I’ve got a small problem. We’re using the ”Folder Redirection” feature (as a GPO) in windows server 2008R2 and that’s working as expected for all the users. It’s configured to ”Grant the user exclusive rights to documents”, for security reason. We don’t want to give every administrator right to look into other people’s home folder. As an example, a user (let’s call the user for User1) gets the following ACLs on the folder on the server:
- CREATOR OWNER (group)
- SYSTEM (group)
- User1 (account)
This is as expected and no problem there. But now to the problem, when an administrator gets her/his home folder configured by windows, it’s getting:
- CREATOR OWNER (group)
- SYSTEM (group)
- Administrators (group)
As a result all administrators can access each other’s home folders without a problem and this we would like to prevent. I've like to get the administrators own account as the owner of the folder, like it is with all normal users.
An administrator in our environment is a member of a group called “ADMIN” which got “Enterprise Admins” and a few other things in it.
Do anyone have the same problem? I’ve be grateful for any tips and tricks.
After some more digging, I’ve come across the problem. Our problem lies within an application that we use (own crafted application that communicate with AD). So this wouldn’t be a problem for anyone else, hopefully.