

Redirected Home Drives - Problems installing software

Posted on 2009-05-13
Medium Priority
Last Modified: 2012-05-06
Ok, I'll start at the beginning.

I had an issue where a new user couldn't install software (windows installer), the error message they get is;

Error 1324. the path My Documents contains an invalid character.

I've also seen a similar message, which I haven't got to hand, which goes something like;

the <username> is not a valid short name.

Right, my documents has been redirected for all users to one of our file servers. After lots of reading, I have nothing. I've done lots of testing too and come up with something. If I make the user in question a local admin of the file server storing my documents, he can install with no errors.

So this leads me to the file server and permissions on that. They have full control to my documents and I tried giving him full control to the share but no joy. I've also looked at the local security policy and given them rights to any objects that seemed like they could be remotely relevant (like bypass traverse checking, back up files and directories, etc.). Yes, clutching at straws here.

The answer has to be within the rights on the file server but I just can't see what. Can anybody give me a clue on where I should be looking next? I naturally don't want to give them admin rights to the file server, nor do I want to do what the previous admins have done, which is add them to domain admins :)

Oh, Windows 2003 R2 SP2 servers, Windows 2003 AD domain in mixed (I think)
Question by: stantechserv

Expert Comment

ID: 24402352
When you applied Full Control permissions to the My Documents folder, did you ensure this change propagated to all sub folders/files?

On the top folder, go Properties | Security | Advanced | Tick 'Replace permission entries on all child objects...'

Also, do the users actually have permissions to install new software regardless of file redirection? Usually standard Domain Users do not.

There is a policy you can set to have Windows Installer run with elevated permissions:

Computer Configuration | Administrative Templates | Windows Components | Windows Installer | Always Install with Elevated Privileges

This would have to be applied to the users' workstations, not the server.

Hope this helps.


Author Comment

ID: 24411270
In order;

1. Yes. Full control is applied to all files and folders, inherited down through the tree.

2. The users in question have been put into the administrators group on the local security policy of the machine in question. So AFAIC they have sufficient rights to install software onto that machine.

3. This doesn't seem relevant; the issue seems to be around permissions or the way the Windows Installer sees the redirected home drive. Regardless, I'll try this out and report back, as anything is worth a try.

Author Comment

ID: 24411655
#3 tested, sorry this didn't help :(

I think I might need to test the behaviour of redirected documents and installing Windows Installer apps in a test lab. See if it's my environment or a "feature".

Expert Comment

ID: 24411885
How have you redirected the folders in the policy? What string have you used to denote the username?

You should be using %username%.

Also, you haven't used an administrative share such as c$ in the UNC have you?

Author Comment

ID: 24411990
Good question.

We're using
User Config\Windows Settings\Folder Redirection\My Documents\
Setting : Basic : redirect everyone's folder to the same location
Path: \\<server>home drives\%username%\my documents

One thing I noticed there was that "Grant user exclusive rights to my documents" was disabled.

Expert Comment

ID: 24421730
Granting exclusive access just blocks administrators from accessing the profile, so this shouldn't be causing your problem.

Have a look in the registry under the following keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

How do the paths show in here? (My documents is 'Personal') Anything funny looking?

Author Comment

ID: 24515975
Personal shows as;

 \\<server>\home drives\<username>My Documents

in both locations. Nothing seems to suggest any foul play in that key. As a test, I can UNC to that from that machine.

Author Comment

ID: 24515977
Increasing points fwiw

Accepted Solution

trafsta earned 2000 total points
ID: 24714514
I had this same exact issue with only certain users. It occurred in Windows Vista and Windows RC7 clients (one user was upgraded from Vista to Win7 and the issue still existed after that). The UNC path is "\\<server>\home$\<username>\My Documents" as well. I too figured it must be server-side permissions. And after some more digging, found out earlier today that indeed it was permissions.

The \\<server>\home$ share did not allow "Domain Users" to list contents of the root. The users only had permissions to their own subfolder of that root.

So, for example, 'testuser', could access \\<server>\home$\testuser, but could not access \\<server>\home$ (access denied).

I tried giving the group "Domain Users" special permissions on the root home$ folder, applied to "This Folder Only", and removed the checkbox on "read permissions" (so they only have "traverse folder/execute file", "list folder/read data", "read attributes", and "read extended attributes" to that one folder only, not subfolders [which would be a huge security issue :)])

Doing this instantly solved the problem. Users receiving the windows installer error could now install software without an issue.

I hope this resolves the problem for you, and many others out there. I probably wasted many many days in total resolving this little problem. ;)
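
The permission change described in the accepted answer, as an added PowerShell example that is not part of the original post: it grants the group the four listed rights on the share root with no inheritance, then checks that no user subfolder carries an entry for that group. The path `D:\Home` and the group name `CONTOSO\Domain Users` are placeholders, and an elevated session on the file server is assumed.

```powershell
# Added example, not from the thread. Placeholder values: adjust before use.
param(
    [string]$Root     = 'D:\Home',              # local folder behind the home$ share (assumed)
    [string]$Identity = 'CONTOSO\Domain Users'  # your domain's "Domain Users" group (assumed)
)

# The four rights named in the answer: "Read" minus "Read permissions".
$rights = [System.Security.AccessControl.FileSystemRights]`
    'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes'

# InheritanceFlags None + PropagationFlags None is "This folder only" in the GUI,
# so the entry never reaches the per-user subfolders.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $Root
$acl.AddAccessRule($rule)
Set-Acl -Path $Root -AclObject $acl

# Show what the group now has on the root itself.
(Get-Acl -Path $Root).Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize

# Audit: any entry for the group on a user's folder means users can see into
# each other's home directories. Expected result is no rows.
$leaks = Get-ChildItem -Path $Root -Directory | ForEach-Object {
    $dir = $_
    (Get-Acl -Path $dir.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object @{ n = 'Folder'; e = { $dir.FullName } }, FileSystemRights, IsInherited
}

if ($leaks) {
    Write-Warning "Group has access on user subfolders:"
    $leaks | Format-Table -AutoSize
} else {
    "OK: no entries for $Identity on subfolders of $Root"
}
```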

Author Comment

ID: 24719379
Trafsta, you genius!

Strange thing is, I just came across another issue with people not being able to create mail merges; this also boiled down to permissions on \\<server>\home. So I did exactly what you'd said on Monday and that problem went away, but I never thought of testing the installation issue after making that change.

So I just tested it and yes, the issue seems to be resolved.

Expert Comment

ID: 24719750
Hey stantechserv :) Yes, it was a very strange problem. Fixing the permissions actually fixed another "Offline files" issue that I've been having for about 1 1/2 years (offline files would stay offline and not allow the user to go back online after resuming from hibernate or sleep mode)... it was much more troublesome than this Windows Installer error even. I posted pretty much the same answer to that problem here (check it out): http://www.thebitguru.com/articles/21-Fixing%20Offline%20Files%20in%20Windows%20Vista

So I'm guessing there might be even more problems out there that can be solved by correcting permissions on users home folder share.

I'm going to check out other strange problems that users have been having today to see if this fix might have resolved their issues as well. :)


Question has a verified solution.
