Folder redirection user permissions block access to Administrators


When using Folder Redirection on a Windows 2003 server, the default policy is allow only ownership and permissions to the user. No admin account would have access to this folder. For example, you create a Group Policy to redirect user’s My Documents folders to a home directory on the server. Once a user logs on and this policy is applied, the folder is created with ownership of the user only, and file permissions granted for that user only, too.

This has presented a big problem for me, having come from Windows 2000, where this was not the case. As you might guess, when only the user has permissions specified, no administrator can get access to this folder for backup purposes. Our backups always failed.

Well then, on Windows 2003 Server, two default policies are in place making the user’s folders more secure. Nice, but I don’t care. I want backup rights by default. Go into the Group Policy where you would like to define the new policy. I made a new Organizational Unit and put all my computers in there, so I could define the policy at a lower level, instead of at the domain level. Once into and editing you policy, drill down to here:
Computer Configuration –
Administrative Templates –
System –
User Profiles –

In here look for these two policies and enable them:
“Do not check for user ownership of Roaming Profile Folders”
“Add the Administrators security group to roaming user profiles”

Now this will allow Windows 2003 to behave more like Windows 2000 on the redirected folders. Unfortunately, there is one issue. It does not change permissions on previously created folders, only on newly created folders. That’s a pain, but not that big a deal, because I can probably script some folder moves and recreate them.

Also, even though this says “Roaming” in the policy items, they apply to local and roaming accounts.  So even if your users are normal, non-roaming profiles, you still need to set.  In my case, we did not have any roaming profiles and only used folder redirection OR simply had home folders mapped from the server.  Doing either of those had the same permissions problem and the policies mentioned solved the issue. (except for previously created folders, it only changes on newly created folders after the policy change.)