NTFS permissions for Redirected Folders

KB > Computer and Networking Service > Server Applications > Active Directory & Group Policy

Create security-enhanced redirected folders

To make sure that only the user and the domain administrators have permissions to open a particular redirected folder, do the following:
  1. Select a central location in your environment where you would like to store Folder Redirection, and then share this folder. In this example, FLDREDIR and HOMEDIR are used.
  2. Set Share Permissions for the Everyone group to Full Control.
  3. Use the following settings for NTFS Permissions:
    • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
    • System - Full Control (Apply onto: This Folder, Subfolders and Files)
    • Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
    • Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
    • Everyone - List Folder/Read Data (Apply onto: This Folder Only)
    • Everyone - Read Attributes (Apply onto: This Folder Only)
    • Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

  4. Configure Folder Redirection Policy as outlined in Windows Help. Use a path similar to \\server\FLDREDIR\%username% to create a folder under the shared folder, FLDREDIR.
    You can also configure a home folder “HOMEDIR“ in a similar manner by copying a template user with a home folder like \\server\HOMEDIR\%username%, or create the user and folder with that name.
    Note For home folders, the scenario isn’t common, because when you add the home folder for a user, Active Directory Users and Computers will create the folder. But if you use a custom provisioning, Active Directory Users and Computers doesn’t create the folder. Therefore, you have to do this by yourself.

Why these permissions help improve the security of the share folders

Because the Everyone group has the Create Folder/Append Data right, the group members have the proper permissions to create the folder; however, the members are not able to read the data afterwards. The Username group is the name of the user that was logged on when you created the folder. Because the folder is a child of the parent folder, it inherits the permissions that you assigned to FLDREDIR. Also, because the user is creating the folder, the user gains full control of the folder because of the Creator Owner Permission setting.

Pay attention when configuring the home directory or folder redirection policies.  If you enable the setting to give the user exclusive access to the folder, you will override the inherited permissions and need to reset the ACL.
Article ID: 208, , Modified: 8/16/2022 at 12:55 PM

Share this article