Restoring Inheritance for Work Folders SyncShare on Server
Hi Mike.
The sync share created with the WSE WorkFolders wizard is set up with an access policy to “disable inherited permissions and grant users exclusive access to their files”. For a business, this is sensible as it maintains user privacy and security.
However, for my home use case (for me and my immediate family), this configuration is undesirable, is it prevents us from setting up file-level synchronization for the Work Folders storage share between our primary and backup servers.
Unfortunately, this setting cannot be changed through Server Manager once the sync share is created, apparently.
My question is, is there a safe way to change security descriptors for WseSyncShare to: 1) enable inheritance, and 2) ensure that domain admins have access to all files and folders within? I am hesitant to try to do this in File Explorer without checking with you in case it would mess something up for your product.
Please let me know your thoughts.
- Gary Voth asked 1 month ago
- last edited 1 month ago
- You must log in to post comments.
WorkFolders is actually a Microsoft server role/feature that’s included with the server OS and WSE WorkFolders simply instructs that role/feature to create the sync share in its default configuration for you (via it’s Essentials Dashboard integration). It has been many years since I first wrote the add-in and so I don’t recall off the top of my head if there was a specific setting to not disable inherited permissions on the newly created sync share (although I assume there must be since there’s a checkbox for doing that within the WorkFolders server manager UI – as you’ve shown).
My guess would be that it is disabled by default when first creating the sync share (for security reasons) and that it can’t be enabled/changed once the sync share has been initially created, although I don’t know for sure. You’d most likely need to start over and recreate the synch share from scratch again and not disable the inherited permissions. I’d need to dig into the source code and see if that could be accomplished via WSE WorkFolders though.
That being said… Since WorkFolders is a Microsoft product, you might be able to do a general Internet search and see if inherited permissions can be enabled on an existing synch share (i.e. why is that checkbox disabled within the WorkFolders server manager UI). In all the years that WSE WorkFolders has been around (nearly a decade now I believe), I’ve never had anyone inquire about this before and so I don’t really know the answer I’m afraid (as I’ve never looked into it before).
- Mike answered 1 month ago
- last edited 1 month ago
- You must log in to post comments.
Okay, I took a quick look back at the source code and the sync share is being created in WSE WorkFolders using the New-SyncShare PowerShell command. The “InheritParentFolderPermission” property isn’t being specified to the command and so each user is granted exclusive access to their user folder, and administrators have no access rights by default.
Apparently, you can modify the settings on the existing sync share to enable the share to inherit permissions from the parent folder using the Set-SyncShare command and specifying the InheritParentFolderPermission property like so:
Set-SyncShare -Name "WseSyncShare" -InheritParentFolderPermission
SEE: Modify a sync share to enable inherited permissions
I’ve never tested this before and so I’d make sure that you have a good working backup of your server before attempting it (i.e. you’re on your own). If it ends up working out for you then let me know and I’ll see what I can do about adding a UI to WSE WorkFolders that allows folks to be able to change it (or at least to set it up that way initially when first creating the sync share anyway).
Lastly, I don’t know why that checkbox is disabled within the WorkFolders server manager UI, and so there may be some limitation to doing this that I’m not aware of ATM. Thus, the Set-SyncShare command may possibly fail on you it that is indeed the case.
- Mike answered 1 month ago
- last edited 1 month ago
- You must log in to post comments.
Thank you for looking into this so quickly.
I’ll have a look at the PowerShell cmdlet. It seems straightforward enough, and I’ve got backups of everything in case I need.
Since I’m now on Server 2022 Standard, I realize I could probably create my own Work Folders syncshare, but I like the WSE Dashboard integration provided by your product and didn’t want to roll my own.
I’ll let you know how it works out.
Best,
Gary
- Gary Voth answered 1 month ago
- last edited 1 month ago
- You must log in to post comments.
Hi Mike. This attempt was successful. I was able to disable encryption in Server Manager and then enable inheritance with PowerShell, and so my admin account can manage the share.
FWIW, I just bought a lifetime license for your add-ins. Not sure how many of us are left, haha, but I appreciate the work you do to keep WSE alive.
Best,
Gary
- Gary Voth answered 1 month ago
- last edited 1 month ago
- You must log in to post comments.
That’s good news. I’m very glad to hear it worked for you. I’ll look into adding that functionality to the WSE WorkFolders UI for folks. Thanks for letting everyone know. ; -)
While the numbers of folks still using Essentials is indeed on the decline, you’d actually be amazed by how many still do. It’s really sad that Microsoft has given up on it seeing as there’s still nothing like it on the market today. It’ll be sorely missed once its end of life arrives on January 12, 2027 that’s for sure (although I suppose many folks will be holdouts, just as you are for your Windows 7 clients, especially now that they can continue using it in Windows Server 2019, 2022, and 2025 thanks to the WSEE Installer).
- Mike answered 1 month ago
- last edited 1 month ago
- You must log in to post comments.