Solved

administrator not able to access redirection-created subfolders.

Posted on 2016-08-03
8
73 Views
Last Modified: 2016-08-04
We have a Windows 2012 RDS collection with 1 connection broker, 2 hosts, 1 file server that holds the roaming profiles.

We have a group policy that redirect users' DESKTOP, DOCUMENTS, FAVORITES, DOWNLOADS to a network share (\\fileserver\userdata).

The redirections work.  I see the \\fileserver\usersdata contains the user profiles and within each profiles, the DESKTOP, DOCUMENTS, FAV, DOWNLOADS folders are created.  

The issue comes when I login as an administrator to the file server, when I try to access for example the DESKTOP folder within a user folder, I am getting access is denied.  After checking, I have realize only SYSTEM and the users themself have access.

I as an admin can probably take ownership of all the user profiles but I am wondering if this a normal file access security behavior for the subfolders being created by redirection?  

Please advise if there is a configuration I have missed.  

Thanks,
0
Comment
Question by:nav2567
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41740886
Yes, that is normal behavior. The group policy even has a checkbox to override that behavior, although I wouldn't unless you really have a reason to. Also note that changing the group policy to allow admin access will *only* impact new folders created moving forward. Folders already created will still be accessible only by the owner.
0
 
LVL 1

Expert Comment

by:cmil
ID: 41740917
Hi,

had something very similar myself when I first deployed Citrix, yes you can take ownership but we found this caused headaches further down the line when users tried to make changes etc.

The way I have got around it is that I have a folder called RDS and inside that I have my Userhome and RDProfiles.  I set RD Admins to have Full Control on Userhome and RDProfiles then on the share I use the default share such that admins were the owner, then used the Advanced Sharing options to let RD Users have Full Control.  SYSTEM should have full control on the folders as default when you create them.

I found this allowed my RD Admins to always have Full Admin rights on any sub folders that were created.

Hope this helps.

Many Thanks

Christopher
Advanced-Sharing-Permissions.JPG
Default-Share.JPG
0
 

Author Comment

by:nav2567
ID: 41740974
Thanks, Cliff.  Thanks, CMIL.

Cliff, our environment requires administrators to be able to access the user profiles to work on things includes user profiles being created by redirection.  

I do not see the button to enable that in GP.  Would you advise where?
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 

Author Comment

by:nav2567
ID: 41741249
Chris, would you elaborate your trick?  So you have redirect to point to the \\server\rds share or \\server\rds\rdprofiles?  How did you setup RD Admins permission in share of userhome and rdprofile SHARE and SECURITY?  

Cliff, I do not think we want to uncheck "Grant the user exclusive rights to ....." as doing this will give everyone read access to everyone profile content.  

Thanks.
0
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 400 total points
ID: 41741510
"Cliff, I do not think we want to uncheck "Grant the user exclusive rights to ....."

Yes, that's what you want to uncheck. And no, it doesn't grant everyone read access.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41741518
0
 
LVL 1

Assisted Solution

by:cmil
cmil earned 100 total points
ID: 41741886
Hi,

My folder structure is RDS and then two sub folders called TSProfiles and Userhome.  Both these sub folders are shared out using hidden shares (pop a $ at the end of a share name) and the securities are as per my attached screenshots from my last post.  Inside my group policy I set the computer policy to point Roaming User Profile to \\servername\tsprofiles$ and the User Home Directory to \\servername\userhome$.

The actual securities on both these folders are the same and are:

CREATOR - Full Control - Subfolder and Files Only
Administrators - Full Control - This folder, subfolders and files
SYSTEM - Full Control - This folder, subfolders and files
CTX Users - Special- This folder, subfolders and files (CTX Users is my usergroup from Remote Desktop Users)

The special settings are attached in the screenshot called "User Permissions".

Many Thanks

Christopher
User-Permissions.JPG
0
 

Author Comment

by:nav2567
ID: 41742615
I am using Cliff's approach.

Thanks, everyone.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question