Tutorials

 Für unsere deutschen Kunden Premier Support ist auch in deutscher Sprache verfügbar. Wir helfen Ihnen gerne bei allen Ihren Migrationsproblemen.
How the administrator can gain access to redirected folders owned by domain users and which are created by a policy using ‘grant the user exclusive rights’.

How the administrator can gain access to redirected folders owned by domain users and which are created by a policy using ‘grant the user exclusive rights’.

Your Windows Server 2012 R2 Essentials is setup and all configuration is done. You have also turned on the Group Policy that organizes Folder Redirection and redirects users folders to server. Great, but then you find that the redirected folders created by users who logon to your server are not accessible by you…the almighty administrator.

This cannot be right is what you think? Well, as matter of fact it is behavior by design as Microsoft will tell you but it is not very handy. You could click on ‘continue’ and gain access to John’s folder but there must be an easier way to get access to the ‘redirected folders’.

How the administrator can gain access to redirected folders owned by domain users and which are created by a policy using ‘grant the user exclusive rights’.

Would it not be nice if the administrator has access to those redirected folders? Here is how we do that.

  1. In order to gain access to those folders we need to run some Powershell commands to change security on those redirected folders. But we do that in a special way, we use PSexec from PSTools and you download them here https://technet.microsoft.com/en-us/sysinternals/pstools.aspx. Once you have downloaded them I would extract the pstools.zip to a folder in the root of your server like c:\pstools as shown in the screenshot.
    How the administrator can gain access to redirected folders owned by domain users and which are created by a policy using ‘grant the user exclusive rights’.
  2. I have already put in the PSTools folder a file called ‘FixPermissions.ps1’ and that is what we are going to use. You can download that file here but remember that you need to change the file extension to .ps1 as the download is just an ordinary text file (more secure). Before you run the file you must change $StartingDir= "E:\Users\FolderRedirections" and $Principal="adatum\admin" to your own situation. Instead of using only one admin like ‘admin’ in my example you could also use ‘domain\Domain admins’. Open an elevated command prompt.
    How the administrator can gain access to redirected folders owned by domain users and which are created by a policy using ‘grant the user exclusive rights’. How the administrator can gain access to redirected folders owned by domain users and which are created by a policy using ‘grant the user exclusive rights’.
  3. From within the command prompt type psexec -s -i powershell -noexit C:\pstools\FixPermissions.ps1. A second ‘command prompt’ screen will open asking you for permission and type ‘Y’.
    How the administrator can gain access to redirected folders owned by domain users and which are created by a policy using ‘grant the user exclusive rights’.
  4. In the green line ‘New Permissions’ you see that Contoso\Admin:F is added. This means that this Admin has now Full Control added to the security on that folder.
    How the administrator can gain access to redirected folders owned by domain users and which are created by a policy using ‘grant the user exclusive rights’.
  5. There is more to this. If you have been struggling with this for some time and you have searched the Internet for answers you probably have found an answer that included the advice to uncheck the option in the policy that disables ‘Grant the user exclusive rights…”. It is a very bad idea to uncheck this. As an admin you will have access to those folders for ‘new users only’ but it will also mean that ALL Domain Users will have access to the documents created by that user. A huge security problem IMHO. Don’t change the policy but rerun the script as I did above.
    How the administrator can gain access to redirected folders owned by domain users and which are created by a policy using ‘grant the user exclusive rights’.
  6. Here is the complete Powershell solution but you may also download the text file here.
    #FixPermissions.ps1
    # CACLS rights are usually
    # F = FullControl
    # C = Change
    # R = Readonly
    # W = Write
    
    $StartingDir= "D:\ServerFolders\Folder Redirection"
    
    $Principal="contoso\admin"
    
    $Permission="F"
    
    $Verify=Read-Host `n "You are about to change permissions on all" `
    "files starting at"$StartingDir.ToUpper() `n "for security"`
    "principal"$Principal.ToUpper() `
    "with new right of"$Permission.ToUpper()"."`n `
    "Do you want to continue? [Y,N]"
    
    if ($Verify -eq "Y") {
    
    foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
    #display filename and old permissions
    write-Host -foregroundcolor Yellow $file.FullName
    #uncomment if you want to see old permissions
    #CACLS $file.FullName
    
    #ADD new permission with CACLS
    CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL
    
    #display new permissions
    Write-Host -foregroundcolor Green "New Permissions"
    CACLS $file.FullName
    }
    }

     

Attached Files

Subscribe and receive ‘how to’ and ‘best practice’ articles on server and cloud maintenance, design and troubleshooting.

  • Monthly newsletter with a summary of all new tutorials
  • Get an email as soon as a new tutorial has been published

About www.server-essentials.com 

www.server-essentials.com is founded by Mariette Knap, a Dutch Microsoft MVP. www.server-essentials.com is a community for IT Consultants and Business Owners who, themselves, take care of the IT infrastructure and Employees who do that little extra in the company to keep things running. Our forum is for discussing all things ‘IT’ and more.  Our documentation is top notch and written by and for the community.

Change your cookie settings


 
Contact Us

Concentrix BV

C. de Rijcklaan 1

3723 PM Bilthoven

The Netherlands

KvK 30202318

VAT Id 814036739B01

The layout of this page is made to be viewed online.