Security groups not allowing domain admin to view files

Tags: network-share, permissions, security, windows-server-2008

This should be very simple. I have my Documents folders redirected to a share called //dc/documents. It creates a folder under this share for each person and then creates a folder under that for My Documents. The security permissions on this //dc/documents share are as follows:

  • Share Permissions:
    • Everyone – Full Control
  • NTFS Permissions:
    • Everyone (This Folder Only) – List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions
    • CREATOR OWNER (Subfolders and files only) – Full Control
    • SYSTEM (This folder, subfolders and files) – Full Control
    • Administrators (This folder, subfolders and files) – Full Control
    • Domain Admins (This folder, subfolders and files) – Full Control

My problem arises when I sign into the in-built administrator account on the PDC. Though that account is part of the Domain Admins and Administrator groups, I do not have permission to view the subfolders and files. I don't see any inherited permissions that should prevent me from doing anything I want inside of these folders. Is there some magical button I have to hit when opening the folders? This is becoming increasingly frustrating.

Best Answer

You have the "Grant the user exclusive rights..." box ticked on the "Settings" tab of the folder redirection settings. Turn that off and the Folder Redirection client-side extension (CSE) will add "Administrators" to the permissions on the folders it creates.

Personally, I pre-create the subfolders for the users because the Folder Redirection CSE disables inheritance on the subfolders it creates (which I consider a Bad Thing™). If you pre-create the folders and add "The User / Full Control" to the subfolder, the Folder Redirection CSE will be happy and will leave the inheritance hierarchy on your folders intact.

If you want to "repair" the folders you already have you can use something like the icacls utility in a script to clean up the permissions. Assuming the subfolders are all named for the users' samAccountNames you could do something like the following:

@echo off
REM Batch script: each subfolder under the root is named for the user's samAccountName.
REM FOR /D with a path in the set expands %%d to the full path; %%~nxd is the folder name alone.
FOR /D %%d IN ("E:\Home Directories\*") DO (
  REM Take ownership recursively so the admin can rewrite the ACLs
  TAKEOWN /F "%%d" /R /D Y
  REM Drop the explicit ACEs and re-enable inheritance from the parent share
  ICACLS "%%d" /reset /T
  REM Grant the user Full Control, inherited by subfolders (CI) and files (OI)
  ICACLS "%%d" /grant:r "MYDOMAIN\%%~nxd":(OI)(CI)F
  REM Hand ownership of the tree back to the user
  ICACLS "%%d" /setowner "MYDOMAIN\%%~nxd" /T
)

That'll give you a nice, clean inheritance hierarchy again w/ the user specified w/ "Full Control" permission at each subfolder.
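Before running a repair like the one above, it helps to know which user folders the Folder Redirection CSE has actually locked down. The following PowerShell audit is an added example, not part of the original answer; it assumes the root is E:\Home Directories, the domain NetBIOS name is MYDOMAIN, and each subfolder is named for the user's samAccountName, and it reports folders where inheritance is disabled, an administrative group lacks Full Control, or the user lacks inheritable Full Control.

```powershell
# Audit redirected home folders for the CSE "exclusive rights" permission state.
# Assumed values: adjust $Root and $Domain to your environment.
$Root   = 'E:\Home Directories'
$Domain = 'MYDOMAIN'
$AdminIdentities = @('BUILTIN\Administrators', "$Domain\Domain Admins")

foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $acl   = Get-Acl -LiteralPath $dir.FullName
    $allow = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' }

    # With "Grant the user exclusive rights" the CSE disables inheritance on the folder
    $inheritanceDisabled = $acl.AreAccessRulesProtected

    # Does Administrators or Domain Admins hold Full Control here (explicit or inherited)?
    # Note: ACEs carrying only generic rights show as a number, not "FullControl", and are not matched.
    $adminFull = $allow | Where-Object {
        $AdminIdentities -contains $_.IdentityReference.Value -and
        $_.FileSystemRights.ToString() -match 'FullControl'
    }

    # Does the user the folder is named for hold Full Control that flows to subfolders and files?
    $userFull = $allow | Where-Object {
        $_.IdentityReference.Value -eq "$Domain\$($dir.Name)" -and
        $_.FileSystemRights.ToString() -match 'FullControl' -and
        $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit'
    }

    [pscustomobject]@{
        Folder              = $dir.Name
        Owner               = $acl.Owner
        InheritanceDisabled = $inheritanceDisabled
        AdminsHaveFullCtrl  = [bool]$adminFull
        UserHasFullCtrl     = [bool]$userFull
        NeedsRepair         = $inheritanceDisabled -or -not $adminFull -or -not $userFull
    }
}
```

Pipe the output to Where-Object { $_.NeedsRepair } to get just the folders that the icacls script should touch, and run it again afterwards to confirm every folder reports InheritanceDisabled False and both Full Control columns True.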