Besides tweaking the SBS Folder Redirection Policy to point to the standalone server and the share that will be used as base for the user’s root redirected folder, we need to make sure that the permissions on the base folder are set properly before things start to work.
Unfortunately the base NTFS permission set that the SBS server sets to its own folder redirection share will not work when we are dealing with a separate server.
So, what we need to do is the following:
- CREATOR OWNER
- Domain Users
With those permissions set at the NTFS (Share = Everybody: FULL) folder redirection should work without a hitch.
Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book
*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.
3 comments:
Why would you use Everyone:Full, I would think a more secure arrangement would be Authenticated Users:Change. There is no good reason to give anyone aside from admins full.
I thought so too and the subject was brought up at a Deep Dive we MVPs had last year.
The question was asked about why the SBS Wizards were setting Everyone=FULL on shares.
The answer was essentially that if the NTFS permissions were set correctly there was no need to limit via share access.
Remembering back to my NT4 days when we constructed permissions pyramids with NTFS on one side and Share on the other I can see the logic in that answer. Things got really complicated really fast.
Tie in that when Access-based Enumeration is enabled, we enable it on all shares on our servers, users don't see any folders they do not have permissions to at the NTFS level anyway.
Thanks for the comment,
Philip
Any chance of a post definitively describing how you should set permsissions on redirected users folders, so admins and backup operators can gain access to them without having wrecking the permissions and casuing havoc with it working correctly?
your blog has been a great assistance whilst i go through my first SBS setup - many thanks!
Post a Comment