Enabling the Administrator to Have Access to Redirected Folders
The information in this article applies to:
· Microsoft Windows 2000 Server SP1
· Microsoft Windows 2000 Server SP2
· Microsoft Windows 2000 Advanced Server SP1
· Microsoft Windows 2000 Advanced Server SP2
· Microsoft Windows 2000 Professional SP1
· Microsoft Windows 2000 Professional SP2
This article was previously published under Q288991
SUMMARY
This article discusses the Folder Redirection feature and how it can be used,
particularly by administrators.
Windows 2000 Server has a feature that can redirect specific user folders to
server locations, using a Group Policy extension called Folder Redirection. By
default, the Folder Redirection feature enables the user to have exclusive
access to the redirected folder.
Many administrators want the Folder Redirection feature to enable a user's
folders to be automatically redirected to a newly created folder for each user,
but, at the same time, to have the Administrators group automatically added to
the NTFS file system's access control list (ACL).
MORE INFORMATION
When you redirect folders using Group Policy, it is recommended that you enable
the Folder Redirection client-side feature to automatically create the users'
folders to ensure that the folder is secure. By default, administrators do not
have access to the redirected folders.
To make the redirected folders secure, the Folder Redirection feature performs
the following actions:
· Gives ownership of the folder to the user.
· Sets the following ACLs on it:
    User: Full Control
    Local System: Full Control
· Prevents inheritance of ACLs from the parent folder.
To access the files in a user's redirected folders, the administrator must
either log on as the user whose folder is being redirected, or take ownership
of the folder and manually change the ACLs on it.
NOTE: The act of taking ownership can cause subsequent redirections to
be unsuccessful, as the Folder Redirection feature ensures that the user is the
owner of the folder to which they are being redirected.
To avoid the preceding issues, you can configure the Folder Redirection feature
to give administrators access, but still automatically create folders in a
secure manner.
To Set Security on the Shared Folders:
1. Log on as an administrator to the server that can host the users'
   redirected folders.
2. Using Windows Explorer, locate the top-level folder that can hold the
   users' redirected documents (for example, D:\Redirected, which is shared as
   \\Server\Redirected\). Right-click the folder, and then click Properties.
3. Select the Security property page.
4. Click to clear the Allow inheritable permissions from parent to propagate
   to this object check box.
5. When you are prompted to copy or to remove permissions, click Remove, and
   then click Add. Add the Administrators group, System, and Creator Owner.
   Give them all Full Control of this folder.
6. Click the Advanced button, and then click Add. Select Authenticated Users.
7. When the permission entry dialog appears, check the Allow check box for
   Create Folders/Append Data, Read Permissions, Read Attributes and Read
   Extended Attributes. In the "Apply to" drop-down box, select "This folder
   only".
8. Close all property sheets and dialogs.
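The permissions set on the top-level folder in the steps above can be checked from the folder's security descriptor in SDDL form. The following Python is an added example, not part of the original article: the two sample descriptors are constructed, and it assumes the SDDL string has already been exported by whatever tool is available on the server.

```python
import re

SYNCHRONIZE = 0x100000
FULL_CONTROL = 0x1F01FF                     # FILE_ALL_ACCESS
RIGHTS = {"FA": FULL_CONTROL, "GA": FULL_CONTROL}  # GENERIC_ALL maps to full control
# Create Folders/Append Data | Read Extended Attributes | Read Attributes | Read Permissions
AU_EXPECTED = 0x4 | 0x8 | 0x80 | 0x20000
FULL_SIDS = {"BA", "SY", "CO"}              # Administrators, System, Creator Owner

def parse_dacl(sddl):
    """Return (dacl_flags, [(type, ace_flags, mask, sid), ...]) for the D: part."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")[:6]
        # Only FA, GA and hex masks are handled; other abbreviations raise ValueError.
        mask = RIGHTS[rights] if rights in RIGHTS else int(rights, 16)
        aces.append((ace_type, flags, mask, sid))
    return m.group(1), aces

def audit_root(sddl):
    """Return findings; an empty list means the root matches the steps above."""
    flags, aces = parse_dacl(sddl)
    findings, seen = [], set()
    if "P" not in flags:
        findings.append("DACL not protected: parent permissions can propagate")
    for ace_type, ace_flags, mask, sid in aces:
        if ace_type != "A":
            continue                        # deny/audit ACEs are out of scope here
        if sid in FULL_SIDS:
            if mask == FULL_CONTROL and "OI" in ace_flags and "CI" in ace_flags:
                seen.add(sid)
        elif sid == "AU":
            seen.add(sid)
            # "This folder only" means no inheritance flags; SYNCHRONIZE is ignored.
            if ace_flags or (mask & ~SYNCHRONIZE) != AU_EXPECTED:
                findings.append(f"AU entry differs: flags={ace_flags!r} mask={mask:#x}")
        else:
            findings.append(f"unexpected allow entry for {sid}")
    for sid in sorted((FULL_SIDS | {"AU"}) - seen):
        findings.append(f"missing or weaker entry for {sid}")
    return findings

# Constructed sample descriptors (not taken from a real server).
GOOD = "O:BAG:DUD:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICIIO;GA;;;CO)(A;;0x12008c;;;AU)"
BAD = "O:BAG:DUD:AI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;AU)"

if __name__ == "__main__":
    for name, sddl in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_root(sddl) or "matches")
```

The BAD sample shows the case to watch for: an Authenticated Users entry that is inheritable and carries read rights, which would flow down into every user's redirected folder.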
To Configure the Folder Redirection Feature:
1. Open the Group Policy object where Folder Redirection policy is set.
2. Under User Configuration, double-click Windows Settings.
3. Double-click Folder Redirection.
4. Click the folder you want to configure (for example, My Documents).
   Right-click, and then click Properties.
5. Select the Settings property page, and click to clear the Grant user
   exclusive rights to my documents check box.
6. Close all windows.
Now when a user logs on and the Folder Redirection Group Policy extension runs,
it can create the user's folder in the \\Server\Redirected\Username folder and
correctly set the owner of the folder as the user. If you click to clear the
Grant user exclusive rights to my documents check box, the user's redirected
folder can inherit the ACLs from its parent, which are set to:
    Administrators: Full Control
    System: Full Control
    Creator Owner: Full Control
The user has full control because the user is the owner. The Administrators
group and the System have full control, but the folder is still secure and
other users cannot see the contents of the folder's data because they are not
covered by any of the preceding three ACLs.