administrator not able to access redirection-created subfolders.

Posted on 2016-08-03
Last Modified: 2016-08-04
We have a Windows 2012 RDS collection with 1 connection broker, 2 hosts, 1 file server that holds the roaming profiles.

We have a group policy that redirects users' DESKTOP, DOCUMENTS, FAVORITES, DOWNLOADS to a network share (\\fileserver\userdata).

The redirections work.  I see the \\fileserver\usersdata contains the user profiles and within each profile, the DESKTOP, DOCUMENTS, FAV, DOWNLOADS folders are created.

The issue comes when I log in as an administrator to the file server: when I try to access, for example, the DESKTOP folder within a user folder, I get "access is denied".  After checking, I have realized only SYSTEM and the users themselves have access.

I as an admin can probably take ownership of all the user profiles, but I am wondering if this is normal file access security behavior for the subfolders being created by redirection?

Please advise if there is a configuration I have missed.  

Thanks,
Question by:nav2567
8 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41740886
Yes, that is normal behavior. The group policy even has a checkbox to override that behavior, although I wouldn't unless you really have a reason to. Also note that changing the group policy to allow admin access will *only* impact new folders created moving forward. Folders already created will still be accessible only by the owner.
0
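
An added example (not from the thread or any poster's own code): since the policy change only affects folders created afterwards, this PowerShell sketch reports which existing redirected folders still lack an effective Full Control entry for BUILTIN\Administrators. The `$Root` default is the share named in the question, the function name `Test-AdminFullControl` is hypothetical, and checking only the local Administrators group (not Domain Admins or a custom admin group) is an assumption.

```powershell
# Added example: audit redirected folders for administrator access.
# $Root is taken from the question; adjust it to your redirection root.
param([string]$Root = '\\fileserver\userdata')

$AdminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$Full     = [System.Security.AccessControl.FileSystemRights]::FullControl
$InhOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-AdminFullControl {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Typical for folders created with "exclusive rights": the admin
        # cannot even read the ACL.
        return 'AclUnreadable'
    }
    # Resolve identities to SIDs so the check is locale-independent.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        # Skip ACEs that only propagate to children and do not apply here.
        if (($r.PropagationFlags -band $InhOnly) -eq $InhOnly) { continue }
        if ($r.IdentityReference.Value -eq $AdminSid -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.FileSystemRights -band $Full) -eq $Full) {
            return 'AdminFullControl'
        }
    }
    return 'NoAdminAce'
}

# Check each user folder and the redirected folders one level below it.
$report = foreach ($userDir in Get-ChildItem -LiteralPath $Root -Directory -ErrorAction SilentlyContinue) {
    $targets  = @($userDir.FullName)
    $targets += @(Get-ChildItem -LiteralPath $userDir.FullName -Directory -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty FullName)
    foreach ($t in $targets) {
        [pscustomobject]@{ Path = $t; Status = Test-AdminFullControl -Path $t }
    }
}

# List only the folders that still need attention.
$report | Where-Object Status -ne 'AdminFullControl' |
    Sort-Object Path | Format-Table -AutoSize
```

The script only reads ACLs and changes nothing; folders reported as `AclUnreadable` or `NoAdminAce` are the ones created before the policy change.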
 
LVL 1

Expert Comment

by:Christopher Milligan
ID: 41740917
Hi,

Had something very similar myself when I first deployed Citrix. Yes, you can take ownership, but we found this caused headaches further down the line when users tried to make changes etc.

The way I have got around it is that I have a folder called RDS and inside that I have my Userhome and RDProfiles.  I set RD Admins to have Full Control on Userhome and RDProfiles then on the share I use the default share such that admins were the owner, then used the Advanced Sharing options to let RD Users have Full Control.  SYSTEM should have full control on the folders as default when you create them.

I found this allowed my RD Admins to always have Full Admin rights on any sub folders that were created.

Hope this helps.

Many Thanks

Christopher
Advanced-Sharing-Permissions.JPG
Default-Share.JPG
0
 

Author Comment

by:nav2567
ID: 41740974
Thanks, Cliff.  Thanks, CMIL.

Cliff, our environment requires administrators to be able to access the user profiles to work on things, including user profiles being created by redirection.

I do not see the button to enable that in GP.  Would you advise where?
0
 

Author Comment

by:nav2567
ID: 41741249
Chris, would you elaborate on your trick?  So you have the redirect pointing to the \\server\rds share or \\server\rds\rdprofiles?  How did you set up RD Admins permission in share of userhome and rdprofile SHARE and SECURITY?

Cliff, I do not think we want to uncheck "Grant the user exclusive rights to ....." as doing this will give everyone read access to everyone's profile content.

Thanks.
0
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 1600 total points
ID: 41741510
"Cliff, I do not think we want to uncheck "Grant the user exclusive rights to ....."

Yes, that's what you want to uncheck. And no, it doesn't grant everyone read access.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41741518
0
 
LVL 1

Assisted Solution

by:Christopher Milligan
Christopher Milligan earned 400 total points
ID: 41741886
Hi,

My folder structure is RDS and then two sub folders called TSProfiles and Userhome.  Both these sub folders are shared out using hidden shares (pop a $ at the end of a share name) and the securities are as per my attached screenshots from my last post.  Inside my group policy I set the computer policy to point Roaming User Profile to \\servername\tsprofiles$ and the User Home Directory to \\servername\userhome$.

The actual securities on both these folders are the same and are:

CREATOR - Full Control - Subfolder and Files Only
Administrators - Full Control - This folder, subfolders and files
SYSTEM - Full Control - This folder, subfolders and files
CTX Users - Special - This folder, subfolders and files (CTX Users is my usergroup from Remote Desktop Users)

The special settings are attached in the screenshot called "User Permissions".

Many Thanks

Christopher
User-Permissions.JPG
0
 

Author Comment

by:nav2567
ID: 41742615
I am using Cliff's approach.

Thanks, everyone.
0
