When you enable Folder Redirection, the default behavior is to grant the user exclusive access to their folder.
When you implement this GPO, you should allow the client-side feature to automatically create the user's folder. To make the redirected folder secure, Folder Redirection:
1. Gives ownership to the user.
2. Sets the ACL on the redirected folder to User:Full Control, System:Full Control.
3. Prevents inheritance from the parent folder.
You can configure Folder Redirection to allow administrators access and still automatically create client folders in a secure manner:
01. Log on to the server that hosts the redirected user folders.
02. If user sub-folders exist, open a CMD prompt in the System Context and start Windows Explorer.
03. Use Windows Explorer to navigate to the top-level folder (D:\Users shared as \\ServerName\Users).
04. Right-click the folder and press Properties.
05. On the Security tab, clear the Allow inheritable permissions from parent to propagate to this object box.
06. When you are prompted to copy or remove permissions, press Remove.
07. Press Add.
08. Add the Administrators group, System, and Creator Owner, all with Full Control. Add Everyone with Create Folder/Append Data (Apply onto: This Folder Only), List Folder/Read Data (Apply onto: This Folder Only), and Read Attributes (Apply onto: This Folder Only).
09. On the Advanced tab, clear the Allow inheritable... check box and check the Reset permissions.... check box. Press Apply.
10. Open the Group Policy object where the Folder Redirection policy is set.
11. Navigate to User Configuration / Windows Settings / Folder Redirection.
12. Select the folder that you want to configure (My Documents) and press Properties.
13. On the Settings property, clear the Grant user exclusive rights to ...... box.
14. Close all windows.
When a user logs on, the Folder Redirection Group Policy extension creates the \\ServerName\Users\%UserName% folder and sets the owner as %UserName%. Because you cleared the Grant user exclusive rights to ..... box in step 13, the \\ServerName\Users\%UserName% folder will inherit the ACLs from the \\ServerName\Users folder, granting:
System: Full Control
Creator Owner: Full Control
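
The top-level folder ACL from steps 05 to 09 can also be applied from an elevated PowerShell prompt on the file server. The script below is an added example, not part of the original tip: the `New-Rule` helper and the `-ResetChildren` switch are names made up here, well-known SIDs stand in for the group names so it works on localized systems, and writing Creator Owner as an inherit-only entry is an assumption about how that entry should be stored.

```powershell
# Added example: share-root ACL for Folder Redirection with administrator access.
param(
    [string]$Path = 'D:\Users',   # top-level folder named in step 03
    [switch]$ResetChildren        # hypothetical switch: step 09 reset on existing sub-folders
)

# Hypothetical helper: builds one Allow entry from a well-known SID.
function New-Rule {
    param(
        [string]$Sid,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $id, $Rights, $Inherit, $Propagate,
                      ([System.Security.AccessControl.AccessControlType]::Allow)
}

# Start from an empty descriptor so no old explicit entries survive.
$acl = New-Object System.Security.AccessControl.DirectorySecurity
# Steps 05-06: block inheritance from the parent and drop the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

$all = 'ContainerInherit,ObjectInherit'   # this folder, sub-folders and files
# Step 08: Administrators, System and Creator Owner with Full Control.
$acl.AddAccessRule((New-Rule 'S-1-5-32-544' 'FullControl' $all 'None'))         # Administrators
$acl.AddAccessRule((New-Rule 'S-1-5-18'     'FullControl' $all 'None'))         # System
$acl.AddAccessRule((New-Rule 'S-1-3-0'      'FullControl' $all 'InheritOnly'))  # Creator Owner (assumed inherit-only)
# Step 08: Everyone may list the root and create a folder in it, this folder only.
$acl.AddAccessRule((New-Rule 'S-1-1-0' 'CreateDirectories,ListDirectory,ReadAttributes' 'None' 'None'))

Set-Acl -LiteralPath $Path -AclObject $acl

if ($ResetChildren) {
    # Step 09: replace ACLs on existing sub-folders with the inherited defaults.
    icacls.exe (Join-Path $Path '*') /reset /T /C | Out-Null
}

# Check: every entry should show IsInherited = False, and Everyone should have
# InheritanceFlags = None so its rights never reach the per-user folders.
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

Because the Everyone entry applies to this folder only, users can create their own folder in the root but get no rights inside anyone else's folder.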