Redirecting My Documents to a Subfolder Produces Unexpected Permissions (273842)

MORE INFORMATION

When you redirect a user's My Documents folder to a network location, you normally specify a path such as \\Server\Share\username. When you do this, a folder with the same name as the user's name is created in the share called "Share" on the server called "Server". For example, when a user named User1 logs on, if User1's account has a group policy object that redirects their My Documents folder to \\Server\Share\username, the following behavior occurs:

• When User1 logs on and the group policy is applied, the folder User1 is created in the share \\Server\Share to create the path \\Server\Share\User1.
• When User1 stores a file in their My Documents folder, which is displayed as a local folder to the user, the file is actually being stored on the network in the \\Server\Share\User1 folder.
• Because the User1 folder is created by the group policy, the following Windows NT file system (NTFS) permissions are applied by default (if the drive that the User1 folder was created on is formatted as NTFS):
  
  
  • User1 - Full Control
  • Everyone - No Access
  • System - Full Control
  
  NOTE: These permissions are default settings and can be modified.
  
  When the permissions are applied, User1 is the only user account that can access the User1 folder on the network. The administrator does not have permission to access the User1 folder.

If you choose to redirect the My Documents folder to a subfolder of username, the permissions that are applied may not be the permissions that you intended. For the preceding example, if you redirect User1's My Documents folder to \\Server\Share\username\My Documents, the following behavior occurs:

• When User1 logs on and the group policy is applied, the folder User1 and the subfolder My Documents are created in the share \\Server\Share to create the path \\Server\Share\User1\My Documents.
• When User1 stores a file in their My Documents folder, which is displayed as a local folder to the user, it is actually being stored on the network in the \\Server\Share\User1\My Documents folder.
• Because the folders User1 and My Documents were created by the group policy, the following NTFS permissions are applied by default (if the drive that User1 and My Documents were created on is formatted as NTFS):
  
  
  • Permissions for the User1 folder:
    • Everyone - Full Control or Everyone - Modify, Read and Execute, List Folder Contents, Read, and Write.
      
      NOTE: The permissions for the User1 folder are inherited from the Share parent folder. This parent folder is a central share that many users have access to.
  • Permissions for the My Documents folder:
    • User1 - Full Control
    • Everyone - No Access
    • System - Full Control
  In this example, the username folder, \\Server\Share\User1, is not secure. The permissions placed on the User1 folder give any user who has access to the \\Server\Share folder the same level of access to the \\Server\Share\User1 folder.
  
  However, the My Documents folder in \\Server\Share\User1\My Documents is secure. Because of the default permissions placed on the My Documents folder, only User1 can access the folder and its contents.

It is recommended that you do not rely on group policies alone to configure permissions; folders configured by a group policy may not have the permissions you expected. When you want to create a secure home directory for the user, create the following path: \\Server\Share\username. When you want to create a secure redirected My Documents folder, create the following path: \\Server\Share\username\My Documents.

For additional information about NTFS permissions or folder redirection in Windows 2000, click the article numbers below to view the articles in the Microsoft Knowledge Base: