I setup folder permissions for Redirected My Documents per a MS white paper,
as such:

Share
- Authenticated Users = Full



NTFS
- Authenticated Users
= Traverse Folder / Execute File
= List Folder / Read date
= Read attributes
= Create folders / append data
- Creator = Full
- Domain Admins = Full
- System = Full
- local administrators = Full

After the user's My Docs has been redirected, I can see the folder on the
network share, but I don't have permissions to open the My Documents folder.
I can create a new folder, at the same level in the user's folder. And of
course I can open that folder. But I can't access the My Documents folder.
It seems like it hasn't inherited the permissions for the root "Users"
folder. But I don't see where I can control that.

If I check the NTFS properties for a user folder, the box for "Include
inheritable permissions from this object's parent is grayed out, and checked
off.

I know there are other ways to do permissions for Redirected My Docs, but I
prefer to follow the MS example.

How can I change the NTFS permissions so that I can access the My Documents
folders?

Thanks

"JohnB" <jbrigan@newsgroup> wrote in message
news:u41LYQVjKHA.4872@newsgroup

>I setup folder permissions for Redirected My Documents per a MS white
>paper, as such:
>
> Share
> - Authenticated Users = Full
>
> NTFS
> - Authenticated Users
> = Traverse Folder / Execute File
> = List Folder / Read date
> = Read attributes
> = Create folders / append data
> - Creator = Full
> - Domain Admins = Full
> - System = Full
> - local administrators = Full
>
> After the user's My Docs has been redirected, I can see the folder on the
> network share, but I don't have permissions to open the My Documents
> folder. I can create a new folder, at the same level in the user's folder.
> And of course I can open that folder. But I can't access the My Documents
> folder. It seems like it hasn't inherited the permissions for the root
> "Users" folder. But I don't see where I can control that.
>
> If I check the NTFS properties for a user folder, the box for "Include
> inheritable permissions from this object's parent is grayed out, and
> checked off.
>
> I know there are other ways to do permissions for Redirected My Docs, but
> I prefer to follow the MS example.
>
> How can I change the NTFS permissions so that I can access the My
> Documents folders?
>
> Thanks
>

The user account requires Full Control on the Share and the NTFS permissions
for redirection to work. I don't follow the Microsoft suggestion because it
allows everyone to see all subfolders, so now they know their logon names,
etc. The less seen, the less the ability to make changes, reducing
curiosity, etc. Many installations hide the user home folder substructure
for security reasons and share the individual folders to the users only,
with a hidden share name.

Take a look at my blog for specifics. I hope you find it helpful.

Folder Redirection
http://msmvps.com/blogs/acefekay/arc...direction.aspx


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.

I realize there are other ways of doing this, but I'm hoping to stick with
the Microsoft method.

The redirection works fine. That isn't the problem. It's the resulting
permissions on their My Documents folder on their user folder. A Domain
Admin account does not have access to it.


"Ace Fekay [MCT]" <aceman@newsgroup> wrote in message
news:O4v1pcVjKHA.4872@newsgroup

> "JohnB" <jbrigan@newsgroup> wrote in message
> news:u41LYQVjKHA.4872@newsgroup

>>I setup folder permissions for Redirected My Documents per a MS white
>>paper, as such:
>>
>> Share
>> - Authenticated Users = Full
>>
>> NTFS
>> - Authenticated Users
>> = Traverse Folder / Execute File
>> = List Folder / Read date
>> = Read attributes
>> = Create folders / append data
>> - Creator = Full
>> - Domain Admins = Full
>> - System = Full
>> - local administrators = Full
>>
>> After the user's My Docs has been redirected, I can see the folder on the
>> network share, but I don't have permissions to open the My Documents
>> folder. I can create a new folder, at the same level in the user's
>> folder. And of course I can open that folder. But I can't access the My
>> Documents folder. It seems like it hasn't inherited the permissions for
>> the root "Users" folder. But I don't see where I can control that.
>>
>> If I check the NTFS properties for a user folder, the box for "Include
>> inheritable permissions from this object's parent is grayed out, and
>> checked off.
>>
>> I know there are other ways to do permissions for Redirected My Docs, but
>> I prefer to follow the MS example.
>>
>> How can I change the NTFS permissions so that I can access the My
>> Documents folders?
>>
>> Thanks
>>

>
>
> The user account requires Full Control on the Share and the NTFS
> permissions for redirection to work. I don't follow the Microsoft
> suggestion because it allows everyone to see all subfolders, so now they
> know their logon names, etc. The less seen, the less the ability to make
> changes, reducing curiosity, etc. Many installations hide the user home
> folder substructure for security reasons and share the individual folders
> to the users only, with a hidden share name.
>
> Take a look at my blog for specifics. I hope you find it helpful.
>
> Folder Redirection
> http://msmvps.com/blogs/acefekay/arc...direction.aspx
>
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
> 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
>
> If you feel this is an urgent issue and require immediate assistance,
> please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>
>
>

"JohnB" <jbrigan@newsgroup> wrote in message
news:OtKb4PXjKHA.1420@newsgroup

>I realize there are other ways of doing this, but I'm hoping to stick with
>the Microsoft method.
>
> The redirection works fine. That isn't the problem. It's the resulting
> permissions on their My Documents folder on their user folder. A Domain
> Admin account does not have access to it.
>

Understood. Then basically the parent folder must allow:

Share:
Auth Users FC

NTFS:
Auth users FC
Domain Admin FC
System FC

Then each User's older requires (set individually):

NTFS:
Remove Inheritance, Choose Remove All when prompted.
Add:
UserAccount FC
Domain Admin FC
System FC

Then the domain admin can access all folders, and the specific user account
can access their own folder. The FC permissions satisfy redirection, as well
as provide the user FC on their own objects.

Ace