Solved

administrator not able to access redirection-created subfolders.

Posted on 2016-08-03
8
70 Views
Last Modified: 2016-08-04
We have a Windows 2012 RDS collection with 1 connection broker, 2 hosts, 1 file server that holds the roaming profiles.

We have a group policy that redirect users' DESKTOP, DOCUMENTS, FAVORITES, DOWNLOADS to a network share (\\fileserver\userdata).

The redirections work.  I see the \\fileserver\usersdata contains the user profiles and within each profiles, the DESKTOP, DOCUMENTS, FAV, DOWNLOADS folders are created.  

The issue comes when I login as an administrator to the file server, when I try to access for example the DESKTOP folder within a user folder, I am getting access is denied.  After checking, I have realize only SYSTEM and the users themself have access.

I as an admin can probably take ownership of all the user profiles but I am wondering if this a normal file access security behavior for the subfolders being created by redirection?  

Please advise if there is a configuration I have missed.  

Thanks,
0
Comment
Question by:nav2567
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41740886
Yes, that is normal behavior. The group policy even has a checkbox to override that behavior, although I wouldn't unless you really have a reason to. Also note that changing the group policy to allow admin access will *only* impact new folders created moving forward. Folders already created will still be accessible only by the owner.
0
 
LVL 1

Expert Comment

by:cmil
ID: 41740917
Hi,

had something very similar myself when I first deployed Citrix, yes you can take ownership but we found this caused headaches further down the line when users tried to make changes etc.

The way I have got around it is that I have a folder called RDS and inside that I have my Userhome and RDProfiles.  I set RD Admins to have Full Control on Userhome and RDProfiles then on the share I use the default share such that admins were the owner, then used the Advanced Sharing options to let RD Users have Full Control.  SYSTEM should have full control on the folders as default when you create them.

I found this allowed my RD Admins to always have Full Admin rights on any sub folders that were created.

Hope this helps.

Many Thanks

Christopher
Advanced-Sharing-Permissions.JPG
Default-Share.JPG
0
 

Author Comment

by:nav2567
ID: 41740974
Thanks, Cliff.  Thanks, CMIL.

Cliff, our environment requires administrators to be able to access the user profiles to work on things includes user profiles being created by redirection.  

I do not see the button to enable that in GP.  Would you advise where?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:nav2567
ID: 41741249
Chris, would you elaborate your trick?  So you have redirect to point to the \\server\rds share or \\server\rds\rdprofiles?  How did you setup RD Admins permission in share of userhome and rdprofile SHARE and SECURITY?  

Cliff, I do not think we want to uncheck "Grant the user exclusive rights to ....." as doing this will give everyone read access to everyone profile content.  

Thanks.
0
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 400 total points
ID: 41741510
"Cliff, I do not think we want to uncheck "Grant the user exclusive rights to ....."

Yes, that's what you want to uncheck. And no, it doesn't grant everyone read access.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41741518
0
 
LVL 1

Assisted Solution

by:cmil
cmil earned 100 total points
ID: 41741886
Hi,

My folder structure is RDS and then two sub folders called TSProfiles and Userhome.  Both these sub folders are shared out using hidden shares (pop a $ at the end of a share name) and the securities are as per my attached screenshots from my last post.  Inside my group policy I set the computer policy to point Roaming User Profile to \\servername\tsprofiles$ and the User Home Directory to \\servername\userhome$.

The actual securities on both these folders are the same and are:

CREATOR - Full Control - Subfolder and Files Only
Administrators - Full Control - This folder, subfolders and files
SYSTEM - Full Control - This folder, subfolders and files
CTX Users - Special- This folder, subfolders and files (CTX Users is my usergroup from Remote Desktop Users)

The special settings are attached in the screenshot called "User Permissions".

Many Thanks

Christopher
User-Permissions.JPG
0
 

Author Comment

by:nav2567
ID: 41742615
I am using Cliff's approach.

Thanks, everyone.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows Active Directory Upgrade from 2008 to 2012 21 53
Folder Redirection GPO 8 50
Citrix Xenapp 7.12 Installation 6 17
Problem to Citrix 2 8
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question