Solved

administrator not able to access redirection-created subfolders.

Posted on 2016-08-03
8
80 Views
Last Modified: 2016-08-04
We have a Windows 2012 RDS collection with 1 connection broker, 2 hosts, 1 file server that holds the roaming profiles.

We have a group policy that redirect users' DESKTOP, DOCUMENTS, FAVORITES, DOWNLOADS to a network share (\\fileserver\userdata).

The redirections work.  I see the \\fileserver\usersdata contains the user profiles and within each profiles, the DESKTOP, DOCUMENTS, FAV, DOWNLOADS folders are created.  

The issue comes when I login as an administrator to the file server, when I try to access for example the DESKTOP folder within a user folder, I am getting access is denied.  After checking, I have realize only SYSTEM and the users themself have access.

I as an admin can probably take ownership of all the user profiles but I am wondering if this a normal file access security behavior for the subfolders being created by redirection?  

Please advise if there is a configuration I have missed.  

Thanks,
0
Comment
Question by:nav2567
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41740886
Yes, that is normal behavior. The group policy even has a checkbox to override that behavior, although I wouldn't unless you really have a reason to. Also note that changing the group policy to allow admin access will *only* impact new folders created moving forward. Folders already created will still be accessible only by the owner.
0
 
LVL 1

Expert Comment

by:Christopher Milligan
ID: 41740917
Hi,

had something very similar myself when I first deployed Citrix, yes you can take ownership but we found this caused headaches further down the line when users tried to make changes etc.

The way I have got around it is that I have a folder called RDS and inside that I have my Userhome and RDProfiles.  I set RD Admins to have Full Control on Userhome and RDProfiles then on the share I use the default share such that admins were the owner, then used the Advanced Sharing options to let RD Users have Full Control.  SYSTEM should have full control on the folders as default when you create them.

I found this allowed my RD Admins to always have Full Admin rights on any sub folders that were created.

Hope this helps.

Many Thanks

Christopher
Advanced-Sharing-Permissions.JPG
Default-Share.JPG
0
 

Author Comment

by:nav2567
ID: 41740974
Thanks, Cliff.  Thanks, CMIL.

Cliff, our environment requires administrators to be able to access the user profiles to work on things includes user profiles being created by redirection.  

I do not see the button to enable that in GP.  Would you advise where?
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:nav2567
ID: 41741249
Chris, would you elaborate your trick?  So you have redirect to point to the \\server\rds share or \\server\rds\rdprofiles?  How did you setup RD Admins permission in share of userhome and rdprofile SHARE and SECURITY?  

Cliff, I do not think we want to uncheck "Grant the user exclusive rights to ....." as doing this will give everyone read access to everyone profile content.  

Thanks.
0
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 400 total points
ID: 41741510
"Cliff, I do not think we want to uncheck "Grant the user exclusive rights to ....."

Yes, that's what you want to uncheck. And no, it doesn't grant everyone read access.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41741518
0
 
LVL 1

Assisted Solution

by:Christopher Milligan
Christopher Milligan earned 100 total points
ID: 41741886
Hi,

My folder structure is RDS and then two sub folders called TSProfiles and Userhome.  Both these sub folders are shared out using hidden shares (pop a $ at the end of a share name) and the securities are as per my attached screenshots from my last post.  Inside my group policy I set the computer policy to point Roaming User Profile to \\servername\tsprofiles$ and the User Home Directory to \\servername\userhome$.

The actual securities on both these folders are the same and are:

CREATOR - Full Control - Subfolder and Files Only
Administrators - Full Control - This folder, subfolders and files
SYSTEM - Full Control - This folder, subfolders and files
CTX Users - Special- This folder, subfolders and files (CTX Users is my usergroup from Remote Desktop Users)

The special settings are attached in the screenshot called "User Permissions".

Many Thanks

Christopher
User-Permissions.JPG
0
 

Author Comment

by:nav2567
ID: 41742615
I am using Cliff's approach.

Thanks, everyone.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question