Folder Redirection Using Group Policy

[MrEgo]

I'm having some problems getting my folder redirection to work on my domain. I have a share set up on my file server where I want the folders to get redirected to, but it will not work unless I am logged in as the domain administrator.

I have the policy set to redirect the "Documents" and the "Favorites" to the following folder:

\\fileserver\Staff\%USERNAME%\

My question is - what permissions or security settings need to be applied to the "Staff" folder to allow standard users (Domain Users) to create folders in this directory when they log in for the first time?

When I do a gpresult, I can see that I'm getting the policy correctly, but the directory of the standard users aren't being created under the "Staff" folder. However, it is working properly when I use a domain administrator account. I don't want to give "Everyone" full control or write access to the "Staff" folder, but am I going to have to do that?

 

[snikt]

If you don't want to give Everyone full control, try just Authenticated Users. Its a little more secure than just giving Everyone full control.

 

[MrEgo]

That's not really what I had in mind, either. I don't want some computer savvy employee writing a bunch of files in this directory. It seems like there would be another way around this or I'm just not doing it right.

 

[snikt]

Well, you could temporarily allow Everyone full control. Depending on how many users are actually employed, give it 1-3 weeks to allow all the users to login, create their folders. When you're sure all or most of the users have logged in and the folders have been created you'll have to get granular with permissions on each users folders: remove any permissions you want from the Staff folder, remove Inheritance from the users' folder, and then modify the users' folders permissions as needed. Again, the amount of users may make you decide not take this route.

 

[MrEgo]

Yeah, we're talking about 4,000 users 🙂

 

[theevilsharpie]

http://support.microsoft.com/kb/274443

Create security-enhanced redirected folders
To make sure that only the user and the domain administrators have permissions to open a particular redirected folder, do the following:

1. Select a central location in your environment where you would like to store Folder Redirection, and then share this folder. In this example, FLDREDIR is used.

2. Set Share Permissions for the Everyone group to Full Control.

3. Use the following settings for NTFS Permissions:

* CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
* System - Full Control (Apply onto: This Folder, Subfolders and Files)
* Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
* Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
* Everyone - List Folder/Read Data (Apply onto: This Folder Only)
* Everyone - Read Attributes (Apply onto: This Folder Only)
* Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

4. Configure Folder Redirection Policy as outlined in Windows Help. Use a path similar to \\server\FLDREDIR\username to create a folder under the shared folder, FLDREDIR.

Because the Everyone group has the Create Folder/Append Data right, the group members have the proper permissions to create the folder; however, the members are not able to read the data afterwards. The Username group is the name of the user that was logged on when you created the folder. Because the folder is a child of the parent folder, it inherits the permissions that you assigned to FLDREDIR. Also, because the user is creating the folder, the user gains full control of the folder because of the Creator Owner Permission setting.

 

[MrEgo]

Awesome! Thank you!

 

[RebateMonger]

The other thing you should check is whether disk space quotas are enabled on that disk. If so, be sure that the User disk space quotas are appropriately sized.