Automatic creation of user folders for home, roaming profile and redirected folders.

Hi, Rob here again. Periodically we’re asked "what is the best way to auto-create home, roaming profile, and folder redirection folders instead of administrators creating and configuring the NTFS permissions manually?" The techniques in this post require you to use the environment variable %USERNAME% in the user’s home folder attribute (and in the profile path) when you create the user account, so that Windows creates a per-user subfolder under a shared root folder.

We will also make use of the “$” symbol at the end of the share name, which hides the share from anyone who browses the file server for shares. Keep in mind that this is hiding only, not protection: anyone who knows or guesses the name can still connect, so the share and NTFS permissions described below are what actually control access.

Alright let’s get started.

Home directory:

The home folder is created automatically when you set the home folder attribute on the user account; Active Directory Users and Computers creates the folder using the credentials of the administrator running the console and grants the user Full Control on it. You can change the home folder for the user afterwards, but we are all about making the admin’s life easier.

Create the folder and enable sharing


As you can see, we created the share as HOME$, with a dollar sign ($) added to the end of the share name.

Next, we’ll configure the share permissions. Note that the default share permissions differ between Windows NT/Windows 2000 and Windows Server 2003: Windows 2000 gives the Everyone group Full Control, while Windows Server 2003 gives the Everyone group Read. Either way, replace the default with the following. The share permissions are deliberately broad; the NTFS permissions configured later are what restrict each user to their own folder.

Administrators: Full Control
System: Full Control
Authenticated Users: Full Control


If you expect or want users to be able to make their home directory available while they are not connected to the network (also known as Offline Files), make sure you turn on offline caching of the HOME$ share. You do this by:

1. Click Caching on Windows 2000, or Offline Settings on Windows Server 2003 or later; both are on the Sharing tab.
2. Click Only the files and programs that users specify will be available offline (Manual Caching for Documents on Windows 2000).
3. Then click OK.

NOTE: Configure the Offline Files setting deliberately even if you do not want users to work with files while they are not connected to the network. In that case, disable Offline Files explicitly by clicking Files or programs from the share will not be available offline rather than leaving the default in place.

Configuring NTFS Permissions

Now we need to configure the NTFS permissions, so we need to be on the “Security” tab of the folder we created earlier.

1. Turn off inheritance on the folder and copy the permissions. You do this by:

a. Click the Advanced button found on the Security tab.
b. Clear the Allow inheritable permissions from the parent to propagate to this object check box in the Advanced Security Settings dialog box.
c. Click Copy when prompted by the Security dialog box.

2. Click OK to return to the Security tab. Remove any other entries that were copied from the parent (BUILTIN\Users, for example) so that only the following remain:

Administrators: Full Control
System: Full Control
Creator Owner: Full Control
Authenticated Users: Read & Execute, List Folder Contents, Read

3. Change the Authenticated Users entry so that it applies to the root folder only and is not inherited into the users’ folders; otherwise every user could read every other user’s files. You do this by:

a. Click Advanced on the Security tab.
b. Click Authenticated Users, and then click Edit.
c. In the Permission Entry for HOME dialog box, change Apply onto to This folder only.
d. Click OK twice.

Leave the Creator Owner entry applying to Subfolders and files only; that entry is what gives whoever creates a folder or file under the root Full Control of it.

Here is a screen shot of this step (image not included in this copy).

We now have the permissions configured properly. Next, let’s create a user and specify the home folder location. This is done on the Profile tab of the user account in Active Directory Users and Computers: connect a drive letter to a path of the form \\<file server>\HOME$\%USERNAME%. The following screen shot shows an example of such a drive mapping.

Yep, the TOM folder got created without a problem.

When we look at the permissions of the TOM folder, we see that only Administrators, System, Tom, and Creator Owner have entries on the folder. Other users have no access at all, because the Authenticated Users entry on the root was scoped to This folder only and was not inherited.

Roaming Profile:
Configuring the roaming profile share follows the same procedure as the home folder share, with two differences. First, disable Offline Files on the profile share (Files or programs from the share will not be available offline) and always hide the share with a dollar sign ($). Second, the administrator does not create the profile folder; Windows creates it in the user’s own security context. Nothing exists on the share until the user has completed one successful logon and logoff, at which point Windows creates the profile directory and copies the profile up to the share.

Because it is the user’s session that creates the folder, the Authenticated Users entry on the root must carry Create Folders / Append Data in addition to Read & Execute, List Folder Contents, Read, still applied to This folder only. Creator Owner (Full Control, Subfolders and files only) then gives the user full rights to the folder it created, while the This folder only scope keeps users out of each other’s profiles. If you leave the root read-only for Authenticated Users, the client cannot create the folder, logs that it cannot find the roaming profile, and the user is given a temporary profile.

You configure the profile location on the Profile tab (or the Terminal Services Profile tab) of the user account within Active Directory Users and Computers. Type a UNC path, ending in %USERNAME%, to where Windows should create the user profile. The following screen shot gives an example of a user account configured with a profile path.

Folder Redirection:
For the most part the share and NTFS permissions are the same as the home folder configuration, with two changes. Authenticated Users is replaced with the Everyone group, which Windows requires in order to create the redirected folders automatically. And because the redirected folders are created by the user’s own session rather than by an administrator, Everyone also needs Create Folders / Append Data on the root folder (This folder only). These two KB articles provide more information:

291087 Event ID 101 and Event ID 1000 Messages May Be Displayed When Folder
http://support.microsoft.com/?id=291087
274443 How to dynamically create security-enhanced redirected folders by using
http://support.microsoft.com/?id=274443

Create the folder and enable sharing

So, we need to create a folder on a file server and enable it for sharing, again I would recommend that you hide the share using the dollar sign ($) at the end of the share name.


If you expect or want users to be able to make their redirected folders available while they are not connected to the network (Offline Files), make sure you turn on offline caching of the FldrRedir$ share. You do this by:

1. Click Caching on Windows 2000, or Offline Settings on Windows Server 2003 or later; both are on the Sharing tab.
2. Click Only the files and programs that users specify will be available offline (Manual Caching for Documents on Windows 2000).
3. Then click OK.

We will also need to set the following permissions for the share:

Administrators: Full Control
System: Full Control
Everyone: Full Control


Configuring NTFS Permissions

We need to configure NTFS permissions for the newly created folder. You’ll want to remove inheritance from this folder, as we did when configuring home folders.

1. Turn off inheritance on the folder and copy the permissions. You do this by:

a. Click the Advanced button found on the Security tab.
b. Clear the Allow inheritable permissions from the parent to propagate to this object check box in the Advanced Security Settings dialog box.
c. Click Copy when prompted by the Security dialog box.

2. Click OK to return to the Security tab. Remove any other entries that were copied from the parent (BUILTIN\Users, for example) so that only the following remain:

Administrators: Full Control
System: Full Control
Creator Owner: Full Control
Everyone: Read & Execute, List Folder Contents, Read

3. Now we need to change the Everyone entry so that it applies to the root folder only, and add the one right the user’s session needs in order to create its own folder there. This is done by doing the following:

a. Click Advanced on the Security tab.
b. Click Everyone, and then click Edit.
c. In the Permission Entry for FldrRedir dialog box, change Apply onto to This folder only.
d. In the same dialog box, also allow Create Folders / Append Data. Without it the client cannot create the user’s folder under the root; KB 274443 lists the same entry.
e. Click OK twice.

Here is a screen shot of this step (image not included in this copy).

4. Configuring Folder Redirection settings within Group Policy:

a. Use the Group Policy Management Console (GPMC) to edit the GPO that holds the Folder Redirection settings you want to modify. Configure each folder in the following table to use the Basic – Redirect everyone’s folder to the same location setting, and type the UNC path from the table into the Root Path setting for that folder.

Redirected Folder    UNC Path
Application Data     \\contoso-rt-mem1\FldrRedir$
Desktop              \\contoso-rt-mem1\FldrRedir$
My Documents         \\contoso-rt-mem1\FldrRedir$
Start Menu           \\contoso-rt-mem1\FldrRedir$

When Application Data is redirected this way, the policy editor shows you the full path that will be used. Although we did not put the user’s name in the Root Path, Windows appends the user name and the folder name itself, so the example shows the folder path as: \\contoso-rt-mem1\FldrRedir$\Clair\Application Data

b. By default, Grant the user exclusive rights to is selected on the Settings tab, and Windows creates each redirected folder with an ACL that grants only the user and System access; Administrators cannot enter it without taking ownership. If you require the ability to go into the users’ redirected folders, go to the Settings tab of each redirected folder and clear Grant the user exclusive rights to. Windows then leaves the new folder inheriting from the root, so Administrators get in through the inherited entry and the user gets Full Control through Creator Owner. Note that every other inheritable entry on the root is applied as well, which is why the Everyone entry must be scoped to This folder only.
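
All three roots above (home, roaming profile and folder redirection) can be built by script instead of clicked through. The following is an added example and not code from the original post; it targets Windows Server 2012 or later for the New-SmbShare cmdlet, and the paths, share names and group names it uses are assumptions.

```powershell
#Requires -Version 3.0
# Added example, not code from the original post. Builds one root (home,
# roaming profile or folder redirection) as a hidden share with the NTFS ACL
# described above, so per-user folders are created automatically and no admin
# has to touch ACLs per user. Assumes Windows Server 2012 or later for
# New-SmbShare (on 2003/2008 do the share step with net share). Paths,
# share names and group names below are example values.

function New-UserFolderRoot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,       # e.g. D:\HOME
        [Parameter(Mandatory = $true)] [string] $ShareName,  # e.g. HOME$ (the $ only hides it from browsing)
        [Parameter(Mandatory = $true)]
        [ValidateSet('Home', 'Profile', 'Redirect')] [string] $Kind,
        [switch] $AccessBasedEnumeration                     # optional; costs enumeration performance
    )

    # Folder Redirection needs Everyone on the root (KB 274443); home and
    # profile roots use Authenticated Users, as in the post.
    $rootGroup = if ($Kind -eq 'Redirect') { 'Everyone' } else { 'NT AUTHORITY\Authenticated Users' }

    # Rights the root group gets on "This folder only". ADUC creates home folders
    # with the admin's credentials, so Read & Execute is enough there; profile and
    # redirected folders are created by the user's own session, which therefore
    # also needs Create Folders / Append Data (FileSystemRights.CreateDirectories).
    $rootRights = 'ReadAndExecute'
    if ($Kind -ne 'Home') { $rootRights = 'ReadAndExecute, CreateDirectories' }

    function New-Ace([string] $Identity, [string] $Rights, [string] $Inherit, [string] $Propagate) {
        New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $Identity, $Rights, $Inherit, $Propagate, 'Allow'
    }

    $null = New-Item -ItemType Directory -Path $Path -Force

    # Break inheritance and drop whatever came down from the volume root
    # (BUILTIN\Users, for example); anything left here is inherited by every
    # user's folder that gets created below.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) { $null = $acl.RemoveAccessRule($old) }

    # Administrators and SYSTEM: Full Control, this folder, subfolders and files.
    $acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    # CREATOR OWNER: Full Control, subfolders and files only (InheritOnly). This is
    # the entry that gives each user full rights to the folder created for or by them.
    $acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
    # Root group: no inheritance flags = "This folder only", so users can reach the
    # root but get nothing inside one another's folders.
    $acl.AddAccessRule((New-Ace $rootGroup $rootRights 'None' 'None'))

    if ($PSCmdlet.ShouldProcess($Path, "Set NTFS ACL for $Kind root")) {
        Set-Acl -Path $Path -AclObject $acl
    }

    # The share ACL is deliberately broad (NTFS does the real restriction).
    # Offline Files: let users pin home and redirected files (Manual); never
    # cache a profile share (None).
    $caching = if ($Kind -eq 'Profile') { 'None' } else { 'Manual' }
    $enum    = if ($AccessBasedEnumeration) { 'AccessBased' } else { 'Unrestricted' }
    if ($PSCmdlet.ShouldProcess($ShareName, "Create hidden share for $Path")) {
        New-SmbShare -Name $ShareName -Path $Path `
            -FullAccess 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $rootGroup `
            -CachingMode $caching -FolderEnumerationMode $enum
    }
}

# Example invocations (assumed paths and share names); add -WhatIf to preview.
New-UserFolderRoot -Path 'D:\HOME'      -ShareName 'HOME$'      -Kind Home
New-UserFolderRoot -Path 'D:\Profiles'  -ShareName 'Profiles$'  -Kind Profile
New-UserFolderRoot -Path 'D:\FldrRedir' -ShareName 'FldrRedir$' -Kind Redirect
```

On Windows Server 2003 or 2008 the share step is done with net share instead, for example net share HOME$=D:\HOME /GRANT:Administrators,FULL /GRANT:SYSTEM,FULL /GRANT:"Authenticated Users",FULL /CACHE:Manual (use /CACHE:None for the profile share). Whichever way you build it, check the result with icacls D:\HOME: the root group entry must carry no (OI)(CI) flags, CREATOR OWNER must show (OI)(CI)(IO)(F), and after a user folder has been created, icacls on that folder must show no entry for Everyone or Authenticated Users.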

When you’re all done, you can kick back and enjoy the easy life of being an administrator. When you create the user and define the home path, the user’s home folder is created immediately. When Group Policy applies Folder Redirection, the redirected folders are created automatically. And the roaming profile folder is created when the user logs off for the first time.

This last part is for the former Novell admins out there. Yes, you could use Access-based Enumeration (ABE) on these new shares so that users only see the folders they have access to; however, if there are going to be a lot of user folders on any one of these shares you could experience degradation of performance, because the server has to evaluate the ACL of every folder on each directory listing. If you are still all hyped up to enable this feature, please read the available ABE whitepaper so that you make an informed decision. ABE is a convenience, not a control: the NTFS permissions above are what stop users from opening each other’s folders.

- Robert Greene


  • Hi Rob and thank you for this post. It's a nice summary for several different TechNet articles that I had to read through before -- every time I was building a new User Shares tree.

    I have one question though. Why would I ever want to explicitly configure a 'Home Folder'? As far as I can understand, that's considered to be a legacy feature which is still here for some compatibility or interoperability scenarios. (Just as network disks, which are totally obsolete since we have no restrictions using UNC paths and can even mount them to 'My Network Places' [XP] or 'My Computer' [Vista]).

    So if I'm working with a modern Windows-only environment, there's no need to create and specify 'Home Folders' for users. This entire functionality can be fully replaced by simply redirecting 'My Documents', which are better and more tightly integrated with Windows and Office. Correct?

  • The list is a little longer today because of not posting last week. Enjoy! Microsoft Advanced Windows

  • Hey Artem,

    This is actually a very good question, or in some circles I guess it could be called a debate.  

    Most of us here in Directory Services support would definitely agree with you. For most customers HOME directories should be a dead subject; the concept of user home directories has been replaced with folder redirection of My Documents (as well as other folders). However, some customers do not really want to redirect the My Documents folder for certain reasons (of course almost all the reasons I have heard are really not valid). Like they might not want to put all the users' data on the server because of disk space concerns, but want to have a location where users could store important files to be backed up. Here is another reason: maybe the customer is migrating from NetWare or some other operating system, and they are just not comfortable with Folder Redirection yet, and the user base already has the concept of home directories down. To make the migration less stressful for their users they might decide to keep the concept of 'you put your personal data on the "H" drive'.

    Moreover when you do decide to implement folder redirection we would strongly recommend that you implement the solution on a Domain-based DFS namespace. This way, if you decide to move or migrate the users folders to a new file server folder redirection will not break or cause a move of the data back to the users machine (based on the setting of the folder redirection GPO).

    The second thing that I want to make sure everyone understands, this blog is not saying to implement all the features, it is really just giving you all the different technologies where the users' personal folders could be created on the fly instead of manually by the administrator and how the administrator would go about setting up the functionality.

    Again, thanks for reading our blogs and giving us a chance to improve your experience with Microsoft Products!

    Rob Greene

  • Hi Rob and thank you for your reply. I was very glad that you generally agree with me that mapped network drives are not very useful in a "pure AD" environment. I also hope you would generally agree with me that the end user experience of this feature is not very good. Why the heck must the user think in terms of 'Disk'?

    So to my mind, if we can not completely avoid mapping network folders locally, it is better to leave them be folders, not disks. I love the feature of Windows XP which allows users to use 'My Network Places" and navigate not network computers, but shared folders. In Vista you went even further and made it possible to map any single network folder directly to the 'Computer' catalog.

    But there's a little silly problem with these features. I found no easy way (e.g. group policy) to manage them from one place. Maybe it is possible to write a custom logon script, but unfortunately I'm not very good at it. So is there a recommended solution for centrally managing these features, or are they supposed to be available for end users only?

    Thanks in advance.

  • Creating home and profile folders for new users and assigning permissions is an additional

  • Hi Robert,

    What I notice is that you have configured more NTFS permissions on the HOME directory than described on Microsoft TechNet. According to the following link (based on Windows Server 2003) you should only configure List Folder/Read Data, Create Folders/Append Data - This Folder Only. Can you tell on what online information your special security settings are based?

    Security Recommendations for Roaming User Profiles Shared Folders: Group Policy

    http://technet.microsoft.com/en-us/library/cc757013.aspx

    After playing with Roaming Profiles and Redirected Folders I noticed several problems (Windows Server 2008 and Windows Vista). Of course I'm not gonna mention them all here. There is a lot of information about Windows Server 2003, Windows XP, etc. But what I miss is up-to-date documentation that relies on Windows Server 2008 and Windows Vista.

    Boudewijn

  • Another important issue I noticed with Windows Vista is the following...

    Imagine you have enabled Folder Redirection by a Group Policy, and you have NOT selected "Grant the user exclusive rights to ...". When a user logs on to a computer with Windows Vista, it automatically creates the redirected folders. Because the user does not have exclusive rights it adds the local Administrators group. But the problem is, the user itself only has special folder permission with "This folder only" and NOT "This folder, subfolders and files". When an administrator then adds files (e.g. during migration) to the redirected folder, the user is unable to read the files. This causes several issues.

    Can someone explain to me why?

    Boudewijn

  • Hey Boudewijn,

    To answer the question about the permissions. You definitely can use the settings recommended in the TechNet article you listed.

    However, we have seen that those settings if applied to certain NAS appliances do not work with Windows Vista and Windows Server 2008 clients, but if you use those same exact settings on a Windows file server they do work.

    The settings recommended in the blog will work with the Windows Vista/2008 on NAS appliances.

    ================================

    As far as your other question. You are correct, the user will not have access to the data that the administrator copies into that directory.

    This is because of what you are stating with the permissions of the user being set to This folder only.  Why the user can see their data that was moved when folder redirection happened is because of the Creator Owner permissions.  They see the data in the folder because Creator owner has full Control and apply to:  "Subfolders and files" setting.

    However, I did notice one thing missing: for the Everyone special permissions you do need to give the "Create folders/append data" permission also.

    The reason why I recommend this setting is because typically we get the folder redirection call where the Admin cannot see the users data and that violates a policy that an Admin should be able to see all files on the file server.  If you do not need this ability you can check the box for exclusive use.

  • Hi Robert,

    Thanks for the info here, it was very useful. In testing, I followed your instructions regarding the Roaming Profiles in setting the Shared and Security permissions for the Profiles folder, however when I created an AD account which points to this profiles folder for the TS profile path I get an error when I log on using the account on a terminal server, saying it cannot locate the user's roaming profile due to some security restrictions. Any clues?

    Sorry if this is the wrong place to ask but I've been going in circles trying to fix our profile folder security issue. The profile folder that is in production right now has the "Users" group added to the root profile folder, and whenever a new user profile gets created the default security permissions are only Administrators, SYSTEM and the user account even though we specified other admin groups on the root profile folder which we need to have replicated in all the user profile folders. This has been a legacy problem in the company which I'm trying to sort out.

    Thanks for any help possible.

  • Hey Dewa19,

    So if you verified that the share permissions allow the user to make changes to files on the share, and that the user has Full Control to their profile directory.  I can only think of one other problem.  

    With roaming profiles, there is a check to verify that the user is listed as the owner of the profile. They need to own the directory as well as all files under their profile.

    You can remove this requirement by implementing the following GPO setting on the terminal server.

    Computer Configuration\Administrative Templates\System\User Profiles\Do not check for user ownership of Roaming Profile Folders.

    Other than that, I would recommend opening a case with us here in support to dig deeper into the issue.

    Rob Greene
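
The ownership check Rob describes, and the "other admin groups not replicated into user folders" symptom in the question above it, can both be audited from the file server before anyone reaches for the policy that disables the check. The following is an added example and not code from the original post or from either commenter; the root path, the domain NetBIOS name and the "<user>" / "<user>.V2" folder naming convention it relies on are assumptions.

```powershell
#Requires -Version 3.0
# Added example, not code from the original post or the commenters. Audits the
# per-user folders under a profile, home or redirection root for the two things
# this thread runs into: (1) the folder's owner is not the user it is named
# after, which is what the roaming profile ownership check rejects, and (2) a
# broad group (Everyone, Authenticated Users, Users) has an ACE inside a user's
# folder, which means the root entry was left inheritable. The root path, the
# domain NetBIOS name and the "<user>" / "<user>.V2" folder naming are assumptions.

function Test-UserFolderRoot {
    param(
        [Parameter(Mandatory = $true)] [string] $Root,    # e.g. D:\Profiles
        [Parameter(Mandatory = $true)] [string] $Domain,  # e.g. CONTOSO
        [switch] $CheckFiles                              # also check ownership of everything inside
    )
    $broadGroups   = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    $trustedOwners = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        # Windows Vista and later append a profile version suffix (tom.V2, tom.V6).
        $user     = $dir.Name -replace '\.V\d+$', ''
        $expected = "$Domain\$user"
        $acl      = Get-Acl -LiteralPath $dir.FullName

        # Any ACE (explicit or inherited) for a broad group inside a user's folder.
        $leaked = @($acl.Access |
            Where-Object { $broadGroups -contains $_.IdentityReference.Value } |
            ForEach-Object { '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights })

        # Items inside the folder owned by someone other than the user, Administrators or SYSTEM.
        $foreign = 0
        if ($CheckFiles) {
            $allowed = $trustedOwners + $expected
            $foreign = @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force |
                Where-Object { (Get-Acl -LiteralPath $_.FullName).Owner -notin $allowed }).Count
        }

        [pscustomobject]@{
            Folder        = $dir.Name
            ExpectedOwner = $expected
            Owner         = $acl.Owner
            OwnerOk       = ($acl.Owner -eq $expected)
            BroadAces     = ($leaked -join '; ')
            ForeignItems  = $foreign
        }
    }
}

# Example use (assumed values). An OwnerOk of False on a profile folder is what
# produces the "cannot locate roaming profile" logon error; fix it by restoring
# ownership, e.g. icacls "D:\Profiles\tom.V2" /setowner CONTOSO\tom /T, rather
# than by enabling "Do not check for user ownership of Roaming Profile Folders".
Test-UserFolderRoot -Root 'D:\Profiles' -Domain 'CONTOSO' -CheckFiles | Format-Table -AutoSize
```

A folder that was pre-created or copied in by an administrator will show the administrator (or Administrators) as owner, which is the usual cause of the ownership failure; restoring ownership to the user keeps the check in place, and the check exists so that a profile folder planted by someone else is never loaded as the user's own. A non-empty BroadAces column means the Everyone or Authenticated Users entry on the root was not scoped to This folder only.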

  • I'm setting up roaming profiles between Server 2008 and Vista/7 clients. Using the NTFS permissions mentioned in this article for the profile$ share (particularly Authenticated Users: Read & Execute, List Folder Contents, Read - this folder only), the clients report they cannot find the profile and use a temporary one. If I change the permissions to allow Authenticated Users to have write permissions to this folder, it works no problem. I've seen the same recommendations for the NTFS permissions everywhere I've looked, yet it doesn't work. Why is this?