Automatic creation of user folders for home, roaming profile and redirected folders.

re: Automatic creation of user folders for home, roaming profile and redirected folders.

astephon88 — Fri, 05 Feb 2010 23:37:14 GMT

I'm setting up roaming profiles between server 2008 and vista/7 clients. using the ntfs permissions mentioned in this article for the profile$ share (particularly for the Authenticated Users: Read & Execute, List Folder Contents, Read-this folder only), the clients report they cannot find the profile and uses a temporary one. If I change the permissions to allow authenticated users to have write permissions to this folder, it works no problem. I've seen the same recommendations for the NTFS permissions everywhere I've looked, yet it doesn't work. Why is this?

re: Automatic creation of user folders for home, roaming profile and redirected folders.

greener85 — Mon, 17 Aug 2009 17:26:24 GMT

Hey Dewa19,

So if you verified that the share permissions allow the user to make changes to files on the share, and that the user has Full Control to their profile directory. I can only think of one other problem.

With roaming profiles, there is a check to verify that the user is listed as the owener of the profile. They need to own the directory as well as all files under thier profile.

you can remove this requirement by implmenting the following GPO setting on the terminal server.

Computer Configuration\Administrative Templates\System\User Profiles\Do not chedck fo user ownership of Roaming Profile Folders.

Other then that, I would recommend opening a case with us here in support to dig deeper in to the issue.

Rob Greene

re: Automatic creation of user folders for home, roaming profile and redirected folders.

Dewa19 — Mon, 17 Aug 2009 09:28:15 GMT

Hi Robert,

Thanks for the info here, it was very useful. In testing, I followed your instructions regarding the Roaming Profiles in setting the Shared and Security permissions for the Profiles folder, however when I created an AD account which point to this profiles folder for the TS profile path I get an error when I log on using the account on a terminal server, saying it cannot locate the user's roaming profile due to some security restrictions. Any clues?

Sorry if this is the wrong place to ask but I've been going in circles trying to fix our profile folder security issue. The profile folder that is in production right now has the "Users" group added the root profile folder, and whenever a a new user profile gets created the default security permissions are only Administrators, SYSTEM and the user account even though we specified other admin groups on the root profile folder which we need to have replicated in all the user profile folders. This has been a legacy problem in the company which I'm trying to sort out.

Thanks for any help possible.

re: Automatic creation of user folders for home, roaming profile and redirected folders.

greener85 — Thu, 22 Jan 2009 03:46:32 GMT

Hey Boudewijn,

To answer the question about the permissions. You definately can use the settings recommended in the technet article you listed.

However, we have seen that those settings if applied to certain NAS appliances do not work with Windows Vista and Windows Server 2008 clients, but if you use those same exact settings on a Windows file server they do work.

The settings recommended in the blog will work with the Windows Vista/2008 on NAS appliances.

================================

As far as your other question. You are correct the user will not have access to the data that the administator copies into that directory.

This is because of what you are stating with the permissions of the user being set to This folder only. Why the user can see their data that was moved when folder redirection happened is because of the Creator Owner permissions. They see the data in the folder because Creator owner has full Control and apply to: "Subfolders and files" setting.

However I did notice one thing missing, in the for the Everyone special permissions you do need to give the "Create folders/append data" permission also.

The reason why I recommend this setting is because typically we get the folder redirection call where the Admin cannot see the users data and that violates a policy that an Admin should be able to see all files on the file server. If you do not need this ability you can check the box for exclusive use.

re: Automatic creation of user folders for home, roaming profile and redirected folders.

Boudewijn Plomp — Mon, 19 Jan 2009 16:25:26 GMT

Another important issue I noticed with Windows Vista is the following...

Imagine you have enable Folder Redirection by a Group Policy, and you have NOT select "Grant the user exclusive rights to ...". When a user logs on a computer with Windows Vista, it automatically creates the redirected folders. Because the user does not have exclusive rights it adds the local Administrators group. But the problem is, the user itself only has special folder permission with "This folder only" and NOT "This folder, subfolders and files". When an administrator then adds files (e.g. during migration) to the redirected folder, the user is unable to read the files. This causes serveral issues.

