administrator not able to access redirection-created subfolders.

We have a Windows 2012 RDS collection with 1 connection broker, 2 hosts, 1 file server that holds the roaming profiles.

We have a group policy that redirect users' DESKTOP, DOCUMENTS, FAVORITES, DOWNLOADS to a network share (\\fileserver\userdata).

The redirections work.  I see the \\fileserver\usersdata contains the user profiles and within each profiles, the DESKTOP, DOCUMENTS, FAV, DOWNLOADS folders are created.  

The issue comes when I login as an administrator to the file server, when I try to access for example the DESKTOP folder within a user folder, I am getting access is denied.  After checking, I have realize only SYSTEM and the users themself have access.

I as an admin can probably take ownership of all the user profiles but I am wondering if this a normal file access security behavior for the subfolders being created by redirection?  

Please advise if there is a configuration I have missed.  

Thanks,
nav2567Asked:
Who is Participating?
 
Cliff GaliherConnect With a Mentor Commented:
"Cliff, I do not think we want to uncheck "Grant the user exclusive rights to ....."

Yes, that's what you want to uncheck. And no, it doesn't grant everyone read access.
0
 
Cliff GaliherCommented:
Yes, that is normal behavior. The group policy even has a checkbox to override that behavior, although I wouldn't unless you really have a reason to. Also note that changing the group policy to allow admin access will *only* impact new folders created moving forward. Folders already created will still be accessible only by the owner.
0
 
Christopher MilliganIT ManagerCommented:
Hi,

had something very similar myself when I first deployed Citrix, yes you can take ownership but we found this caused headaches further down the line when users tried to make changes etc.

The way I have got around it is that I have a folder called RDS and inside that I have my Userhome and RDProfiles.  I set RD Admins to have Full Control on Userhome and RDProfiles then on the share I use the default share such that admins were the owner, then used the Advanced Sharing options to let RD Users have Full Control.  SYSTEM should have full control on the folders as default when you create them.

I found this allowed my RD Admins to always have Full Admin rights on any sub folders that were created.

Hope this helps.

Many Thanks

Christopher
Advanced-Sharing-Permissions.JPG
Default-Share.JPG
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
nav2567Author Commented:
Thanks, Cliff.  Thanks, CMIL.

Cliff, our environment requires administrators to be able to access the user profiles to work on things includes user profiles being created by redirection.  

I do not see the button to enable that in GP.  Would you advise where?
0
 
nav2567Author Commented:
Chris, would you elaborate your trick?  So you have redirect to point to the \\server\rds share or \\server\rds\rdprofiles?  How did you setup RD Admins permission in share of userhome and rdprofile SHARE and SECURITY?  

Cliff, I do not think we want to uncheck "Grant the user exclusive rights to ....." as doing this will give everyone read access to everyone profile content.  

Thanks.
0
 
Cliff GaliherCommented:
0
 
Christopher MilliganConnect With a Mentor IT ManagerCommented:
Hi,

My folder structure is RDS and then two sub folders called TSProfiles and Userhome.  Both these sub folders are shared out using hidden shares (pop a $ at the end of a share name) and the securities are as per my attached screenshots from my last post.  Inside my group policy I set the computer policy to point Roaming User Profile to \\servername\tsprofiles$ and the User Home Directory to \\servername\userhome$.

The actual securities on both these folders are the same and are:

CREATOR - Full Control - Subfolder and Files Only
Administrators - Full Control - This folder, subfolders and files
SYSTEM - Full Control - This folder, subfolders and files
CTX Users - Special- This folder, subfolders and files (CTX Users is my usergroup from Remote Desktop Users)

The special settings are attached in the screenshot called "User Permissions".

Many Thanks

Christopher
User-Permissions.JPG
0
 
nav2567Author Commented:
I am using Cliff's approach.

Thanks, everyone.
0
All Courses

From novice to tech pro — start learning today.