Wednesday, 25 July 2012

Folder redirection and Group Policy for Server 2003

This article discusses the Folder Redirection feature and how it can be used, particularly by administrators.

Microsoft Windows Server 2003 and Microsoft Windows 2000 Server have a feature that can redirect specific user folders to server locations by using a Group Policy extension called Folder Redirection. By default, the Folder Redirection feature enables the user to have exclusive access to the redirected folder.

Many administrators want the Folder Redirection feature to enable a user's folders to be automatically redirected to a newly created folder for each user, but, at the same time, to have the Administrators group automatically added to the NTFS file system's access control list (ACL).


When you redirect folders by using Group Policy, it is recommended that you enable the Folder Redirection client-side feature to automatically create the user's folders to ensure that the folder is secure. By default, administrators do not have access to the redirected folders.

To make the redirected folders secure, the Folder Redirection feature performs the following actions:
Gives ownership of the folder to the user.
Sets the following ACLs on the folder:
User: Full Control
Local System: Full Control
Prevents inheritance of ACLs from the parent folder.
To access the files in a user's redirected folders, the administrator must either log on as the user whose folder is being redirected or take ownership of the folder and manually change the ACLs on the folder.

Note The act of taking ownership can cause subsequent redirections to be unsuccessful because the Folder Redirection feature ensures that the user is the owner of the folder to which they are being redirected.

To avoid the preceding issues, you can configure the Folder Redirection feature to enable administrator access but to still automatically create folders in a secure manner.

Windows Server 2003

To set security on the shared folders in Windows Server 2003

1.    Log on as an administrator to the server that can host the user's redirected folders.

2.    Locate the top-level folder that can hold the user's redirected documents (for example, D:\Redirected, which is shared as \\Server\Redirected\) by using Windows Explorer. Right-click the folder, and then click Properties.

3.    Click the Security tab.

4.    Click Advanced.

5.    Click to clear the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here. check box.

6.    When you are prompted to copy or remove permissions, click Remove.

7.    If the Administrators group is not present, click Add, type Administrators, and then click OK.

8.    Select the Administrators group, and then click Edit.

9.    Verify that the Full Control permission is set to Allow, and then click OK.

10.    Click Add, and add System and Creator Owner to the Permissions entries.

11.    Verify that the System and Creator Owner objects have the Full Control / Allow permission.

12.    Click Add, add Authenticated Users, and then set the following permissions to Allow:
Create Folders / Append Data
Read Permissions
Read Attributes
Read Extended Attributes

13.    Close all property sheets and dialog boxes.

To configure the Folder Redirection feature 

1.    Open the Group Policy object where Folder Redirection policy is set.

2.    Under User Configuration, double-click Windows Settings.

3.    Double-click Folder Redirection.

4.    Click the folder you want to configure (for example, My Documents). Right-click the folder, and then click Properties.

5.    Select the Settings property page, click to clear the Grant the user exclusive rights to My Documents check box, and then click OK.

6.    Close all windows.

Now when a user logs on and the Folder Redirection Group Policy extension runs, it can create the users folder in the \\Server\Redirected\Username folder and correctly set the owner of the folder as the user. If you click to clear the Grant user exclusive rights to my documents check box, the user's redirected folder can inherit the ACLs from its parent, which are set to:

Administrators: Full Control
System: Full Control
Creator Owner: Full Control
The user has full control because the user is the owner. The Administrators group and the System have full control, but the folder is still secure and other users cannot see the contents of the folder's data because they do not belong to any of the preceding three ACLs.


When an administrator attempts to access a user's redirected My Documents folder, the administrator receives an "Access is Denied" message.


This behavior occurs because a user or an administrator applied a Group Policy...
This behavior occurs because a user or an administrator applied a Group Policy object to redirect the user's My Documents folder to a network share (\\Server\Share\UserName), and did not change the Grant the user exclusive rights to My Documents default setting.

Only the user, to whom the folder belongs, has authorization to access this folder when this default setting is used.


An administrator must take ownership of the folder in order to change the Acces...
An administrator must take ownership of the folder in order to change the Access Control List (ACL) or to access the folder.

To take ownership of a folder, follow these steps:

1.    Right-click the desired folder, click Properties, and then click the Security tab.

2.    Click OK when you receive the following message:
You only have permission to view the current security information on username

3.    Click Advanced, and then click the Owner tab.

4.    Select a new owner, select Replace owner on subcontainers and objects, and then click OK.

5.    Click Yes when you receive the following message:
You do not have permission to read the contents of directory path and directory name. Do you want to replace the directory permissions with permissions granting you Full Control?

6.    Close, and then reopen Properties to refresh the ACL.
Note: The permissions for this folder are now being inherited from the parent folder. In most cases you should block inheritance from the parent by clearing the Allow inheritable permissions from parent to propagate to this object check box. You will then be able to change the permissions on this folder.


Post a Comment