Guest Bryan L Posted November 8, 2007 Posted November 8, 2007 I have been using folder redirection in my domain for some time and recently used article 288991 to ensure that I was following best practices for securing the redirected folders. The domain controller and the server hosting the redirected share are both running Server 2003, all clients are XP Pro SP2. I want to grant Domain Admins, SYSTEM, and CREATOR OWNER full access to redirected folders. This should ensure that users have exclusive access to their folders with the exception that Domain Admins also have full access. Share permissions are set to Everyone: Full Control. The odd behavior is observed when I try to set/check the permissions for CREATOR OWNER. Per the article, I have granted CREATOR OWNER Full Control over the Redirected folder, but when I check the ACL on the Redirected folder, all checkboxes for CREATOR OWNER are clear except for Special Permissions. However, if I click Advanced, select CREATOR OWNER, and click Edit to view the atomic permissions, CREATOR OWNER has Full Control -- every single checkbox in the Allow column is selected. Also of possible note is the fact that those permissions are being applied to Subfolders and Files only. I once tried changing that to "This folder, subfolders and files" but it had no effect on the permissions displayed for CREATOR OWNER on the Security tab - they still show all checkboxes empty except for Special Permissions. I checked the ACL on specific users' subfolders and files under the Redirected folder, and found the same discrepancy in how the ACL is presented on the Security tab vs. the atomic permisions displayed under Advanced. (The only difference was that the list of Allow checkboxes under Advanced were greyed out, indicating they they were indeed inherited from an upper-level parent.) My question is, should I be concerned? I followed exactly the same procedures when setting permissions for System and Domain Admins, and they display as expected on the Security tab - only the CREATOR OWNER is acting like this. It's been a couple of weeks now since I did this, but iirc, users weren't getting the access they were supposed to have, so I had to add each user to the ACL of their folder and grant them Full Control (but I can't remember for sure). Should I test what happens if I remove myself from the ACL of my own user folder, and see if the inherited CREATOR OWNER ACE is still granting me full control, and my user experience with my redirected folders is normal? All thoughts appreciated -- thanks in advance. Bryan
Recommended Posts