0

I have a DFS share on "\\corp\content\", in this there is a folder named Personal. Owner Rights, Domain Admins and System all have full rights to this folder and Authenticated users can create folders, read attributes and permissions.

I have a Group Policy redirecting all possible folders on desktops to this share, e.g. \\corp\content\testuser\desktop. This policy applies to XP but does not grant the user exclusive rights.

When a user logs in for the first time (on XP) they create a folder as expected and it has the appropriate rights. When it gets to the Start Menu, however, it creates \\corp\content\personal\testuser\Start Menu\Programs, and this folder lacks any entry for Owner Rights (these rights seem not to be inherited). \\corp\content\personal\testuser\Start Menu\ does, however, have the rights as expected. The group policy then fails, as it is unable to copy data to the directory that has been created.

This error isn't specific to Start Menu, as disabling that redirection causes a similar fault in Application Data. The server is Windows Server 2008 R2 Enterprise; the client is Windows XP. When the GPO dictates that exclusive rights should be granted, the redirection functions as expected.

My goal is to have the Domain Admins group able to read the folders created by folder redirection (for backup and helpdesk requirements).

Has anyone accomplished this, or does anyone know what could be causing the above error?

By request, gpresult section relevant to folder redirection:

    Folder Redirection
    ------------------
        GPO: Policy: Folder Redirection and Offline Files
            Setting:  InstallationType:  basic
                Grant Type:        Not Exclusive Rights
                Move Type:         Contents of Local Directory moved
                Policy Removal:    Leave folder in existing location
                Redirecting Group: Everyone
                Redirected Path:   \\corp\content\personal\test1\application data

        GPO: Policy: Folder Redirection and Offline Files
            Setting:  InstallationType:  basic
                Grant Type:        Not Exclusive Rights
                Move Type:         Contents of Local Directory moved
                Policy Removal:    Leave folder in existing location
                Redirecting Group: Everyone
                Redirected Path:   \\corp\content\personal\test1\start menu\Programs\Startup

        GPO: Policy: Folder Redirection and Offline Files
            Setting:  InstallationType:  basic
                Grant Type:        Not Exclusive Rights
                Move Type:         Contents of Local Directory moved
                Policy Removal:    Leave folder in existing location
                Redirecting Group: Everyone
                Redirected Path:   \\corp\content\personal\test1\desktop

        GPO: Policy: Folder Redirection and Offline Files
            Setting:  InstallationType:  basic
                Grant Type:        Not Exclusive Rights
                Move Type:         Contents of Local Directory moved
                Policy Removal:    Leave folder in existing location
                Redirecting Group: Everyone
                Redirected Path:   \\corp\content\personal\test1\start menu

        GPO: Policy: Folder Redirection and Offline Files
            Setting:  InstallationType:  basic
                Grant Type:        Not Exclusive Rights
                Move Type:         Contents of Local Directory moved
                Policy Removal:    Leave folder in existing location
                Redirecting Group: Everyone
                Redirected Path:   \\corp\content\personal\test1\pictures

        GPO: Policy: Folder Redirection and Offline Files
            Setting:  InstallationType:  basic
                Grant Type:        Not Exclusive Rights
                Move Type:         Contents of Local Directory moved
                Policy Removal:    Leave folder in existing location
                Redirecting Group: Everyone
                Redirected Path:   \\corp\content\personal\test1\start menu\Programs

        GPO: Policy: Folder Redirection and Offline Files
            Setting:  InstallationType:  basic
                Grant Type:        Not Exclusive Rights
                Move Type:         Contents of Local Directory moved
                Policy Removal:    Leave folder in existing location
                Redirecting Group: Everyone
                Redirected Path:   \\corp\content\personal\test1\documents
Antitribu

2 Answers

2

I don't allow Windows clients to create their redirected folders. Frankly, it seems like a potential DoS attack to me to have a world-writeable folder on a server computer where any user account can create sub-folders. (The whole notion of the client creating important folders like this seems brain-damaged to me-- as does the default behavior of breaking the permission inheritance hierarchy and specifying "User / Full Control". Whoever in Microsoft thought up that behavior had their head firmly up their ass and obviously doesn't administer production file servers.)

When I provision a user account (via script) I also create the redirected Desktop, Application Data, and My Documents folders (I don't do Start Menu redirection anywhere, but it should function similarly) in the correct location and add a "User / Full Control" ACL to the folder immediately after creating it. The parent directory of any redirected folder hierarchy has "Administrators / Full Control" and "Authenticated Users / List Folder Contents - This folder only" specified on it already. I end up with a nice clean permission inheritance hierarchy and no world-writeable folder.

This has worked well for me with Windows 2000 through Windows 7 clients. I don't mind the provisioning, since I'm doing it via script, and it makes me happy not to have a world-writeable folder on my server computers.

Evan Anderson
  • Is there a benefit to granting "Full" instead of "Modify"? I thought full only added the ability to take ownership and edit ACLs. – jscott Jun 24 '10 at 12:42
  • My recollection was that the Folder Redirection CSE in *some* version of Windows complained when the user didn't have "Full Control" permission, but I may be jumping at shadows. I've been doing it this way for so long now (since W2K) that I can't say for sure. – Evan Anderson Jun 24 '10 at 13:03
  • Evan, any chance of a look at your user provisioning script? – Tim Long Nov 30 '10 at 14:53
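The provisioning Evan describes, written out as an added PowerShell example. This is my code, not Evan's script and not anything posted in the thread. It assumes the share root from the question (\\corp\content\personal), a domain NetBIOS name of CORP, the subfolder names from the question's gpresult output, and that it runs as a Domain Admin on a machine with PowerShell 2.0 or later (the 2008 R2 server will do); the function and parameter names are my own. It also builds in the check the question's symptom calls for: after creating the tree it walks every folder and reports any that has broken inheritance or is missing the Domain Admins entry.

```powershell
# Added example, not code from the original thread. Paths, domain name and
# subfolder names are assumptions taken from the question; adjust to fit.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [string]$Root   = '\\corp\content\personal',
    [string]$Domain = 'CORP'
)
$ErrorActionPreference = 'Stop'

# Build an Allow ACE. Inherit 'None' is what the GUI calls "This folder only".
function New-AllowAce {
    param([string]$Identity, [string]$Rights,
          [string]$Inherit = 'ContainerInherit, ObjectInherit')
    $argList = @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $argList
}

# One-time setup of the root: no inheritance from the share, no
# "Authenticated Users / Create Folders" (the world-writeable ACE the answer
# objects to), and an explicit Domain Admins ACE for the backup/helpdesk goal.
function Set-RedirectionRootAcl {
    param([string]$Path, [string]$Domain)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # inherited ACEs are dropped on apply
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $acl.AddAccessRule((New-AllowAce 'NT AUTHORITY\SYSTEM'    'FullControl'))
    $acl.AddAccessRule((New-AllowAce 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-AllowAce "$Domain\Domain Admins"  'FullControl'))
    # "List Folder Contents - This folder only": users can find their own folder
    # but cannot create anything at the root.
    $acl.AddAccessRule((New-AllowAce 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' 'None'))
    Set-Acl -Path $Path -AclObject $acl
}

# Create the user's tree. The user's Full Control ACE is added, not substituted,
# on their top-level folder, so Administrators / Domain Admins keep inheriting.
function New-RedirectedUserFolders {
    param([string]$Root, [string]$Domain, [string]$SamAccountName)
    $userRoot = Join-Path $Root $SamAccountName
    if (-not (Test-Path -Path $userRoot)) { [void](New-Item -ItemType Directory -Path $userRoot) }
    $acl = Get-Acl -Path $userRoot
    $acl.AddAccessRule((New-AllowAce "$Domain\$SamAccountName" 'FullControl'))
    Set-Acl -Path $userRoot -AclObject $acl
    # Subfolder names as they appear in the question's gpresult output.
    $subs = 'desktop', 'application data', 'documents', 'pictures',
            'start menu', 'start menu\Programs', 'start menu\Programs\Startup'
    foreach ($sub in $subs) {
        $p = Join-Path $userRoot $sub
        if (-not (Test-Path -Path $p)) { [void](New-Item -ItemType Directory -Path $p) }
    }
    return $userRoot
}

# Walk the finished tree and report the two things the question saw go wrong:
# a folder that stopped inheriting, or one with no Domain Admins entry.
function Test-RedirectedUserFolders {
    param([string]$UserRoot, [string]$Domain)
    $problems = @()
    $dirs = @(Get-Item -Path $UserRoot) +
            @(Get-ChildItem -Path $UserRoot -Recurse | Where-Object { $_.PSIsContainer })
    foreach ($d in $dirs) {
        $acl = Get-Acl -Path $d.FullName
        if ($acl.AreAccessRulesProtected) { $problems += "$($d.FullName): inheritance disabled" }
        $hasDa = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq "$Domain\Domain Admins" -and $_.AccessControlType -eq 'Allow'
        }
        if (-not $hasDa) { $problems += "$($d.FullName): no Domain Admins ACE" }
    }
    return ,$problems
}

Set-RedirectionRootAcl -Path $Root -Domain $Domain
$userRoot = New-RedirectedUserFolders -Root $Root -Domain $Domain -SamAccountName $SamAccountName
$issues = Test-RedirectedUserFolders -UserRoot $userRoot -Domain $Domain
if ($issues.Count -gt 0) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Provisioned $userRoot; inheritance intact all the way down." }
```

Run it once per new user from the account-provisioning step, for example `.\New-RedirectedFolders.ps1 -SamAccountName test1`. Two caveats: Set-RedirectionRootAcl rewrites the root's explicit ACEs, so review it before pointing it at a root that already carries entries you want to keep; and leave the GPO at "Not Exclusive Rights", as in the question's gpresult output, because folders created this way are owned by the admin account that ran the script rather than by the user, and the exclusive-rights setting expects the user to own the folder.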
1

Make sure the settings are per this link:

http://support.microsoft.com/kb/274443

tony roth
  • Thanks for the link; the directories for the folders were already set up as such, and unfortunately I'm still experiencing the problem. – Antitribu Jun 23 '10 at 13:14
  • Can you post a dump of the GPO section that pertains to the redirection? "gpresult /z > somefile.txt", then just copy the relevant section. Also, you list "personal" as part of the DFS path and your example does not show that; was that an omission? – tony roth Jun 23 '10 at 14:24
  • Added the requested section to the question and also corrected the omissions from the paths, thanks. – Antitribu Jun 24 '10 at 11:55
  • Do you have two shares, one \\corp\content and one \\corp\content\personal? – tony roth Jun 24 '10 at 14:16
  • No, just the one; files are shared out with full permissions and restrictions at the NTFS level. – Antitribu Jun 28 '10 at 08:37