Manu Narayan Posted September 1, 2005

We use redirected folders via a GPO. Everyone's My Documents and Desktop are redirected to a server. This allows for backup as well as 'roaming' users.

The issue is, the share was set up with the root, everyone has access (not a security breach, people can see a user's root folder, but not traverse inside). However, the GPO was set up to grant each user 'exclusive rights' to their own folder. This prohibits domain admins from accessing the data.

I've since modified the root share to have full control for Creator/Owner, Domain Admin, and System. However, this permission will not propagate, since the domain admin is not the owner of the user's folder.

I've tried to uncheck 'grant exclusive rights' on the GPO, and that works for new redirected folders, but it does not change the status of existing users (even on log on/log off).

So the question is, as a domain admin, if I have no permissions/am not the owner on a folder, how can I add permissions to it? Or, more precisely, how can I make it so after the fact, a domain admin can access a redirected folder...

Thanks...
Manu

Noise Posted September 1, 2005

You're screwed.

Well... maybe not. If you have physical access to the server you can try accessing the share directory via the system account. Use the "at" command to schedule a command prompt (cmd.exe) to run interactively. When the scheduled event pops up the command prompt window, see if you can access the forbidden directories.

chilifrei64 Posted September 1, 2005

I ran into this problem once before and what I did was create a policy that I had run after the original one that I made, and had it redirect the redirected documents to another location where I set up the proper permissions and group policy settings.

Manu Narayan (Author) Posted September 1, 2005

> You're screwed.
>
> Well... maybe not. If you have physical access to the server you can try accessing the share directory via the system account. Use the "at" command to schedule a command prompt (cmd.exe) to run interactively. When the scheduled event pops up the command prompt window, see if you can access the forbidden directories.

Well, I don't think I am screwed. Worst case I need to manually take ownership when I need to access someone's files.

> I ran into this problem once before and what I did was create a policy that I had run after the original one that I made, and had it redirect the redirected documents to another location where I set up the proper permissions and group policy settings.

I was hoping I'd be able to avoid a new GPO, but my research seems to be taking me that way. When you did the new policy, did it first redirect documents to the user's profile and then the new share? If the new share is on the same physical server, is it pretty quick? I am worried about the time it will take my users.

InTheWayBoy Posted September 2, 2005

Since I'm kinda new to AD/GPO this may be a silly idea... but why not delete the GPO, take ownership of the root folder and have it apply to child items, and then make another GPO and not select the "Exclusive" setting? I think I did that on a beta server once and I seem to remember it being okay... but seems too easy.

Manu Narayan (Author) Posted September 2, 2005

> Since I'm kinda new to AD/GPO this may be a silly idea... but why not delete the GPO, take ownership of the root folder and have it apply to child items, and then make another GPO and not select the "Exclusive" setting? I think I did that on a beta server once and I seem to remember it being okay... but seems too easy.

That might work, I will give it a try.

chilifrei64 Posted September 2, 2005

The logon time was a bit slower but it is only a small price to pay to be able to back up all the documents and recover them in the event of a disaster.

And yes, what InTheWayBoy said, in theory, sounds like it would work. I would try his way first... the only thing is that you would have to set the permissions on their folders again for each user unless you left it full control to everyone until they all logged on again and they were moved. If you had a sneaky user on your network or someone who was looking for their "Big Chance" I would think twice.

Manu Narayan (Author) Posted September 2, 2005

> The logon time was a bit slower but it is only a small price to pay to be able to back up all the documents and recover them in the event of a disaster.
>
> And yes, what InTheWayBoy said, in theory, sounds like it would work. I would try his way first... the only thing is that you would have to set the permissions on their folders again for each user unless you left it full control to everyone until they all logged on again and they were moved. If you had a sneaky user on your network or someone who was looking for their "Big Chance" I would think twice.

Well, that I know and agree with, as that is why we currently have redirected folders, but, just to give Domain Admins access to the data, I am not sure if it is worth making users need to 'reapply' the setting.
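
The "take ownership, then add permissions" route discussed in this thread can be scripted per user folder instead of done by hand. The following is an added example, not code from any poster; the share path, the domain name and the rule that each folder is named after the user's logon name are assumptions, and it must be run from an elevated prompt on the file server.

```powershell
# Added example. $Root, $Domain and the folder-name = logon-name rule are assumptions.
param(
    [string]$Root   = 'D:\Redirected',  # hypothetical root of the redirection share
    [string]$Domain = 'EXAMPLE',        # placeholder NetBIOS domain name
    [switch]$Apply                      # without -Apply, only report what would change
)

$admins = "$Domain\Domain Admins"

foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $path = $dir.FullName
    $user = "$Domain\$($dir.Name)"      # assumption: folder is named %USERNAME%

    # Skip folders that do not map to a live account (leavers, stray directories),
    # so ownership is never handed to a name that cannot be resolved.
    try {
        $null = (New-Object System.Security.Principal.NTAccount($user)).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account for '$($dir.Name)'; left untouched: $path"
        continue
    }

    if (-not $Apply) {
        Write-Output "Would fix: $path (owner restored to $user)"
        continue
    }

    # 1. Take ownership for the local Administrators group; an admin with no
    #    ACL entry can still do this through the take-ownership privilege.
    takeown.exe /F $path /A /R /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "takeown failed: $path"; continue }

    # 2. Add (not replace) inheritable Full Control for Domain Admins and SYSTEM.
    icacls.exe $path /grant "${admins}:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "grant failed: $path"; continue }

    # 3. Hand ownership back to the user, so the folder still looks to
    #    Folder Redirection like one the user created.
    icacls.exe $path /setowner $user /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "setowner failed: $path" }
    else { Write-Output "Fixed: $path" }
}
```

Run it once without `-Apply` to review the list of folders, and keep the Domain Admins group membership tight, since every member gains read access to all users' documents.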