Offline Folders - Windows Server 2003

[Guest Sven-D]

I am having a trouble with users home folders and offline folders.

 

The issue is like this:

when making a folder offline (either through group policy og by right

clicking and selecting make available offline) I get the following error:

"Offline Files (\\server\share): Unable to make 'share' available offline on

\\server\users\username. Access is denied."

 

The structure on the server looks like this:

- users : shared folder, domain users full control (share permission)

- username : subfolders with the name of the user. created automatically

when the user is created in AD.

 

According to an article I found, it is a permissions issue with the

top-folder "users":

http://support.microsoft.com/kb/275461

 

I can get it to work by doing the following:

- granting domain users ntfs "read" access on the top "users" folder. (but

this lets everyone check the contents of other users folders, so then I have

to:)

- edit the ntfs permissions on every sub folder, so the don't inherit

permissions from the top folder.

 

This will add administrative overhead, as I will have to remove this

permission everytime a new user is created. It is easy to forget, also..

 

I feel there is something vital I am missing here... It isn't meant to be

this way, is it?

[Guest Lanwench [MVP - Exchange]]

Re: Offline Folders - Windows Server 2003

 

Sven-D <sven-d@discussions.microsoft.com> wrote:

> I am having a trouble with users home folders and offline folders.

>

> The issue is like this:

> when making a folder offline (either through group policy og by right

> clicking and selecting make available offline) I get the following

> error: "Offline Files (\\server\share): Unable to make 'share'

> available offline on \\server\users\username. Access is denied."

>

> The structure on the server looks like this:

> - users : shared folder, domain users full control (share permission)

> - username : subfolders with the name of the user. created

> automatically when the user is created in AD.

>

> According to an article I found, it is a permissions issue with the

> top-folder "users":

> http://support.microsoft.com/kb/275461

>

> I can get it to work by doing the following:

> - granting domain users ntfs "read" access on the top "users" folder.

> (but this lets everyone check the contents of other users folders, so

> then I have to:)

> - edit the ntfs permissions on every sub folder, so the don't inherit

> permissions from the top folder.

>

> This will add administrative overhead, as I will have to remove this

> permission everytime a new user is created. It is easy to forget,

> also..

>

> I feel there is something vital I am missing here... It isn't meant

> to be this way, is it?

 

You might check out "How to dynamically create security-enhanced redirected

folders by using folder redirection in Windows 2000 and in Windows Server

2003" - http://support.microsoft.com/kb/274443.

It doesn't *exactly* describe your setup but should help with the folder

permissions.

 

I don't use home directories anymore - they're a pretty antiquated concept.

If you just set up folder redirection for My Documents, you can use "basic -

redirect everyone to the same location" and "create a folder under the

parent share" ...e.g., \\server\home$\%username%\My Documents. You can map a

drive letter to that if you like, also.

 

There are all sorts of group policy settings for offline files, too -

including one that automatically makes subfolders available offline.

[Guest Sven-D]

Re: Offline Folders - Windows Server 2003

 

Just tested this in my test environment - and it works on home folders :)

 

The reason I use home folders are:

- they are already there..

- people already have lots of music, pictures etc in my documents. don't

want that on the server.

- I want to enrypt the offline folder cache. Haven't found a way to do that

with my documents redirection - but maybe someone has a solution for that,

too?

 

 

"Lanwench [MVP - Exchange]" wrote:

> Sven-D <sven-d@discussions.microsoft.com> wrote:

> > I am having a trouble with users home folders and offline folders.

> >

> > The issue is like this:

> > when making a folder offline (either through group policy og by right

> > clicking and selecting make available offline) I get the following

> > error: "Offline Files (\\server\share): Unable to make 'share'

> > available offline on \\server\users\username. Access is denied."

> >

> > The structure on the server looks like this:

> > - users : shared folder, domain users full control (share permission)

> > - username : subfolders with the name of the user. created

> > automatically when the user is created in AD.

> >

> > According to an article I found, it is a permissions issue with the

> > top-folder "users":

> > http://support.microsoft.com/kb/275461

> >

> > I can get it to work by doing the following:

> > - granting domain users ntfs "read" access on the top "users" folder.

> > (but this lets everyone check the contents of other users folders, so

> > then I have to:)

> > - edit the ntfs permissions on every sub folder, so the don't inherit

> > permissions from the top folder.

> >

> > This will add administrative overhead, as I will have to remove this

> > permission everytime a new user is created. It is easy to forget,

> > also..

