Solved

roaming profile security permission issue.

Posted on 2016-08-27
9
94 Views
Last Modified: 2016-09-10
We have a Windows 2012 RDS environment.  We redirect the user appdata and desktop to a centralized network share.  

A new user login to one of a RDS server, his new profile is created in the network share.  When I inspect folder permission of his profile in the network share, I do not see he has access at all.  Only administrator group.  

The local administrator group of that RDS server contains the domain admins group.  The local USERS group of the server contains the domain user group.

Under the security permission of the network share, I only grant the local USERS group to read only to "This Folder Only". This is because I do not want everybody to have access to everybody's profile.

Please advise if you know how to fix this or a better way to handle.  

Thanks a lot.
0
Comment
Question by:nav2567
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 41773369
redirected folder permissions
c:\share\user$
Allow System Full control this folder,subfolders and files
Allow Administrators Full control this folder only
CREATOR OWNER Full control subfolders and files only
Redirected Users Group This Folder ONLY
0
 

Author Comment

by:nav2567
ID: 41773384
Thanks.

In my setup, any idea of why a new user's security permission of his profile was not added when that profile was created
0
 
LVL 25

Expert Comment

by:Sekar Chinnakannu
ID: 41773396
Also you can try to use profile management to configure the redirection, for more details http://www.carlstalhood.com/citrix-profile-management/
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:nav2567
ID: 41773487
Thanks.

If I configured NTFS and security permission that way ( tried that before), as mentioned, everyone will be able to read everyone's profile which is not want we want.  

My share permission settings are same as what is in the article.  In NTFS security permission setting, I only have granted the local USERS group (which contains the RDS users) to read-only to "This Folder Only". This is because I do not want everybody to have access to everybody's profile.

When a new profile is created, I expected to see the user's is granted Change right in NTFS permission.
0
 
LVL 25

Expert Comment

by:Coralon
ID: 41773862
David Johnson's answer is 100% correct.  If you do it that way, then users will not be able to see the contents of other user's profiles.  Be sure you only use the permissions that David specified.  

Personally, I tend to just use Authenticated Users instead of a specific user group.

System:F
Administrators: F (you can make it This Folder Only if you want.. I tend to leave it at full control -- (needed to make it easier to delete the profiles as needed).
Authenticated Users:R, Add Folder/Append Data - This Folder Only
Creator Owner:F - Subfolders and files only

Coralon
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 41773919
not all of my users have roaming profiles. i.e. administrative and service accounts.
0
 

Author Comment

by:nav2567
ID: 41774176
Thanks.  

If you dont mind, would you specify again on what exactly I need to add inside the below tags

1. Sharing>Advanced Sharing
2. Security (NTFS)

I currently have authentic users (f), system (f), domain admins (f) in 1 and I have system (f), administrators (f), creator owner (f), users (r - this folder only) in 2.
0
 
LVL 81

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 41774344
in the sharing you can have everyone read/write
NTFS Security
Allow System Full control this folder,subfolders and files
Allow Administrators Full control this folder only
CREATOR OWNER Full control subfolders and files only
Redirected Users Group This Folder ONLY
You might want to enable ABE (Access Based Enumeration)
0
 
LVL 17

Expert Comment

by:Spike99
ID: 41774925
Have you checked share permissions?

In general, when restricting access using NTFS permissions, I would give the EVERYONE group FULL access in Share Permissions (which that Citrix article doesn't mention).

As this TechNet Article says:
If you want to manage folder access by using NTFS permissions exclusively, set share permissions to Full Control for the Everyone group.

https://technet.microsoft.com/en-us/library/cc754178(v=ws.11).aspx
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Citrix XenDesktop 7.6 Citrix Policies Audio
The reason that corporations and businesses use Windows servers is because it supports custom modifications to adapt to the business and what it needs. Most individual users won’t need such powerful options. Here I’ll explain how you can enable Wind…
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question