Hello,
I have inherited a domain which utilizes folder redirection. The environment is server 2008 R2 and all workstations are Windows 7 x64. The redirected folders are on a shared drive which for now resides on the primary domain controller (I know, bad). My predecessors used multiple methods in creating profiles meaning they would create the profile on the share as domain admin for some users and then log in as the new user in other instances. Essentially I had a mix of profiles and profile permissions. Everyone was able to browse and view each others documents. Obviously, not the desired outcome. I have since changed the permissions of the root User folder based on reading a couple of different articles one of which is below:
http://social.technet.microsoft.com/Forums/en-IE/winservergen/thread/7e1f5344-ff3f-4fee-90d1-bfe805f8c57f
The root Users folder does have Include inheritable permissions unchecked. So far I have changed the permissions on the root Users folder to the following:
Creator Owner: Full Control This Folder SubFolder and Files (although it only shows the Permission as Special and Apply To as Subfolder and Files in the ACL)
SYSTEM: Full Control This Folder subfolders and files
Domain Admins: Full Control This Folder subfolders and files
Administrators: Full Control This Folder subfolders and files
Authenticated Users: This Folder and Files (I explain why I included Files below) with the following permissions: Traverse/Execute, List folder/Read Data, Read Attributes, Read extended attributes, Create files/Write Data, Create folders/Append data
I created a test user, logged in as that user and verified the documents are redirected and the permissions are pushed down to the user profiles. The users name appears in the NTFS permissions and is listed with Permission Special This folder only.
In addition to folder redirection each user needs to have a shared folder which resides under their My Documents which they scan documents to. Normally I create a new user and then log in as that user which populates their redirected folders to the share with the correct permissions. Later on I log on as domain admin, browse to the users profile and create their shared “scan folder” which inherits all but the users name in the NTFS permissions (I’m guessing because I created the folder as admin rather than logging in as the user and so Admin is the owner..?). I then add a separate "Scanning Account" with write permissions to This Folder and Files.
Initially on the root Users folder I had Authenticated Users set to This Folder Only per the documentation. The problem with this is if I create the scan folder, scan a document, and then move the document to the users desktop or other directory they lose permission to open the document or do anything with it. I've found that when the document is scanned into the scan folder the NTFS permissions of the documents change. There is a second entry created in the ACL for the scanning account with Full Control. The users name is not listed. If the user moves the document to their desktop they cannot open it or do anything with it. They can only work with the document within the scan folder.
In trying to get this to work I added This Folder and Files to Authenticated Users in the root Users folder. Now the user can move the scanned document to the desktop and open and save it. Their name still does not show up in the ACL but they can open it I'm guessing because Authenticated Users is applied to all files.
I’m trying to figure out the best way to get this to work. I’ve even tried logging in as the user, and then creating the Scan Folder in order to get inherited permissions including the users name in the ACL. Even when scanning this way though they do not have any permissions in the ACL of the scanned document.
I apologize for the long winded explanation but I'm trying to include as much info as possible. Please let me know if you need any additional information or clarification and I'll be happy to provide it.
On a side note if I go into the NTFS permissions of the users profile, Edit and check Full Control under the Security tab the user has Full Control for everything in their profile including scanned documents. Not sure if there is a way to do this for all users from the root Users folder or even if this is a best practice.