Enabling the administrator to have access to redirected folders (288991)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
This article was previously published under Q288991

SUMMARY

This article discusses the Folder Redirection feature and how it can be used, particularly by administrators.

Microsoft Windows Server 2003 and Microsoft Windows 2000 Server have a feature that can redirect specific user folders to server locations by using a Group Policy extension called Folder Redirection. By default, the Folder Redirection feature enables the user to have exclusive access to the redirected folder.

Many administrators want the Folder Redirection feature to enable a user's folders to be automatically redirected to a newly created folder for each user, but, at the same time, to have the Administrators group automatically added to the NTFS file system's access control list (ACL).

MORE INFORMATION

When you redirect folders by using Group Policy, it is recommended that you enable the Folder Redirection client-side feature to automatically create the user's folders to ensure that the folder is secure. By default, administrators do not have access to the redirected folders.

To make the redirected folders secure, the Folder Redirection feature performs the following actions:
  • Gives ownership of the folder to the user.
  • Sets the following ACLs on the folder:
    User: Full Control
    Local System: Full Control
  • Prevents inheritance of ACLs from the parent folder.
To access the files in a user's redirected folders, the administrator must either log on as the user whose folder is being redirected or take ownership of the folder and manually change the ACLs on the folder.

Note The act of taking ownership can cause subsequent redirections to be unsuccessful because the Folder Redirection feature ensures that the user is the owner of the folder to which they are being redirected.

To avoid the preceding issues, you can configure the Folder Redirection feature to enable administrator access but to still automatically create folders in a secure manner.

Windows Server 2003

To set security on the shared folders in Windows Server 2003

  1. Log on as an administrator to the server that can host the user's redirected folders.
  2. Locate the top-level folder that can hold the user's redirected documents (for example, D:\Redirected, which is shared as \\Server\Redirected\) by using Windows Explorer. Right-click the folder, and then click Properties.
  3. Click the Security tab.
  4. Click Advanced.
  5. Click to clear the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here. check box.
  6. When you are prompted to copy or remove permissions, click Remove.
  7. If the Administrators group is not present, click Add, type Administrators, and then click OK.
  8. Select the Administrators group, and then click Edit.
  9. Verify that the Full Control permission is set to Allow, and then click OK.
  10. Click Add, and add System and Creator Owner to the Permissions entries.
  11. Verify that the System and Creator Owner objects have the Full Control / Allow permission.
  12. Click Add, add Authenticated Users, and then set the following permissions to Allow:
    • Create Folders / Append Data
    • Read Permissions
    • Read Attributes
    • Read Extended Attributes
  13. Close all property sheets and dialog boxes.

To configure the Folder Redirection feature

  1. Open the Group Policy object where Folder Redirection policy is set.
  2. Under User Configuration, double-click Windows Settings.
  3. Double-click Folder Redirection.
  4. Click the folder you want to configure (for example, My Documents). Right-click the folder, and then click Properties.
  5. Select the Settings property page, click to clear the Grant the user exclusive rights to My Documents check box, and then click OK.
  6. Close all windows.

Windows 2000

To set security on the shared folders in Windows 2000

  1. Log on as an administrator to the server that can host the users redirected folders.
  2. Locate the top-level folder that can hold the users redirected documents (for example, D:\Redirected, which is shared as \\Server\Redirected\) folder by using Windows Explorer. Right-click the folder, and then click Properties.
  3. Select the Security property page.
  4. Click to clear the Allow inheritable permissions from parent to propagate to this object check box.
  5. When you are prompted to copy or to remove permissions, click Remove, and then click Add. Add the Administrators group, System, and Creator Owner. Give them all full control of this folder.
  6. Click Advanced, and then click Add. Select Authenticated Users. When the permission entry dialog box appears, click to select the Allow check box for Create Folders/Append Data, Read Permissions, Read Attributes and Read Extended Attributes. In the Apply to box, select This folder only.
  7. Close all property sheets and dialog boxes.

To configure the Folder Redirection feature

  1. Open the Group Policy object where Folder Redirection policy is set.
  2. Under User Configuration, double-click Windows Settings.
  3. Double-click Folder Redirection.
  4. Click the folder you want to configure (for example, My Documents). Right-click the folder, and then click Properties.
  5. Select the Settings property page, and then click to clear the Grant user exclusive rights to my documents box.
  6. Close all windows.
Now when a user logs on and the Folder Redirection Group Policy extension runs, it can create the users folder in the \\Server\Redirected\Username folder and correctly set the owner of the folder as the user. If you click to clear the Grant user exclusive rights to my documents check box, the user's redirected folder can inherit the ACLs from its parent, which are set to:

Administrators: Full Control
System: Full Control
Creator Owner: Full Control
The user has full control because the user is the owner. The Administrators group and the System have full control, but the folder is still secure and other users cannot see the contents of the folder's data because they do not belong to any of the preceding three ACLs.

MORE INFORMATION

Technical support for Windows x64 editions

Your hardware manufacturer provides technical support and assistance for Microsoft Windows x64 editions. Your hardware manufacturer provides support because a Windows x64 edition was included with your hardware. Your hardware manufacturer might have customized the Windows x64 edition installation with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your Windows x64 edition. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.

For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:

http://www.microsoft.com/windowsxp/64bit/default.mspx

For product information about Microsoft Windows Server 2003 x64 editions, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserver2003/64bit/x64/default.mspx

Modification Type:MinorLast Reviewed:1/27/2006
Keywords:kbhowto KB288991
©2004 Microsoft Corporation. All rights reserved.