Home Folder administrator access denied?

  • Question

  • We implemented home folders for users using Windows 2003 ADS. All home folders were created successfully for every individual user, but the problem is that I, as an Administrator, can't access the users' folders and files (access denied). If I take ownership of a folder, it breaks the system and creates many annoying problems. Is there any way to configure home folders from the start so that by default the administrator has full control of every single file of all users?

    Sunday, March 22, 2009 11:58 AM





    Thanks for the post.


    Based on your description, I understand that an administrator cannot access the users' folders after implementing the home folders. Now you want to re-implement the home folders so that administrators by default have access to the redirected folders.


    Now I would like to explain that the Folder Redirection feature enables the user to have exclusive access to the redirected folder; however, administrators by default do not have access to the redirected folders.


    To make the redirected folders secure, the Folder Redirection feature performs the following actions:

    ·  Gives ownership of the folder to the user.

    ·  Sets the following ACLs on the folder:
         User: Full Control
         Local System: Full Control

    ·  Prevents inheritance of ACLs from the parent folder.

    To access the files in a user's redirected folders, the administrator must either log on as the user whose folder is being redirected or take ownership of the folder and manually change the ACLs on the folder.



    Considering this situation, you can perform the following steps to configure the Folder Redirection feature to enable administrator access but to still automatically create folders in a secure manner.


    To set security on the shared folders in Windows Server 2003

    1.    Log on as an administrator to the server that can host the user's redirected folders.

    2.    Locate the top-level folder that can hold the user's redirected documents (for example, D:\Redirected, which is shared as \\Server\Redirected\) by using Windows Explorer. Right-click the folder, and then click Properties.

    3.    Click the Security tab.

    4.    Click Advanced.

    5.    Click to clear the "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here." check box.

    6.    When you are prompted to copy or remove permissions, click Remove.

    7.    If the Administrators group is not present, click Add, type Administrators, and then click OK.

    8.    Select the Administrators group, and then click Edit.

    9.    Verify that the Full Control permission is set to Allow, and then click OK.

    10. Click Add, and add System and Creator Owner to the Permissions entries.

    11. Verify that the System and Creator Owner objects have the Full Control / Allow permission.

    12. Click Add, add Authenticated Users, and then set the following permissions to Allow:

    o    Create Folders / Append Data

    o    Read Permissions

    o    Read Attributes

    o    Read Extended Attributes

    13. Close all property sheets and dialog boxes.

    To configure the Folder Redirection feature

    1.    Open the Group Policy object where Folder Redirection policy is set.

    2.    Under User Configuration, double-click Windows Settings.

    3.    Double-click Folder Redirection.

    4.    Click the folder you want to configure (for example, My Documents). Right-click the folder, and then click Properties.

    5.    Select the Settings property page, click to clear the "Grant the user exclusive rights to My Documents" check box, and then click OK.

    6.    Close all windows.

    For your reference, you could also take a look at the following KB article.


    Enabling the administrator to have access to redirected folders



    Hope this will help.


    • Marked as answer by Manajee Tuesday, March 24, 2009 7:52 AM
    Monday, March 23, 2009 6:48 AM
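
The root-folder permissions from the "To set security on the shared folders" steps above can also be applied from a script, which makes the resulting ACL reviewable and repeatable. This is an added example, not part of the original answer or the KB article. The function name Set-RedirectRootAcl, the use of well-known SIDs, the "this folder only" scope for Authenticated Users and the inherit-only scope for Creator Owner are assumptions, because the steps do not state an "Apply onto" scope.

```powershell
# Added example: scripted equivalent of GUI steps 5-12 for the share root.
# Assumptions (not in the original answer): the function name, the SID-based
# lookups, and the scopes chosen for Authenticated Users and CREATOR OWNER.
function Set-RedirectRootAcl {
    param([string]$Path)   # e.g. D:\Redirected, the example path from step 2

    if (-not (Test-Path $Path -PathType Container)) { throw "Folder not found: $Path" }

    # Columns: well-known SID, rights, inheritance flags, propagation flags
    $rules = @(
        # BUILTIN\Administrators, steps 7-9
        @('S-1-5-32-544', 'FullControl', 'ContainerInherit, ObjectInherit', 'None'),
        # NT AUTHORITY\SYSTEM, steps 10-11
        @('S-1-5-18', 'FullControl', 'ContainerInherit, ObjectInherit', 'None'),
        # CREATOR OWNER, steps 10-11 (assumed scope: subfolders and files only)
        @('S-1-3-0', 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly'),
        # Authenticated Users, step 12 (assumed scope: this folder only)
        @('S-1-5-11', 'CreateDirectories, ReadPermissions, ReadAttributes, ReadExtendedAttributes', 'None', 'None')
    )

    $acl = Get-Acl -Path $Path
    # Steps 5-6: stop inheriting from the parent and remove the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)

    foreach ($r in $rules) {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($r[0])
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid,
            [System.Security.AccessControl.FileSystemRights]$r[1],
            [System.Security.AccessControl.InheritanceFlags]$r[2],
            [System.Security.AccessControl.PropagationFlags]$r[3],
            [System.Security.AccessControl.AccessControlType]::Allow)
        # SetAccessRule replaces any existing Allow entry for the same identity.
        $acl.SetAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Read the ACL back so the result can be reviewed before users are redirected.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
}

# Usage, from an elevated session on the file server:
#   Set-RedirectRootAcl -Path 'D:\Redirected'
```

The script covers only the share root. The Group Policy change in the second procedure (clearing the exclusive-rights check box) is still made in the Group Policy editor.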