Bryan L
Guest
I have been using folder redirection in my domain for some time and recently
used article 288991 to ensure that I was following best practices for
securing the redirected folders. The domain controller and the server
hosting the redirected share are both running Server 2003, all clients are
XP Pro SP2. I want to grant Domain Admins, SYSTEM, and CREATOR OWNER full
access to redirected folders. This should ensure that users have exclusive
access to their folders with the exception that Domain Admins also have full
access. Share permissions are set to Everyone: Full Control.
The odd behavior is observed when I try to set/check the permissions for
CREATOR OWNER. Per the article, I have granted CREATOR OWNER Full Control
over the Redirected folder, but when I check the ACL on the Redirected
folder, all checkboxes for CREATOR OWNER are clear except for Special
Permissions. However, if I click Advanced, select CREATOR OWNER, and click
Edit to view the atomic permissions, CREATOR OWNER has Full Control -- every
single checkbox in the Allow column is selected. Also of possible note is
the fact that those permissions are being applied to Subfolders and Files
only. I once tried changing that to "This folder, subfolders and files" but
it had no effect on the permissions displayed for CREATOR OWNER on the
Security tab - they still show all checkboxes empty except for Special
Permissions.
I checked the ACL on specific users' subfolders and files under the
Redirected folder, and found the same discrepancy in how the ACL is
presented on the Security tab vs. the atomic permissions displayed under
Advanced. (The only difference was that the list of Allow checkboxes under
Advanced were greyed out, indicating they were indeed inherited from an
upper-level parent.)
My question is, should I be concerned? I followed exactly the same
procedures when setting permissions for System and Domain Admins, and they
display as expected on the Security tab - only the CREATOR OWNER is acting
like this. It's been a couple of weeks now since I did this, but iirc, users
weren't getting the access they were supposed to have, so I had to add each
user to the ACL of their folder and grant them Full Control (but I can't
remember for sure). Should I test what happens if I remove myself from the
ACL of my own user folder, and see if the inherited CREATOR OWNER ACE is
still granting me full control, and my user experience with my redirected
folders is normal?
All thoughts appreciated -- thanks in advance.
Bryan
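
One way to make the check described in the post from the command line, as an added example that is not part of the original post: it lists the CREATOR OWNER ACEs on the share root with their inheritance flags, then reports for each user folder whether the folder's owner holds an effective Full Control ACE. The `$Root` path and the function name `Get-AceSummary` are hypothetical placeholders.

```powershell
# Hypothetical path: replace with the root of the redirected-folder share.
$Root = '\\SERVER\Redirected$'

$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-AceSummary {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        New-Object PSObject -Property @{
            Path        = $Path
            Owner       = $acl.Owner
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType.ToString()
            Rights      = $ace.FileSystemRights
            # True when every Full Control bit is present in the ACE.
            HasFull     = (([int]$ace.FileSystemRights -band $FullControl) -eq $FullControl)
            # An inherit-only ACE is a template for child objects; it grants
            # nothing on the folder that carries it.
            InheritOnly = (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0)
            AppliesTo   = $ace.InheritanceFlags
            Inherited   = $ace.IsInherited
        }
    }
}

# 1. CREATOR OWNER ACEs on the share root, with the flags the Security tab hides.
Get-AceSummary $Root |
    Where-Object { $_.Identity -eq 'CREATOR OWNER' } |
    Select-Object Identity, Type, Rights, InheritOnly, AppliesTo, Inherited |
    Format-Table -AutoSize

# 2. Per user folder: is there an Allow ACE naming the owner directly that
#    applies to the folder itself and carries Full Control? Access the owner
#    gets only through group membership is not counted here.
Get-ChildItem -LiteralPath $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $aces  = @(Get-AceSummary $_.FullName)
    $owner = $aces[0].Owner
    $match = @($aces | Where-Object {
        $_.Identity -eq $owner -and $_.Type -eq 'Allow' -and
        $_.HasFull -and -not $_.InheritOnly
    })
    New-Object PSObject -Property @{
        Folder           = $_.FullName
        Owner            = $owner
        OwnerFullControl = ($match.Count -gt 0)
        ViaInheritance   = ($match.Count -gt 0 -and $match[0].Inherited)
    }
} | Select-Object Folder, Owner, OwnerFullControl, ViaInheritance | Format-Table -AutoSize
```

The script only reads ACLs, so it can be run before and after a permission change to compare results.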