System not assigning permissions properly on redirected My Documents

Discussion in 'Server Security' started by PEter J. Dickason, MCSE, Jun 5, 2009.

  1. Here's the problem.

    We have a GPO on a Citrix/Terminal server which assigns the folder
    redirection policy for My Documents. Documentation says it is recommended
    to leave the system to assign the permissions but it is not. I have
    followed the technet document
    http://technet.microsoft.com/en-us/library/cc736916(WS.10).aspx to configure
    the permissions. If I create the folder manually and give the user full
    control, it is happy. I just don't want to have to create a folder for
    every user when I shouldn't have to. On the file share where I want the
    redirected My Documents I configure

    Creator Owner
    Full Control, Subfolders and Files Only

    My user group
    List Folder/Read Data, Create Folders/Append Data - This Folder Only

    Local System
    Full Control, This Folder, Subfolders and Files

    The only way that I can get it to work is if I assign my user group modify
    permissions on This Folder, Subfolders and Files. Obviously this is
    unacceptable.

    My GPO is configured for Advanced folder redirection because I have multiple
    groups.

    I select the option to Create a folder for each user under the root path. I
    also uncheck Grant the user exclusive rights to My Documents and I check
    Move the contents...

    Any ideas?

    Thanks
    Pete
     
    PEter J. Dickason, MCSE, Jun 5, 2009
    #1


  2. The user account requires Full Control to their home folder for both of the
    Share and NTFS permissions for it to work. The article you posted states
    that as well in the permissions matrix table. IIRC, the MOC (Microsoft
    Official Curriculum) courseware states the same thing.

    From the article (keep in mind Share and NTFS permissions are combined and
    enumerated giving the Most Restrictive permissions, therefore both Share and
    NTFS need to be FC):

    Share permissions:
    Security group of users that need to put data on share - Full Control

    NTFS permissions:
    %Username% - Full Control, Owner of Folder

    Here are additional articles to review:

    Folder Redirection: Group Policy
    http://technet.microsoft.com/en-us/library/cc781907(WS.10).aspx

    Security Considerations when Configuring Folder Redirection
    http://technet.microsoft.com/en-us/library/cc775853(WS.10).aspx

    How To Configure Folder Redirection, Aug 22, 2007
    www.msterminalservices.org/articles/Configure-Folder-Redirection.html

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    "Efficiency is doing things right; effectiveness is doing the right
    things." - Peter F. Drucker
    http://twitter.com/acefekay
     
    Ace Fekay [Microsoft Certified Trainer], Jun 7, 2009
    #2

  3. Thanks for the reply.

    I am familiar with Group Policy and folder redirection and that the user
    requires full control of his redirected folder. The problem is the system
    is not giving him full control when the system creates the folder if the
    folder does not already exist. Document
    http://support.microsoft.com/kb/274443/ gives the share and NTFS permissions
    required which is what I have configured. This is the same information that
    Patrick Rouse in your link provides. Every document I look at says the
    system will create the user folder with the proper permissions but in our
    environment it only creates the folder but assigns no permissions. I have
    to go back in and take ownership to assign the proper permissions. As a
    work around I have been manually creating the user folder before the user
    logs on, giving the user full control, but this does not give ownership and
    it is too cumbersome to walk each and every user through how to take
    ownership so you see why I want the system to autocreate the folder and
    permissions. I just don't understand why with everything in place, this is
    not happening.

    Pete
     
    PEter J. Dickason, MCSE, Jun 8, 2009
    #3
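    The following PowerShell script is an added example, not code from this thread or from Microsoft: it applies the redirection-root permissions listed in post #1 and then pre-creates one user's folder with that user set as owner, which is the part of the manual workaround in post #3 that "take ownership" had to cover. It assumes placeholder values for the root path, the group and the user, and must run elevated on the file server because assigning another account as owner requires SeRestorePrivilege.

```powershell
# Added example (not from the thread). Root path, group and user are assumed placeholders.
param(
    [string]$Root  = 'D:\RedirectedDocs',   # assumed share root for redirected My Documents
    [string]$Group = 'CONTOSO\TS-Users',    # assumed user group named in the GPO
    [string]$User  = 'CONTOSO\jdoe'         # assumed user whose folder is pre-created
)

# Helper: build one Allow ACE; strings are converted to the matching enum values.
function New-Ace([string]$Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

function Set-RedirectionRootAcl([string]$Path, [string]$Group) {
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)     # stop inheriting from the parent folder
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { $acl.RemoveAccessRuleAll($_) }   # start from an empty DACL
    # CREATOR OWNER - Full Control, Subfolders and Files Only (inherit-only ACE)
    $acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
    # user group - List Folder/Read Data, Create Folders/Append Data, This Folder Only
    $acl.AddAccessRule((New-Ace $Group 'ListDirectory, CreateDirectories' 'None' 'None'))
    # SYSTEM - Full Control, This Folder, Subfolders and Files
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function New-RedirectedUserFolder([string]$Root, [string]$User) {
    $path = Join-Path $Root (($User -split '\\')[-1])   # folder named after the logon name
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
    $acl = Get-Acl -LiteralPath $path
    $acl.SetOwner([System.Security.Principal.NTAccount]$User)   # ownership, not just Full Control
    $acl.AddAccessRule((New-Ace $User 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    Set-Acl -LiteralPath $path -AclObject $acl
    # return the resulting entries so they can be checked against the matrix in post #1
    (Get-Acl -LiteralPath $path).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

Set-RedirectionRootAcl -Path $Root -Group $Group
New-RedirectedUserFolder -Root $Root -User $User
```

Because CREATOR OWNER on the root is inherit-only, an administrator who pre-creates a folder becomes its owner, which is why the script sets the owner explicitly instead of relying on inheritance.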
  4. Pete, are you referring to when you create the user account in AD, and then
    you supplied the home path under the Profile tab? If you use the %username%
    variable, the system will create the folder, name it based on the user's
    logon name giving the user account FC. Is that what you mean? If not, what
    tool did you use to create it?


    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 8, 2009
    #4
  5. No they don't assign home directories at the user level here. That's left
    up to me since it's my TS/Citrix servers that require it. My understanding
    of the folder redirection rule is that it would AND it SHOULD be the one to
    create the folders.
    http://technet.microsoft.com/en-us/library/cc785925.aspx In my GPO I
    select the target location of "Create a folder for each user under the root
    path". As I mention before, I had to uncheck "Grant exclusive rights to" in
    the GPO since I have been forced to manually create these user folders up to
    this point. I'm wondering if that is causing my grief in that it's all or
    nothing. With that box checked, the system must create all home folders,
    with it unchecked then I must create all folders. I cannot check it now
    since I have so many folders created manually...over a thousand. We're
    going to be adding thousands more so you can see why I really want this to
    be an automated process.

    thanks
    Pete
     
    PEter J. Dickason, MCSE, Jun 8, 2009
    #5
  6. Oh, I see. Strictly on the TS/Citrix side. Darn, you do have an interesting
    dilemma.

    Can you create a test OU, copy the GPO to create a new GPO from the existing
    one, then make the changes to it, and link it to the test OU, and create a
    test account, and see what happens? Then take your own account (you will be
    the guinea pig), move it to the test OU, and see what happens! Or if you
    don't want to use your account (I actually wouldn't!!), create another test
    account, put it where you have your other users, manually create or do what
    you normally do, then move it to the test OU to see what effect it has on
    the test account's home folder.

    Just a suggestion....

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 9, 2009
    #6
  7. Ok, I've proven it does work if I leave the system to create all folders.
    Unfortunately I won't be able to utilize this since as the setting says,
    only the user has permissions to his folder so it would be the user's
    responsibility to move all of his stuff back after I move it out for the
    system to recreate all the current users folders. Probably could script it
    but that's too much risk. Oh well. At least I can stop beating my head
    against the wall. Thanks again for the help.

    Pete
     
    PEter J. Dickason, MCSE, Jun 9, 2009
    #7