Make folder private through Group Policy

We have a user profile with the My Documents folder with the contents being stored on a networked drive running Server 2003.

We are trying to make everybody users "My Documents" folder private where not even the administrators on the server where the data is stored can view the documents.

Is this possible through AD group policy?

How about if I mark the folder as private on the client side, will this translate over to the MS Server if an administrator logs onto the server and tries to view the files??

Please help

Thanks

Find more posts tagged with

Comments

dynamik

If you configure folder redirection in a GPO and have it automatically create the folders, you will have what (I believe) you're looking for. If you manually created the folders in advance, you're going to have to set the permissions manually.

Technet wrote:

Folder Redirection permissions
This is an advanced topic. If you let Folder Redirection create folders for you, which is the recommended procedure, correct permissions are set automatically. Usually, knowledge of these permissions is not necessary.

http://technet2.microsoft.com/windowsserver/en/library/a1b7ce04-708b-4145-830a-cadfc003acd31033.mspx?mfr=true

SWM

What prevents an Administrator from then "taking ownership" of the folder at a later date ??

famosbrown

SWM wrote:

What prevents an Administrator from then "taking ownership" of the folder at a later date ??

And they should be able to just in case the employee leaves or the company needs something that the employee has without their permission...if it's sitting on company equipment, it's company property.

Goldmember

That link talks about the Local System account.

Anybody familiar or have information about the Local System account.

I found some information by googling, but nothing which made life simpler.

Thanks

famosbrown

Goldmember wrote:

That link talks about the Local System account.

Anybody familiar or have information about the Local System account.

I found some information by googling, but nothing which made life simpler.

Thanks

Didn't look at the link, but what do you need to know about it.

I look at the account like this...it's a user/service account used by the Operating System to get certain stuff done. Check out your services and look at all of the services being ran with this account. Have you ever installed an enterprise application that needed a domain user account or an account with certian privileges for the application to work? Kind of the same principal as the Local System Account.

Gav0

We are trying to make everybody users "My Documents" folder private where not even the administrators on the server where the data is stored can view the documents.

Have you considered using EFS? you could create a DRA key and limit emergency access to 'an administrator' as opposed to 'all administrators'

wedge1988

Consider using CALCS commandline utility to mass change the permissions. Test it first obviously!

http://www.ss64.com/nt/cacls.html
http://www.ss64.com/nt/xcalcs.html