System not assigning permissions properly on redirected My Documents

 
 
PEter J. Dickason, MCSE
Guest
Posts: n/a

 
      06-05-2009
Here's the problem.

We have a GPO on a Citrix/Terminal server which assigns the folder
redirection policy for My Documents. Documentation says it is recommended
to leave the system to assign the permissions but it is not. I have
followed the technet document
http://technet.microsoft.com/en-us/l...16(WS.10).aspx to configure
the permissions. If I create the folder manually and give the user full
control, it is happy. I just don't want to have to create a folder for
every user when I shouldn't have to. On the file share where I want the
redirected My Documents I configure

Creator Owner
Full Control, Subfolders and Files Only

My user group
List Folder/Read Data, Create Folders/Append Data - This Folder Only

Local System
Full Control, This Folder, Subfolders and Files

The only way that I can get it to work is if I assign my user group modify
permissions on This Folder, Subfolders and Files. Obviously this is
unacceptable.

My GPO is configured for Advanced folder redirection because I have multiple
groups.

I select the option to Create a folder for each user under the root path. I
also uncheck Grant the user exclusive rights to My Documents and I check
Move the contents...

Any ideas?

Thanks
Pete


 
 
 
 
 
Ace Fekay [Microsoft Certified Trainer]
Guest
Posts: n/a

 
      06-07-2009
"PEter J. Dickason, MCSE" <>
wrote in message news:eNq$...
> Here's the problem.
>
> We have a GPO on a Citrix/Terminal server which assigns the folder
> redirection policy for My Documents. Documentation says it is recommended
> to leave the system to assign the permissions but it is not. I have
> followed the technet document
> http://technet.microsoft.com/en-us/l...16(WS.10).aspx to
> configure the permissions. If I create the folder manually and give the
> user full control, it is happy. I just don't want to have to create a
> folder for every user when I shouldn't have to. On the file share where
> I want the redirected My Documents I configure
>
> Creator Owner
> Full Control, Subfolders and Files Only
>
> My user group
> List Folder/Read Data, Create Folders/Append Data - This Folder Only
>
> Local System
> Full Control, This Folder, Subfolders and Files
>
> The only way that I can get it to work is if I assign my user group modify
> permissions on This Folder, Subfolders and Files. Obviously this is
> unacceptable.
>
> My GPO is configured for Advanced folder redirection because I have
> multiple groups.
>
> I select the option to Create a folder for each user under the root path.
> I also uncheck Grant the user exclusive rights to My Documents and I check
> Move the contents...
>
> Any ideas?
>
> Thanks
> Pete
>



The user account requires Full Control to their home folder for both of the
Share and NTFS permissions for it to work. The article you posted states
that as well in the permissions matrix table. IIRC, the MOC (Microsoft
Official Curriculum) courseware states the same thing.

From the article (keep in mind Share and NTFS permissions are combined and
enumerated giving the Most Restrictive permissions, therefore both Share and
NTFS need to be FC):

Share permissions:
Security group of users that need to put data on share - Full Control

NTFS permissions:
%Username% - Full Control, Owner of Folder

Here are additional articles to review:

Folder Redirection: Group Policy
http://technet.microsoft.com/en-us/l...07(WS.10).aspx

Security Considerations when Configuring Folder Redirection
http://technet.microsoft.com/en-us/l...53(WS.10).aspx

How To Configure Folder Redirection, Aug 22, 2007
http://www.msterminalservices.org/ar...direction.html

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer


For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay




 
 
PEter J. Dickason, MCSE
Guest
Posts: n/a

 
      06-08-2009
Thanks for the reply.

I am familiar with Group Policy and folder redirection and that the user
requires full control of his redirected folder. The problem is the system
is not giving him full control when the system creates the folder if the
folder does not already exist. Document
http://support.microsoft.com/kb/274443/ gives the share and NTFS permissions
required which is what I have configured. This is the same information that
Patrick Rouse in your link provides. Every document I look at says the
system will create the user folder with the proper permissions but in our
environment it only creates the folder but assigns no permissions. I have
to go back in and take ownership to assign the proper permissions. As a
workaround I have been manually creating the user folder before the user
logs on, and give the user full control but this does not give ownership and
it is too cumbersome to walk each and every user through how to take
ownership so you see why I want the system to autocreate the folder and
permissions. I just don't understand why with everything in place, this is
not happening.

Pete


 
 
Ace Fekay [Microsoft Certified Trainer]
Guest
Posts: n/a

 
      06-08-2009
"PEter J. Dickason, MCSE" <>
wrote in message news:%...
> Thanks for the reply.
>
> I am familiar with Group Policy and folder redirection and that the user
> requires full control of his redirected folder. The problem is the
> system is not giving him full control when the system creates the folder
> if the folder does not already exist. Document
> http://support.microsoft.com/kb/274443/ gives the share and NTFS
> permissions required which is what I have configured. This is the same
> information that Patrick Rouse in your link provides. Every document I
> look at says the system will create the user folder with the proper
> permissions but in our environment it only creates the folder but
> assigns no permissions. I have to go back in and take ownership to assign
> the proper permissions. As a workaround I have been manually creating
> the user folder before the user logs on, and give the user full control
> but this does not give ownership and it is too cumbersome to walk each and
> every user through how to take ownership so you see why I want the system
> to autocreate the folder and permissions. I just don't understand why
> with everything in place, this is not happening.
>
> Pete


Pete, are you referring to when you create the user account in AD, and then
you supplied the home path under the Profile tab? If you use the %username%
variable, the system will create the folder, name it based on the user's
logon name giving the user account FC. Is that what you mean? If not, what
tool did you use to create it?


Ace


 
 
PEter J. Dickason, MCSE
Guest
Posts: n/a

 
      06-08-2009
No, they don't assign home directories at the user level here. That's left
up to me since it's my TS/Citrix servers that require it. My understanding
of the folder redirection rule is that it would AND it SHOULD be the one to
create the folders.
http://technet.microsoft.com/en-us/l.../cc785925.aspx In my GPO I
select the target location of "Create a folder for each user under the root
path". As I mentioned before, I had to uncheck "Grant exclusive rights to" in
the GPO since I have been forced to manually create these user folders up to
this point. I'm wondering if that is causing my grief in that it's all or
nothing. With that box checked, the system must create all home folders,
with it unchecked then I must create all folders. I cannot check it now
since I have so many folders created manually...over a thousand. We're
going to be adding thousands more so you can see why I really want this to
be an automated process.

thanks
Pete


 
 
Ace Fekay [Microsoft Certified Trainer]
Guest
Posts: n/a

 
      06-09-2009
"PEter J. Dickason, MCSE" <>
wrote in message news:eZGV%...
> No, they don't assign home directories at the user level here. That's left
> up to me since it's my TS/Citrix servers that require it. My
> understanding of the folder redirection rule is that it would AND it
> SHOULD be the one to create the folders.
> http://technet.microsoft.com/en-us/l.../cc785925.aspx In my GPO I
> select the target location of "Create a folder for each user under the
> root path". As I mentioned before, I had to uncheck "Grant exclusive rights
> to" in the GPO since I have been forced to manually create these user
> folders up to this point. I'm wondering if that is causing my grief in
> that it's all or nothing. With that box checked, the system must create
> all home folders, with it unchecked then I must create all folders. I
> cannot check it now since I have so many folders created manually...over a
> thousand. We're going to be adding thousands more so you can see why I
> really want this to be an automated process.
>
> thanks
> Pete


Oh, I see. Strictly on the TS/Citrix side. Darn, you do have an interesting
dilemma.

Can you create a test OU, copy the GPO to create a new GPO from the existing
one, then make the changes to it, and link it to the test OU, and create a
test account, and see what happens? Then take your own account (you will be
the guinea pig), move it to the test OU, and see what happens! Or if you
don't want to use your account (I actually wouldn't!!), create another test
account, put it where you have your other users, manually create or do what
you normally do, then move it to the test OU to see what effect it has on
the test account's home folder.

Just a suggestion....

Ace



 
 
PEter J. Dickason, MCSE
Guest
Posts: n/a

 
      06-09-2009
Ok, I've proven it does work if I leave the system to create all folders.
Unfortunately I won't be able to utilize this since as the setting says,
only the user has permissions to his folder so it would be the user's
responsibility to move all of his stuff back after I move it out for the
system to recreate all the current users' folders. Probably could script it
but that's too much risk. Oh well. At least I can stop beating my head
against the wall. Thanks again for the help.

Pete
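
A read-only audit of the state discussed in this thread, as an added example that is not part of any post: it flags user-group entries on the redirection root that go beyond List Folder/Read Data and Create Folders/Append Data on "This Folder Only", and lists per-user folders where the user is not the owner or lacks Full Control. `$Root`, `$Domain`, `$UserGroup` and the convention that each first-level folder is named after the logon name are assumptions.

```powershell
# Added example (not from the thread). Placeholder values below are assumptions.
param(
    [string]$Root      = '\\fileserver\Redirected',  # hypothetical redirection root
    [string]$Domain    = 'EXAMPLE',                  # hypothetical NetBIOS domain name
    [string]$UserGroup = 'EXAMPLE\TS-Users'          # hypothetical user group on the root
)

# Rights the thread lists for the user group on the root ("This Folder Only").
# Synchronize is tolerated: Allow entries set in the ACL editor normally carry it.
$allowed = [int][System.Security.AccessControl.FileSystemRights]'ReadData, AppendData, Synchronize'
$full    = [int][System.Security.AccessControl.FileSystemRights]::FullControl

# 1. Root: flag group entries that carry extra rights or inherit to children.
$rootFindings = (Get-Acl -LiteralPath $Root).Access |
    Where-Object { $_.IdentityReference.Value -eq $UserGroup -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $extra = [int]$_.FileSystemRights -band (-bnot $allowed)
        if ($extra -ne 0 -or $_.InheritanceFlags -ne 'None') {
            [pscustomobject]@{
                Identity    = $_.IdentityReference.Value
                Rights      = $_.FileSystemRights
                Inheritance = $_.InheritanceFlags
            }
        }
    }

# 2. Per-user folders: assumes each first-level folder is named after the logon name.
$folderFindings = Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $acl  = Get-Acl -LiteralPath $_.FullName
    $user = "$Domain\$($_.Name)"
    $hasFull = [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $user -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $full) -eq $full
    })
    if ($acl.Owner -ne $user -or -not $hasFull) {
        [pscustomobject]@{
            Folder = $_.FullName; Owner = $acl.Owner; UserHasFullControl = $hasFull
        }
    }
}

'Root entries broader than intended:'; $rootFindings | Format-Table -AutoSize
'User folders with wrong owner or missing Full Control:'; $folderFindings | Format-Table -AutoSize
```

The script only reads ACLs, so it can be run before and after a change to the GPO's "Grant the user exclusive rights" setting to compare what the system actually applied.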


 