Move OneDrive folder to D:\ for all users - NTFS permission question.

Highlighted
Senior Member

Assume the following scenario:

 

1) Users are not local admins and access to C drive is very restricted,

2) OneDrive folder has been moved to D:\ drive and placed inside OneDrives subfolder.

3) OneDrive itself is configured to store data in "D:\OneDrives\%Username%\OneDrive - ORG NAME GOES HERE" so everyone's data is separated and doesn't go into one big bucket.

 

I am pre-creating D:\OneDrives\%Username% using the GPO but permissions are all wrong (as they are inherited from root of D) meaning anyone can get to their own OneDrive folder as well as the others i.e.

 

D:\OneDrives\JoePublic

D:\OneDrives\JoePublic2

D:\OneDrives\JoePublic3

 

and so on. If I don't pre-create the D:\OneDrives\%Username% folder autoconfiguration of OneDrive doesn't work and automatic signing in is not working so the folder has to exist before OneDrive can do its business.

 

All files under D:\OneDrives are visible and accessible to anyone - question is, how do I restrict this so only the logged on user can see their own data and nothing else underneath D:\OneDrives?

 

If OneDrive is left in the users profile the permissions are set correctly plus you can't jump to someone else's profile anyway but my requirement is to have the data store away from users profiles and on the D drive.

 

Any help or ideas are much appreciated :)

 

Many thanks,

Adrian

3 Replies
Highlighted

How do you precreate those folders? You should disable inheritance on each user folder, then set explicit permissions for each user on their respective folders, that should work fine :)

Manually doing that would be a chore, but you can automate it with Powershell or a tool like XCACLS.

Highlighted

We use GP folder redirection to redirect folders to D and use the information from the first link below to set permissions.  These permissions are set via GPO and this is explained in the second link. 

 

https://support.microsoft.com/en-us/help/274443/how-to-dynamically-create-security-enhanced-redirect...

 

https://www.linkedin.com/pulse/assign-file-folder-permissions-via-group-policy-farid-soltani/ 

 

with the second component, don't forget to remove permissions for "Everyone"

 

Hope this helps.  

Highlighted

forgot to mention.  we created a D:\Users directory and our profiles are directed to here.  permissions set on D:\Users for us, but can't see why the same process wouldn't work on the Root as well.  

 

so for onedrive for example, you would end up with D:\Users\USERNAME\Onedrive