Redirection Folder permissions on Windows 2012 R2

Tags: folder-redirection, windows-server-2012-r2

I have a 2012R2 File Server (server-docs) and a 2012R2 Citrix XenApp/RDS Server (server-rds). Users must be members of UsersRDS to log on server-rds.

Here are my GPO settings for Documents redirection:

  • Basic: Redirect everyone's folder to the same location
  • Create a folder for each user under the root path
  • Root folder: \\server-docs\UserDocs
  • Exclusive rights unchecked

I followed this article from MS for setting permissions on the root folder: https://technet.microsoft.com/en-us/library/cc737633%28v=WS.10%29.aspx

  • Owner: Full Control, Subfolders And Files Only
  • UsersRDS: List Folder/Read Data, Create Folders/Append Data – This Folder Only
  • Administrators: Full Control
  • System: Full Control, This Folder, Subfolders And Files

When I log on server-rds with TestUser, the folder redirection occurs and I get a folder \\server-docs\UserDocs\TestUser\Documents.

TestUser and its subfolder Documents both have the same permissions:

  • Owner: Full Control, Subfolders And Files Only
  • UsersRDS: List Folder/Read Data, Create Folders/Append Data – This Folder Only
  • Administrators: Full Control
  • System: Full Control, This Folder, Subfolders And Files
  • TestUser: Full Control, This Folder Only

I have another 2003 file server and a 2003 RDS server; with the same root folder permissions I have only this on the user's Documents folder:

  • Administrators: Full Control
  • TestUser: Full Control

If I check "Grant the user exclusive rights" on the Documents folder in the GPO and run gpupdate /force on server-rds, server-rds cannot do the folder redirection at logon and I get event ID 1085: Windows failed to apply folder redirection settings.

How can I disable inheritance for user Documents folders to get the same permissions as on my 2003 servers?

Best Answer

As the strange ACLs seem to be by design, I had to check and change them if needed during user logon with a PowerShell script:

Function Repair-UserFullControlACL {
Param(
    [Parameter(Mandatory=$true)]
    [ValidateScript({Test-Path $_ -PathType "Container"})]
    [string]$Folder,

    # Account that must get FullControl, in DOMAIN\user form.
    # Defaults to the user running the logon script (the original posted
    # function used $FullUserName without declaring it).
    [string]$FullUserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
)

# We also add the System account, local Administrators and CREATOR OWNER
# (replace these French account names if needed)
$OtherAccounts = @("AUTORITE NT\Système", "BUILTIN\Administrateurs", "CREATEUR PROPRIETAIRE")

# `FullControl` for the user, inherited by subfolders and files
$ACLUser = New-Object System.Security.Principal.NTAccount($FullUserName)
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ACLUser, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

# We need the actual folder ACL
$Acl = Get-ACL $Folder

# Checking if everything is already OK: compare every property of the wanted
# rule with each existing ACE (identity, rights, inheritance flags, type)
$RuleOK = $False
ForEach ($ACLRule in $Acl.Access){
    If (-not(Compare-Object ($Rule | Format-List * | Out-String -Stream) ($ACLRule | Format-List * | Out-String -Stream))){
        $RuleOK = $True
        break
    }
}
# Adding FullControl if needed
If (-not($RuleOK)){
    Try{
        $Acl.AddAccessRule($Rule)

        ForEach ($Account in $OtherAccounts){
            $ACLAccount = New-Object System.Security.Principal.NTAccount($Account)
            $AccountRule = New-Object System.Security.AccessControl.FileSystemAccessRule($ACLAccount, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
            $Acl.AddAccessRule($AccountRule)
        }
        # Saving ACL
        Set-ACL $Folder $Acl -ErrorAction Stop
    }catch{
        Write-Warning "Erreur : Impossible d'accorder le droit 'FullControl' à l'utilisateur sur $Folder : $($_.Exception.Message)"
    }
}}

Example:

Repair-UserFullControlACL "\\server\shared\userHomeDir"
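Before running a repair like the one above across a whole redirection root, it helps to know which user folders actually deviate from the intended ACL. The following read-only audit script is an added example and not part of the original question or answer; it walks every per-user folder under the root, resolves SYSTEM, Administrators and CREATOR OWNER by well-known SID (so it does not depend on the OS language, unlike the hard-coded French names above), and reports whether the user has FullControl, how many ACEs are inherited from the root, and which identities (such as the UsersRDS group from the root folder) appear that are not expected. It assumes the folder name equals the user's logon name and that $Domain is the NetBIOS domain name; both are assumptions to adjust.

```powershell
# Added example: audit redirected user folders for ACL drift without changing anything.
# Assumptions: each folder under $RootFolder is named after the user's logon name,
# and $Domain is the NetBIOS domain name (e.g. CONTOSO).
param(
    [Parameter(Mandatory=$true)][string]$RootFolder,   # e.g. \\server-docs\UserDocs
    [Parameter(Mandatory=$true)][string]$Domain        # NetBIOS domain name (assumption)
)

# Resolve well-known principals by SID so the script works on any OS language
function Get-WellKnownAccountName {
    param([System.Security.Principal.WellKnownSidType]$Type)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($Type, $null)
    return $sid.Translate([System.Security.Principal.NTAccount]).Value
}
$SystemName       = Get-WellKnownAccountName LocalSystemSid
$AdminsName       = Get-WellKnownAccountName BuiltinAdministratorsSid
$CreatorOwnerName = Get-WellKnownAccountName CreatorOwnerSid

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# True when the ACL carries an explicit or inherited Allow ACE granting FullControl
# to the given identity
function Test-HasFullControl {
    param($Acl, [string]$Identity)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Identity -and
            ($ace.FileSystemRights -band $FullControl) -eq $FullControl) {
            return $true
        }
    }
    return $false
}

$Results = foreach ($dir in Get-ChildItem -Path $RootFolder -Directory) {
    $userName = "$Domain\$($dir.Name)"
    $acl      = Get-Acl -Path $dir.FullName

    # Identities allowed on a user folder; anything else (e.g. the UsersRDS
    # group inherited from the root) is reported as unexpected
    $expected   = @($userName, $SystemName, $AdminsName, $CreatorOwnerName)
    $unexpected = $acl.Access |
        Where-Object { $expected -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Folder            = $dir.FullName
        Owner             = $acl.Owner
        UserFullControl   = Test-HasFullControl $acl $userName
        SystemFullControl = Test-HasFullControl $acl $SystemName
        InheritedAces     = @($acl.Access | Where-Object { $_.IsInherited }).Count
        UnexpectedAces    = ($unexpected -join ', ')
    }
}

# Folders where the user lacks FullControl are listed first
$Results | Sort-Object UserFullControl | Format-Table -AutoSize
```

Run it from an account that can read the ACLs on the share (Administrators has Full Control per the root permissions above), for example `.\Audit-RedirectedFolders.ps1 -RootFolder '\\server-docs\UserDocs' -Domain CONTOSO`. A non-zero InheritedAces count on a folder that is supposed to match the 2003 layout (only Administrators and the user) tells you inheritance is still on, which is exactly the state the repair function in the answer corrects.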