Solved

Redirected Home Drives - Problems installing software

Posted on 2009-05-13
Last Modified: 2012-05-06
Ok, I'll start at the beginning.

I had an issue where a new user couldn't install software (windows installer), the error message they get is;

Error 1324. the path My Documents contains an invalid character.

I've also seen a similar message which I haven't got to hand which goes something like;

the <username> is not a valid short name.

Right, my documents has been redirected for all users to one of our file servers. After lots of reading, I have nothing. I've done lots of testing too and come up with something. If I make the user in question a local admin of the file server storing my documents, he can install with no errors.

So this leads me to the file server and permissions on that. They have full control to my documents and I tried giving him full control to the share but no joy. I've also looked at the local security policy and given them rights to any objects that seemed could be remotely relevant (like bypass traverse checking, backup files and directories etc.). Yes, clutching at straws here.

The answer has to be within the rights on the file server but I just can't see what. Can anybody give me a clue on where I should be looking next? I naturally don't want to give them admin rights to the file server, nor do I want to do what the previous admins have done which is add them to domain admins :)

Oh, windows 2003 R2 SP2 servers Windows 2003 AD domain in mixed (I think)
Thanks
Question by:stantechserv
11 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24402352
When you applied Full Control permissions to the My Documents folder, did you ensure this change propagated to all sub folders/files?

On the top folder, go Properties | Security | Advanced | Tick 'Replace permission entries on all child objects...'

Also, do the users actually have permissions to install new software regardless of file redirection? Usually standard Domain Users do not.

There is a policy you can set to have Windows Installer run with elevated permissions:

Computer Configuration | Administrative Templates | Windows Components | Windows Installer | Always Install with Elevated Privileges

This would have to be applied to the users' workstations, not the server.

Hope this helps.


0
 

Author Comment

by:stantechserv
ID: 24411270
In order;

1. Yes. Full control is applied to all files and folders inherited down through the tree

2. The users in question have been put into the administrators group on the local security policy of the machine in question, so AFAIC they have sufficient rights to install software onto that machine

3. This doesn't seem relevant, the issue seems to be around permissions or the way the windows installer sees the re-directed home drive. Regardless, I'll try this out and report back as anything is worth a try
0
 

Author Comment

by:stantechserv
ID: 24411655
#3 tested, sorry this didn't help :(

I think I might need to test the behaviour of redirected documents and installing windows installer apps in a test lab, to see if it's my environment or a "feature"
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24411885
How have you redirected the folders in the policy? What string have you used to denote the username?

You should be using %username%.

Also, you haven't used an administrative share such as c$ in the UNC have you?
0
 

Author Comment

by:stantechserv
ID: 24411990
Good question.

We're using
User Config\Windows Settings\Folder Redirection\My Documents\
Setting : Basic : redirect everyone's folder to the same location
Path: \\<server>home drives\%username%\my documents

One thing I noticed there was Grant user exclusive rights to my documents was disabled
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24421730
Granting exclusive access just blocks administrators from accessing the profile, so this shouldn't be causing your problem.

Have a look in the registry under the following keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

How do the paths show in here? (My documents is 'Personal') Anything funny looking?
0
 

Author Comment

by:stantechserv
ID: 24515975
Personal shows as;

 \\<server>\home drives\<username>My Documents

in both locations. Nothing seems to suggest any foul play in that key. As a test, I can unc to that from that machine
0
 

Author Comment

by:stantechserv
ID: 24515977
Increasing points fwiw
0
 
LVL 1

Accepted Solution

by:
trafsta earned 500 total points
ID: 24714514
I had this same exact issue with only certain users. It occurred in Windows Vista and Windows RC7 clients (one user was upgraded from Vista to Win7 and the issue still existed after that). The UNC path is "\\<server>\home$\<username>\My Documents" as well. I too figured it must be server-side permissions. And after some more digging, found out earlier today that indeed it was permissions.

The \\<server>\home$ share did not allow "Domain Users" to list contents of the root. The users only had permissions to their own subfolder of that root.

So, for example, 'testuser', could access \\<server>\home$\testuser, but could not access \\<server>\home$ (access denied).

I tried giving the group "Domain Users" special permissions on the root home$ folder applied to "This Folder Only" and removed checkboxes on "read permissions" (so they only have "traverse folder/execute file", "list folder/read data", "read attributes", and "read extended attributes" to that one folder only, not subfolders [which would be a huge security issue :)])

Doing this instantly solved the problem. Users receiving the windows installer error could now install software without an issue.

I hope this resolves the problem for you, and many others out there. I probably wasted many many days in total resolving this little problem. ;)
0
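The fix in the accepted answer, as an added PowerShell example (not part of trafsta's post), followed by two checks that the new entry really is "This folder only". The share path and group name are placeholders, and the script assumes it is run by an administrator of the file server.

```powershell
# Added example. $Root and $Group are hypothetical placeholders, not values from the thread.
param(
    [string]$Root  = '\\fileserver\home$',     # root of the home-folder share
    [string]$Group = 'EXAMPLE\Domain Users'    # must match the name as Get-Acl displays it
)

# The four rights named in the answer; "read permissions" is deliberately left out.
$rights = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes'

# "This folder only" = no inheritance flags and no propagation flags.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $Root
$acl.AddAccessRule($rule)
Set-Acl -Path $Root -AclObject $acl

# Check 1: no entry for the group on the root may be inheritable, otherwise
# every user could list every other user's home folder.
$inheritable = (Get-Acl -Path $Root).Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and $_.InheritanceFlags -ne 'None'
}
if ($inheritable) {
    Write-Warning "Inheritable entry for $Group found on $Root"
}

# Check 2: the group should not appear on any per-user folder at all.
foreach ($dir in Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer }) {
    $hit = (Get-Acl -Path $dir.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group }
    if ($hit) {
        Write-Warning "$Group has an entry on $($dir.FullName)"
    }
}
```

Both checks print nothing when the ACL matches what the answer describes; any warning means the group can see more than the root listing.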
 

Author Comment

by:stantechserv
ID: 24719379
Trafsta, you genius!

Strange thing is, I just came about another issue with people not being able to create mail merges, this also boiled down to permissions on \\<server>\home. So I did exactly what you'd said on Monday and that problem went away but I never thought of testing the installation issue after making that change

So I just tested it and yes, the issue seems to be resolved.
0
 
LVL 1

Expert Comment

by:trafsta
ID: 24719750
Hey stantechserv :) Yes it was a very strange problem. Fixing the permissions actually fixed another "Offline files" issue that I've been having for about 1 1/2 years (offline files would stay offline and not allow the user to go back online after resuming from hibernate or sleep mode)... it was much more troublesome than this windows installer error even. I posted pretty much the same answer to that problem here (check it out): http://www.thebitguru.com/articles/21-Fixing%20Offline%20Files%20in%20Windows%20Vista

So I'm guessing there might be even more problems out there that can be solved by correcting permissions on users home folder share.

I'm going to check out other strange problems that users have been having today to see if this fix might have resolved their issues as well. :)
0
