
What is the best location to store the user redirected folders on Windows Server R2? At the moment I have it in a completely different share but the problem is that the NTFS permissions on the folder mean that any user can browse to the root of it and create folders. If there's a way of setting the permissions up that prevents this please let me know as I've been trying to figure it out for ages!

This tutorial recommends putting the redirected folders in the same location as where the roaming profile is stored on the server. I think this would sort the permissions problem (as I think the roaming profile folders are created by an admin account on first logon so domain users wouldn't need access to the root of the share) but is it a good idea?

By doing this could there be conflicts when the server re-uploads the user profile to the server when a user logs off?

Thanks.

Tom Jenkinson

2 Answers

> At the moment I have it in a completely different share but the problem is that the NTFS permissions on the folder mean that any user can browse to the root of it and create folders

Change the NTFS permissions? Here's a shot of what we allow regular users in the root of the redirected Users folder that all their profiles live in. We just use a folder off the root of a secondary [data] volume called Users.

[Image: Permissions]

Note that by applying the permissions to this folder only (and then, obviously, giving users permissions to their profile folder, but not other people's), they have the access they need to traverse the share and get into their profile folder but don't even have access to see the other users' folders if they get cute and go up a directory from their profile.

> This tutorial recommends putting the redirected folders in the same location as where the roaming profile is stored on the server

That's an option too, though I don't use roaming profiles (such a good idea with such awful implementation, nothing but headaches), so I couldn't say what issues that specifically might cause. However, it is a fairly common choice.

HopelessN00b
  • Thanks. I was under the impression that the folders for folder redirection were created in the scope of the user logging on (when logging on the first time) so they would need the permission to create the folder. I have the same but with the 'create folders/append data' checked. Do you create the folders yourself for each user or does it happen automatically? I'd test it myself but I don't have access to the server this week. – Tom Jenkinson Aug 24 '12 at 19:39
  • The folders were created automatically last I checked, though someone may have screwed it up since then. You should be good to remove that permission from the users, as I believe that it's `SYSTEM` that creates the redirected folders. Not 100% sure, since it's been a while since I set one of these up... price of being lazy and copying the same configs and scripts I've been using for a decade. :) – HopelessN00b Aug 24 '12 at 20:01
  • Ok thanks. When I'm back in work I'll try it and let you know if it works :) – Tom Jenkinson Aug 24 '12 at 20:09
  • I set the permissions like that but couldn't get it to work :( I created a new user in AD and then logged in. It failed to create the folder and didn't redirect the folders. I then checked the 'create folders' box and did the same again with another new user straight after and the folders were created and redirected. @HopelessN00b please can you check if it works with those permissions on your network when a new user is created? I'm pretty confused right now – Tom Jenkinson Aug 31 '12 at 19:07

It looks like for redirected folders the domain users have to have access to create directories in order for the folders to be created automatically with the initial logon. This is what Microsoft says here.

I'm guessing from this that the folders aren't created with the SYSTEM account like the user roaming profile directory is.

Maybe they might change this in the future.

Tom Jenkinson
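
As an added example (not from either answer or from the linked Microsoft page), this PowerShell sketch applies the layout the thread arrives at: users get traverse, list and 'create folders / append data' on the share root as "This folder only", and the creator of each subfolder gets full control inside it. `D:\Users` and `CONTOSO\Domain Users` are placeholder names, and the exact rights list in the users' ACE is an assumption of the example.

```powershell
# Added example: placeholder values, not taken from the original thread.
$Root  = 'D:\Users'               # assumed root of the redirected-folder share
$Users = 'CONTOSO\Domain Users'   # assumed group whose folders are redirected

function New-Rule($Who, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Who, $Rights, $Inherit, $Propagate, 'Allow'
}

$acl = New-Object System.Security.AccessControl.DirectorySecurity
# Protect the DACL: nothing is inherited from the volume root any more.
$acl.SetAccessRuleProtection($true, $false)

# SYSTEM and administrators: full control of the root and everything below.
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))

# Whoever creates a subfolder gets full control inside it (subfolders and files only).
$acl.AddAccessRule((New-Rule 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))

# Users: enough to reach the root and create their own folder at first logon.
# No inheritance flags, so the ACE is "This folder only" and never propagates
# into another user's folder.
$userRights = 'Traverse, ListDirectory, CreateDirectories, ReadAttributes, ReadExtendedAttributes, ReadPermissions'
$acl.AddAccessRule((New-Rule $Users $userRights 'None' 'None'))

Set-Acl -LiteralPath $Root -AclObject $acl

# Check 1: the group's ACE on the root must show InheritanceFlags = None.
(Get-Acl -LiteralPath $Root).Access |
    Where-Object { $_.IdentityReference.Value -eq $Users } |
    Format-List FileSystemRights, InheritanceFlags, PropagationFlags

# Check 2: no existing per-user folder should carry an ACE for the whole group.
Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $hit = (Get-Acl -LiteralPath $_.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $Users }
    if ($hit) { Write-Warning "$($_.FullName) grants access to $Users" }
}
```

Folders created before the ACL change keep whatever permissions they already had, which is why the second check walks the existing subfolders.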