Can someone explain me why?

Boudewijn

re: Automatic creation of user folders for home, roaming profile and redirected folders.

Boudewijn Plomp — Mon, 19 Jan 2009 16:10:36 GMT

Hi Robert,

What I notice is that you have configured more NTFS perrmission on the HOME directory as described on Microsoft TechNet. According the following link (based on Windows Server 2003) you should only configure List Folder/Read Data, Create Folders/Append Data - This Folder Only. Can you tell on what online information your special security settings are based?

Security Recommendations for Roaming User Profiles Shared Folders: Group Policy

http://technet.microsoft.com/en-us/library/cc757013.aspx

After playing with Roaming Profiles and Redirected Folders I noticed several problems. (Windows Server 2008 and Windows Vista) Ofcourse I'm not gonna mention them all here. There is a lot of information about Windows Server 2003, Windows XP and etc. But what I miss is up-to-date documentation that rely on Windows Server 2008 and Windows Vista.

Boudewijn

Automātiksa lietotāju mājas un profila mapju izveidošana.

Arņa piezīmes — Thu, 14 Aug 2008 11:33:19 GMT

Jaunu lietotāju mājas un profila mape veido&scaron;ana un tiesību pie&scaron;ķir&scaron;ana ir papildus

re: Automatic creation of user folders for home, roaming profile and redirected folders.

Pronichkin — Wed, 09 Jul 2008 20:10:33 GMT

Hi Rob and thank you for your reply. I was very glad that you generally agree with me that mapped network drives are not very useful in "pure AD" environment. I also hope you would generally agree with me that end user experience of this feature is not very good. Why the heck the user must think in terms of 'Disk'?

So to my mind, if we can not completely avoid mapping network folders locally, it is better to leave them be folders, not disks. I love the feature of Windows XP which allows users to use 'My Network Places" and navigate not network computers, but shared folders. In Vista you went even further and made it possible to map any single network folder directly to the 'Computer' catalog.

But there's a little silly problem with these features. I found no easy way (e.g. group policy) to manage them from one place. Maybe it is possible to write a custom logon script, but unfortunately I'm not very goot at it. So is there a recommended solution for centrally managing these features, or they are supposed to be available for end users only?

Thanks in advance.

re: Automatic creation of user folders for home, roaming profile and redirected folders.

greener85 — Wed, 09 Jul 2008 19:01:10 GMT

Hey Artem,

This is actually a very good question, or in some circles I guess it could be called a debate.

Most of us here in Directory Services support would definitely agree with you. For most customers HOME directories should be a dead subject; the concept of user home directories have been replaced with folder redirection of My Documents (as well as other folders). However, some customers do not really want to redirect the My Documents folder for certain reasons (of course almost all the reasons I have heard are really not valid). Like they might not want to put all the users data on the server because of disk space concerns, but want to have a location where users could store important files to be backed up. Here is another reason, may be the customer is migrating from NetWare or some other Operating System, and they are just not comfortable with Folder Redirection yet, and the user base already has the concept of home directories down. To make the migration less stressful for their users they might decide to keep the concept of 'you put your personal data on the "H" drive'.

Moreover when you do decide to implement folder redirection we would strongly recommend that you implement the solution on a Domain-based DFS namespace. This way, if you decide to move or migrate the users folders to a new file server folder redirection will not break or cause a move of the data back to the users machine (based on the setting of the folder redirection GPO).

The second thing that I want to make sure everyone understands, this blog is not saying to implement all the features, it is really just giving you all the different technologies where the users' personal folders could be created on the fly instead of manually by the administrator and how the administrator would go about setting up the functionality.

Again, thanks for reading our blogs and giving us a chance to improve your experience with Microsoft Products!

Rob Greene

Interesting Links 7/09/2007

Matt Johnson's Technical Adventures — Wed, 09 Jul 2008 15:38:43 GMT

The list is a little longer today because of not posting last week. Enjoy! Microsoft Advanced Windows