A client has folder redirection in AD set up on each user's Home Folder set to the Z:\ drive as \\server\share\username. A Group Policy redirects the user's Documents to the user's Home Folder with the option 'Grant the user exclusive rights to Documents' selected.
The share on the server has permissions for the relevant user security group with 'Full Control', but each user's folder only has NTFS permissions for 'CREATOR OWNER' and 'Domain Admins'.
Why can the different users access other users' folders? I thought the most restrictive permissions applied effectively between the share and the NTFS permissions.
Also, this setup has been like this for years, and this client recently updated all client computers to Windows 7. What is the best way to set up this redirection now? I assume only in Group Policy, also Basic Redirection - to create a folder for each user under the root path?
On one of the folders, Security tab > Advanced button, you can use the Effective Permissions tool to determine exactly what permissions are conferred to a particular security principal.
I would suspect that a user may have elevated permissions or rights that you are not aware of. This may occur due to inadvertent or inappropriate rights assignment or group membership nesting.
gpresult may be used on a user's station where they are logged on to get a complete report of their actual group membership. Or if you have access to a computer where one of the users has recently logged on, you can run
gpresult /user domain\username /h gpresult.html
to generate the RSoP data from their local profile.
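
The Effective Permissions check described above can be run across every home folder at once. The following is an added example, not part of the original answer: it lists each Allow entry on a user folder that belongs to neither the folder's own user, 'CREATOR OWNER' nor 'Domain Admins', and shows whether the entry is inherited from the share root. It assumes PowerShell 3.0 or later, that each folder name equals the user's logon name, and uses the placeholder path \\server\share from the question.

```powershell
# Added example: audit per-user home folders for unexpected Allow ACEs.
param(
    # Placeholder root from the question; replace with the real share or local path.
    [string]$Root = '\\server\share',
    # Principals the question says should be present on every user folder.
    [string[]]$ExpectedPatterns = @('CREATOR OWNER', '*\Domain Admins')
)

$findings = foreach ($folder in Get-ChildItem -LiteralPath $Root -Directory) {
    $acl = Get-Acl -LiteralPath $folder.FullName

    foreach ($ace in $acl.Access) {
        # Deny entries cannot explain unexpected access, so skip them.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $id = $ace.IdentityReference.Value

        # Assumption: the folder is named after the user's logon name,
        # so DOMAIN\<folder name> is that folder's legitimate user.
        $isOwnUser = $id.EndsWith('\' + $folder.Name,
            [System.StringComparison]::OrdinalIgnoreCase)

        $isExpected = $false
        foreach ($pattern in $ExpectedPatterns) {
            if ($id -like $pattern) { $isExpected = $true; break }
        }

        if ($isOwnUser -or $isExpected) { continue }

        # Anything left is a principal with access that the intended
        # design does not account for; report it with its source.
        [pscustomobject]@{
            Folder    = $folder.Name
            Owner     = $acl.Owner
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True = comes from a parent folder
        }
    }
}

if ($findings) {
    $findings | Sort-Object Folder, Identity | Format-Table -AutoSize
} else {
    Write-Output "No unexpected Allow entries found under $Root"
}
```

Entries with Inherited set to True come from a parent folder's ACL; compare the Identity column against the group membership reported by gpresult for the affected users.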