issue above. After reading this article I configured another test user in AD. This time I created the profile folder for the test user under the Users share. I set the same permissions as listed in the article and tested. It seems to work without any issues. The only question I had regarding the article is that it doesn't mention the NTFS permissions for the root share. It only lists the share permissions. Also, why is there a need for home directory configuration using this method? If the users log on they can see all of their redirected documents under My Computer. I'm not certain of the need to map them as well. Having said that, I did not share the user profile during my test. I did create and test other shared folders within the user's profile in working with my issue above, and that seems to be working.

    In the article I posted a link for above they advise to configure the User folder with the exact permissions I listed in my original post. Why is all of that necessary for users to be able to access their own profiles if they're configured the way this article describes?

    The other question I have is why are there so many different methods of doing this? Is it different by environment? This seems pretty universal to me. Thanks for the article. I'm continuing to work with the methods described.

     
    • Edited by mkcsit Tuesday, February 05, 2013 1:28 PM
  • Wednesday, February 06, 2013 4:57 AM
     
     Answered

    Hi,

    I suggest you go through this official Microsoft technical article about how to configure security permissions for folder redirection:

    Security Recommendations for Folder Redirection

    http://technet.microsoft.com/en-us/library/cc736916(v=ws.10).aspx

