Channel: Folder redirection GP and CREATOR OWNER inheritance/scope - Server Fault

Folder redirection GP and CREATOR OWNER inheritance/scope


We use the folder redirection group policy to place users' My Documents folders on a network share.

We have configured the share with Microsoft's recommended NTFS permissions, as defined here: https://support.microsoft.com/en-us/help/274443/how-to-dynamically-create-security-enhanced-redirected-folders-by-usin. Specifically:

  • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
  • System - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
  • Everyone - List Folder/Read Data (Apply onto: This Folder Only)
  • Everyone - Read Attributes (Apply onto: This Folder Only)
  • Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

However, that KB article also states (key points in bold):

By the end of May 2017, all supported operating systems converted the CREATOR OWNER ACE to:

    <Folder-User> - Full Control (Apply onto: This Object only)

Whereas this does not affect the daily operations of the folders for the users, it makes a difference when the administrator has to work on the contents of the home folders or redirected folders.

If you want to make sure the user gets inheritable full control on all child objects, you have to:

Create the folder matching the user's sAMAccountName yourself. Set the permissions that are needed for the folder, omit the Everyone ACEs above, and make sure that you have the ACE:

    <Folder-User> - Full Control (Apply onto: This Folder, Subfolders and Files)

In other words, if SYSTEM creates a subfolder in a user's folder, the user won't be able to access that subfolder because they no longer inherit full control of it like they used to.

Microsoft's workaround for this is to manually create the user's root folder and manually set the user's permissions with the necessary scope.

Is there any way to automate this via group policy, or is scripting the only option here?
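One way to script the manual step the KB article describes, added here as an example and not part of the original question or any answer to it: it pre-creates the folder named after the user's sAMAccountName and writes the ACL the article calls for (SYSTEM and Domain Admins full control, the user full control on this folder, subfolders and files, no Everyone ACEs). The share root and domain name are placeholders, and the script must run elevated on an account that can take and assign ownership.

```powershell
# Added example (not from the question): pre-create a user's redirected-folder root
# with the ACEs the KB article lists, so the user inherits Full Control on everything
# created inside it later, including subfolders created by SYSTEM.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$ShareRoot = '\\FILESERVER\Redirected$',   # placeholder share root
    [string]$Domain    = 'CONTOSO'                      # placeholder NetBIOS domain
)

$path = Join-Path $ShareRoot $SamAccountName
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -ItemType Directory -Path $path | Out-Null
}

$acl = Get-Acl -LiteralPath $path
# Stop inheriting from the share root so its Everyone ACEs do not flow down,
# and drop any explicit ACEs that were already on the folder.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }

# "Apply onto: This Folder, Subfolders and Files" =
#   InheritanceFlags ContainerInherit + ObjectInherit, PropagationFlags None.
$inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propNone   = [System.Security.AccessControl.PropagationFlags]::None
$full       = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow      = [System.Security.AccessControl.AccessControlType]::Allow

$principals = @(
    'NT AUTHORITY\SYSTEM',
    "$Domain\Domain Admins",
    "$Domain\$SamAccountName"      # explicit ACE replaces the CREATOR OWNER one
)
foreach ($p in $principals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $p, $full, $inheritAll, $propNone, $allow)
    $acl.AddAccessRule($rule)
}

# Make the user the owner; Folder Redirection checks ownership of a pre-existing
# folder when "Grant the user exclusive rights" is enabled. Assigning ownership to
# another account needs the Restore privilege, which elevated administrators hold.
$acl.SetOwner([System.Security.Principal.NTAccount]"$Domain\$SamAccountName")
Set-Acl -LiteralPath $path -AclObject $acl
```

Run it once per user (for example from a provisioning script looped over the affected accounts) before the user first logs on, so the policy finds the folder already in place and simply redirects into it.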