> >

> > I feel there is something vital I am missing here... It isn't meant

> > to be this way, is it?

>

> You might check out "How to dynamically create security-enhanced redirected

> folders by using folder redirection in Windows 2000 and in Windows Server

> 2003" - http://support.microsoft.com/kb/274443.

> It doesn't *exactly* describe your setup but should help with the folder

> permissions.

>

> I don't use home directories anymore - they're a pretty antiquated concept.

> If you just set up folder redirection for My Documents, you can use "basic -

> redirect everyone to the same location" and "create a folder under the

> parent share" ...e.g., \\server\home$\%username%\My Documents. You can map a

> drive letter to that if you like, also.

>

> There are all sorts of group policy settings for offline files, too -

> including one that automatically makes subfolders available offline.

>

>

>

[Guest Sven-D]

Re: Offline Folders - Windows Server 2003

 

Ooops! I was a litte quick there... Users still get access to each others

home folders. (The home folders are automatically created by Active Directory

users and computers, when creating a new user)

 

Any more ideas??

 

 

 

"Sven-D" wrote:

> Just tested this in my test environment - and it works on home folders :)

>

> The reason I use home folders are:

> - they are already there..

> - people already have lots of music, pictures etc in my documents. don't

> want that on the server.

> - I want to enrypt the offline folder cache. Haven't found a way to do that

> with my documents redirection - but maybe someone has a solution for that,

> too?

>

>

> "Lanwench [MVP - Exchange]" wrote:

>

> > Sven-D <sven-d@discussions.microsoft.com> wrote:

> > > I am having a trouble with users home folders and offline folders.

> > >

> > > The issue is like this:

> > > when making a folder offline (either through group policy og by right

> > > clicking and selecting make available offline) I get the following

> > > error: "Offline Files (\\server\share): Unable to make 'share'

> > > available offline on \\server\users\username. Access is denied."

> > >

> > > The structure on the server looks like this:

> > > - users : shared folder, domain users full control (share permission)

> > > - username : subfolders with the name of the user. created

> > > automatically when the user is created in AD.

> > >

> > > According to an article I found, it is a permissions issue with the

> > > top-folder "users":

> > > http://support.microsoft.com/kb/275461

> > >

> > > I can get it to work by doing the following:

> > > - granting domain users ntfs "read" access on the top "users" folder.

> > > (but this lets everyone check the contents of other users folders, so

> > > then I have to:)

> > > - edit the ntfs permissions on every sub folder, so the don't inherit

> > > permissions from the top folder.

> > >

> > > This will add administrative overhead, as I will have to remove this

> > > permission everytime a new user is created. It is easy to forget,

> > > also..

> > >

> > > I feel there is something vital I am missing here... It isn't meant

> > > to be this way, is it?

> >

> > You might check out "How to dynamically create security-enhanced redirected

> > folders by using folder redirection in Windows 2000 and in Windows Server

> > 2003" - http://support.microsoft.com/kb/274443.

> > It doesn't *exactly* describe your setup but should help with the folder

> > permissions.

> >

> > I don't use home directories anymore - they're a pretty antiquated concept.

> > If you just set up folder redirection for My Documents, you can use "basic -

> > redirect everyone to the same location" and "create a folder under the

> > parent share" ...e.g., \\server\home$\%username%\My Documents. You can map a

> > drive letter to that if you like, also.

> >

> > There are all sorts of group policy settings for offline files, too -

> > including one that automatically makes subfolders available offline.

> >

> >

> >

[Guest Phillip Windell]

Re: Offline Folders - Windows Server 2003

 

"Sven-D" <sven-d@discussions.microsoft.com> wrote in message

news:D8546371-52FF-458D-A668-12DC37A400E2@microsoft.com...

> Ooops! I was a litte quick there... Users still get access to each others

> home folders. (The home folders are automatically created by Active

> Directory

> users and computers, when creating a new user)

 

The document she pointed you to will cover the permissions issues.

 

How to dynamically create security-enhanced redirected

folders by using folder redirection in Windows 2000 and in Windows Server

2003" - http://support.microsoft.com/kb/274443.

 

Don't "blow over" the permissions decription, it is important, it is the

key, and it is not the "default" permissions you might expect it to be if

you don't look closely. Take note how the permissions in the Root above the

user's folders allow the creation of the folders below that but do not grant

permissions to the folders after they are created.

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------