
Folder Redirection – Part 3: Explanation of folder permissions

Folder Redirection in Group Policy allows a systems administrator to redirect certain folders from a user’s profile to a file server. In part 3 of this series, I’ll discuss the folder permissions we set on the file server along with justifications for those settings and alternatives.

By Kyle Beckman - Mon, May 7, 2012

Kyle Beckman works as a systems administrator in Higher Education in the Southeast United States. He is an MCSE and specializes in Group Policy, Windows Server, and client support.


At this point, you may have noticed that we didn’t give our users very many permissions on the Users folder. First and foremost, we made sure that one user can’t see inside of another user’s folder. It’s also pretty obvious that we don’t want to give users the ability to do things like take ownership, delete files/folders, or change permissions, but a few of the other missing permissions take a little more explanation.

First off, you don’t want users to have Create files/write data permissions or they can save files into the root of the shared folder. Since we’re redirecting folders, we only want the users to be able to create folders in the root Users folder, but not individual files. Once the user creates a folder named %username%, the CREATOR OWNER permission will take over (since it is a sub-folder of Users) and will give the account full control over the %username% folder and everything inside of it.

Second, List folder/read data is also missing because we don’t want users to be able to enumerate folders in the share. Here’s what it will look like to the end user if they try to go to \\fileserver\Users:

[Screenshot: User can’t enumerate folders]

However, if the user tries to go to \\fileserver\Users\%username%, he can see all of his folders:

[Screenshot: User CAN see inside username folder]

As an Administrator, you’ll still be able to see everything on the server:

[Screenshot: Redirected folders on server]

Why would you want to do it this way? The biggest reason is that we’re giving the user the ability to create folders in the Users share. That means that there is nothing to stop a user from creating a few hundred folders and then saving files into those folders inside of Users. By removing the ability to enumerate folders in the Users share, you eliminate the ability of the user to see what is in the folder. It doesn’t stop the user from being able to create other folders or copy data into them, but it makes it much more difficult to use should they decide to try.

The other big benefit you get is that users can’t see the other user account folders that are stored in the Users share. Can’t I do that with Access Based Enumeration? Yes… Access Based Enumeration will essentially hide any files/folders from a user that he/she doesn’t have permissions to see; but it doesn’t solve the problem of the user being able to create new folders in your Users share. If you enable Access Based Enumeration and allow users to enumerate the contents of the share, they’ll just see their %username% folder and all of the other folders they’ve created there.
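As an added example (not code from the original post or from 4sysops), here is how the Users-folder ACL described above can be applied and then audited with PowerShell. The folder path and the 'Authenticated Users' principal are assumptions, as are the Traverse and Read attributes rights granted on the root (the post does not list them); the rights withheld from users and the CREATOR OWNER inheritance are as the post describes.

```powershell
function Set-RedirectedUsersAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,       # root of the Users share, e.g. D:\Users (assumed)
        [string] $UserGroup = 'Authenticated Users'  # principal for end users (assumed)
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent folder so only the rules below apply
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $full        = [System.Security.AccessControl.FileSystemRights]::FullControl
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow
    $inheritAll  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $thisOnly    = [System.Security.AccessControl.InheritanceFlags]::None
    $propagate   = [System.Security.AccessControl.PropagationFlags]::None
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Administrators and SYSTEM: Full Control on this folder, subfolders and files
    foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $admin, $full, $inheritAll, $propagate, $allow))
    }
    # CREATOR OWNER: Full Control on subfolders and files only, so the user who creates
    # the %username% folder gets full control over it and everything inside it
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'CREATOR OWNER', $full, $inheritAll, $inheritOnly, $allow))
    # End users, this folder only: Create folders is granted; List folder/read data,
    # Create files/write data, Delete, Take ownership and Change permissions are withheld.
    # Traverse and the two Read attributes rights are assumed additions.
    $userRights = [System.Security.AccessControl.FileSystemRights]'CreateDirectories, Traverse, ReadAttributes, ReadExtendedAttributes'
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $UserGroup, $userRights, $thisOnly, $propagate, $allow))
    Set-Acl -Path $Path -AclObject $acl
}

# Audit check: returns $true only if no Allow ACE for the end-user group on the root
# grants List folder/read data or Create files/write data, the two rights the post calls out
function Test-RedirectedUsersAcl {
    param([Parameter(Mandatory)] [string] $Path, [string] $UserGroup = 'Authenticated Users')
    $acl = Get-Acl -Path $Path
    $banned = [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateFiles'
    $userAces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*$UserGroup" -and $_.AccessControlType -eq 'Allow'
    }
    foreach ($ace in $userAces) {
        if (($ace.FileSystemRights -band $banned) -ne 0) { return $false }
    }
    return $true
}
```

Run `Set-RedirectedUsersAcl -Path D:\Users` from an elevated prompt on the file server, then `Test-RedirectedUsersAcl -Path D:\Users` to confirm the two withheld rights have not crept back in through a later permission change.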

In the next post I will show you how to configure folder redirection in Group Policy.



4 Comments

  1. Patrik says:

    Thank you for the excellent coverage about folder redirection. Looking forward to more about the topic.
    Please consider giving your recommendations regarding the servername part of the UNC path. What is recommended to use, a NETBIOS name or an FQDN, i.e. in an environment with Windows 7-only PCs and users traveling and connecting via VPN to office servers?

  2. Kyle says:

    Patrick – Thanks for the feedback! Unfortunately, I haven’t been able to find an official Microsoft Best Practice for this topic. For me, it usually depends on the scale of the deployment. On small deployments, I use the NetBIOS name to keep things simple, and on larger deployments I use the FQDN. In your circumstance with remote users, your best bet is probably going to be using the FQDN to ensure that your remote users don’t have problems resolving the name of your file server when they are offsite.

  3. Matt D. says:

    Is it correct that the Administrator can see the Users folders, but not the contents inside? I can view all of the user folders, but still must take ownership to view the contents of the folder itself.

  4. Kyle says:

    It sounds like you’re referring to the user folders in the C:\Users\%username%\ folders. If you use the configuration outlined in this series, any Administrator on your file server will be able to see inside the contents of your users’ redirected folders.
