Folder Redirection + Exclusive Rights + Administrator Access = Anger

bigdogchris

I'm trying to allow folder redirection on Server 2008 R2 to automatically create folders that only the users they are created for have access to. I have a lot of new users every year so I don't want to be creating hundreds of user folders manually. To do this I'm using Exclusive Rights, and it's working great. However, Administrators don't have access to the folders without taking ownership (thus screwing up NTFS security on the users' stuff). I also don't want to leave it like this because sometimes we need to search through large amounts of user folders if we're looking for something in a user's folder. If you do this without using Exclusive Rights, all users can see all other users' data.

So, I need to find out a way to allow these folders to be created automatically with group policy. I don't want to use scripts, just group policy. Is it possible to set up some type of sharing/NTFS permission scheme where any user can create a folder (where I point them to) but only the creator and administrator can view the contents? I would only consider a script that I would run afterwards in order to add administrator rights to the NTFS permissions of the created folders.

I see Microsoft has a KB regarding this and a workaround, however it only works for Server 2000 and 2003, and I'm on Server 2008. The options they want you to adjust are not there. Also, towards the bottom of this blog, they have directions to do something similar with folder redirection, but I can't get it to work.
 
Hey, thanks. That's just about what I'm looking for. It works well.

However, if the Administrator drops a file into a user's folder, they become the CO, and the user can't access it. When moving a lot of user data around I can see that being a huge issue. I wouldn't want to have to change every file's ownership over to the user.

So, is there any way to have it add Full-Control for the user when they create it?

If not, I might just have to use scripting to create a user folder. Any resources for that?
 
In that case can't you just add the user to their folder and have the permissions propagate to all child objects under their folder?
 
Of course, when you have around 1,000 users, it's not something you want to do manually :p

I re-read that TechNet blog post I linked and it says that when you use Home Drive in user account CP, that it grants the auto-generated profile Full-Control to the specific user. So even if an Administrator dropped in the file and was the CO, the user could still modify it. I couldn't get it to work when I was testing it but I may have had share permissions set up wrong. I'll try that again tomorrow.
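
The after-the-fact script asked about in this thread, as an added example that is not part of the original posts: for every folder under the redirection root it adds an inheritable Full Control entry for BUILTIN\Administrators and for the user the folder is named after, without changing ownership. The root path, the domain name and the folder-name-equals-logon-name convention are assumptions, and it must run in a context that can already read and write the folder ACLs (for example Local System on the file server, which Exclusive Rights leaves with access).

```powershell
# Added example, not from the thread. Assumed: $Root, $Domain, and that each
# folder directly under $Root is named after the owning user's logon name.
# Written for Windows PowerShell (GetAccessControl/SetAccessControl on DirectoryInfo).
param(
    [string]$Root   = 'D:\Redirected',   # hypothetical local path of the redirection root
    [string]$Domain = 'CONTOSO',         # placeholder domain name
    [switch]$Apply                       # without -Apply the script only reports
)

$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
# Well-known SID of BUILTIN\Administrators, independent of OS language.
$admins  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dir = $_
    try {
        # Resolve the account first, so a stray folder never gets an ACE
        # for a name that does not map to a real user.
        $account = New-Object System.Security.Principal.NTAccount($Domain, $dir.Name)
        $userSid = $account.Translate([System.Security.Principal.SecurityIdentifier])

        # Read only the DACL. Owner and audit entries are not loaded, so
        # writing the object back cannot change who owns the folder.
        $acl = $dir.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)

        foreach ($sid in @($admins, $userSid)) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                        $sid, $full, $inherit, $prop, $allow)
            $acl.AddAccessRule($rule)    # merges with an existing matching entry
        }

        if ($Apply) {
            $dir.SetAccessControl($acl)
            Write-Output ("updated  {0}" -f $dir.FullName)
        } else {
            Write-Output ("would update  {0}  (Administrators + {1})" -f $dir.FullName, $account.Value)
        }
    } catch {
        # Access denied here means the script is not running in a context
        # that already has rights on the folder; unknown names land here too.
        Write-Warning ("skipped {0}: {1}" -f $dir.FullName, $_.Exception.Message)
    }
}
```

Run it once without `-Apply` and review the list and any warnings before writing changes. Because the user's entry is inheritable, files an administrator later creates in the folder inherit the user's Full Control even though the administrator is their owner.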
 