Windows – Folder redirection GP and CREATOR OWNER inheritance/scope

Tags: file-permissions, folder-redirection, group-policy, windows

We use the folder redirection group policy to place users' My Documents folders on a network share.

We have configured the share with Microsoft's recommended NTFS permissions, as defined here: https://support.microsoft.com/en-us/help/274443/how-to-dynamically-create-security-enhanced-redirected-folders-by-usin. Specifically:

  • CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only)
  • System – Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins – Full Control (Apply onto: This Folder, Subfolders and Files)
  • Everyone – Create Folder/Append Data (Apply onto: This Folder Only)
  • Everyone – List Folder/Read Data (Apply onto: This Folder Only)
  • Everyone – Read Attributes (Apply onto: This Folder Only)
  • Everyone – Traverse Folder/Execute File (Apply onto: This Folder Only)

However, that KB article also states (key points in bold):

By the end of May 2017, all supported operating systems converted the CREATOR OWNER ACE to:

    <Folder-User> – Full Control (Apply onto: This Object only)

Whereas this does not affect the daily operations of the folders for the users, it makes a difference when the administrator has to work on the contents of the home folders or redirected folders.

If you want to make sure the user gets the inheritable full control on all child objects, you have to:

  • Create the folder matching the user's samaccountname by yourself.
  • Set the permissions that are needed for the folder, omit the Everyone ACEs above, and make sure that you have the ACE:

    <Folder-User> – Full Control (Apply onto: This Folder, Subfolders and Files)

In other words, if SYSTEM creates a subfolder in a user's folder, the user won't be able to access that subfolder because they no longer inherit full control of it like they used to.

Microsoft's workaround for this is to manually create the user's root folder and manually set the user's permissions with the necessary scope.

Is there any way to automate this via group policy, or is scripting the only option here?

Best Answer

That's the expected behaviour for CREATOR OWNER, and it is unlikely to have ever been any different; I think the addendum to the article is misleading in that respect. In my experience, it wouldn't usually be a problem, because you don't usually want to add stuff to the user's folder anyway. That's probably why the original article never mentioned it.

If you aren't going to create each user's directory in advance with explicitly chosen permissions, then as far as the group policy goes, you only have two options: if you set "Grant the user exclusive rights" option, they get full access to the entire folder and contents, but nobody else does; if you don't set it, they only get access to the content they created themselves.

If you go with the first option, you can use backup privilege to bypass the permissions whenever you want to add content. This is elegant, but can be inconvenient because the built-in tools for using backup privilege are fairly limited.

If you go with the second option, you can change the permissions on the user's folder before you add content; or you can explicitly set the permissions on the content that you're adding.

Another approach (as you suggest) is to use a group policy logon script to change the permissions on the user's folder when the user first logs in. This may be the most convenient option if whatever process is adding content to the user's folder isn't under your control.
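A logon-script style implementation of that last approach, added here as an example (it is not code from the question, the answer or the Microsoft KB article). It adds the inheritable "Full Control, This Folder, Subfolders and Files" ACE the KB addendum says CREATOR OWNER no longer yields; the share path, server name and account names are assumptions.

```powershell
# Added example, not from the question, answer or KB article.
# At logon the user already holds Full Control on the folder itself ("This Object
# only"), which includes WRITE_DAC, so the user's own logon script can widen it.
# An administrator pre-creating folders can call the same function with -Identity.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function Ensure-InheritableFullControl {
    param(
        [Parameter(Mandatory)][string]$Path,                        # user's redirected-folder root
        [string]$Identity = [WindowsIdentity]::GetCurrent().Name    # DOMAIN\user, defaults to caller
    )
    $inherit = [InheritanceFlags]::ContainerInherit -bor [InheritanceFlags]::ObjectInherit
    $acl = Get-Acl -LiteralPath $Path

    # Idempotency check: an explicit Allow/FullControl ACE that already propagates to children.
    $present = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq [AccessControlType]::Allow -and
        $_.IdentityReference.Value -eq $Identity -and
        $_.FileSystemRights -eq [FileSystemRights]::FullControl -and
        $_.InheritanceFlags -eq $inherit
    }
    if ($present) { return 'unchanged' }

    # Add the "This Folder, Subfolders and Files" ACE. The existing "This Object only"
    # ACE for the same user is left in place; it is redundant but harmless.
    $rule = [FileSystemAccessRule]::new($Identity, [FileSystemRights]::FullControl,
                                        $inherit, [PropagationFlags]::None, [AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    return 'updated'
}

# Logon-script use. Constructed path: substitute the share your folder redirection GP targets.
$redirected = "\\fileserver\users`$\$env:USERNAME"
if (Test-Path -LiteralPath $redirected) {
    Ensure-InheritableFullControl -Path $redirected
}

# Administrator pre-creation (the KB's manual approach), run with admin rights:
#   New-Item -ItemType Directory -Path '\\fileserver\users$\jdoe' | Out-Null
#   Ensure-InheritableFullControl -Path '\\fileserver\users$\jdoe' -Identity 'CONTOSO\jdoe'
```

Deploy it under User Configuration > Windows Settings > Scripts (Logon) in the same GPO as the folder redirection, or run the pre-creation lines from your provisioning process.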