Windows Folder Redirection Permissions

Tags: active-directory, folder-redirection, permissions, windows-server-2008-r2, windows-xp

I have a DFS share at "\\corp\content\", and within it there is a folder named Personal. Owner Rights, Domain Admins and System all have full rights to this folder, and Authenticated Users can create folders, read attributes and read permissions.

I have a Group Policy redirecting all possible folders on desktops to this share, e.g. \\corp\content\testuser\desktop. This policy applies to XP but does not grant the user exclusive rights.

When a user logs in for the first time (on XP) they create a folder as expected and it has appropriate rights. When it gets to the Start Menu however it creates \\corp\content\personal\testuser\Start Menu\Programs and this folder lacks any rights for the Owner Rights (these rights seem not to be inherited). \\corp\content\personal\testuser\Start Menu\ does however have the rights as expected. The group policy then fails as it is unable to copy data to the directory that has been created.

This error isn't specific to Start Menu as disabling that error causes a similar fault in Application Data. The server is Windows Server 2008r2 Ent, the client is Windows XP. When the GPO dictates exclusive rights should be granted, the redirection functions as expected.

My goal is to have the Domain Admins group able to read the folders created by folder redirection (for backup and helpdesk requirements).

Has anyone accomplished this or know what could be causing the above error?

By request, gpresult section relevant to folder redirection:

        Folder Redirection
    ------------------
        GPO: Policy: Folder Redirection and Offline Files
            Setting:  InstallationType:  basic
                Grant Type:        Not Exclusive Rights
                Move Type:         Contents of Local Directory moved
                Policy Removal:    Leave folder in existing location
                Redirecting Group: Everyone
                Redirected Path:   \\corp\content\personal\test1\application data

        GPO: Policy: Folder Redirection and Offline Files
            Setting:  InstallationType:  basic
                Grant Type:        Not Exclusive Rights
                Move Type:         Contents of Local Directory moved
                Policy Removal:    Leave folder in existing location
                Redirecting Group: Everyone
                Redirected Path:   \\corp\content\personal\test1\start menu\Programs\Startup

        GPO: Policy: Folder Redirection and Offline Files
            Setting:  InstallationType:  basic
                Grant Type:        Not Exclusive Rights
                Move Type:         Contents of Local Directory moved
                Policy Removal:    Leave folder in existing location
                Redirecting Group: Everyone
                Redirected Path:   \\corp\content\personal\test1\desktop

        GPO: Policy: Folder Redirection and Offline Files
            Setting:  InstallationType:  basic
                Grant Type:        Not Exclusive Rights
                Move Type:         Contents of Local Directory moved
                Policy Removal:    Leave folder in existing location
                Redirecting Group: Everyone
                Redirected Path:   \\corp\content\personal\test1\start menu

        GPO: Policy: Folder Redirection and Offline Files
            Setting:  InstallationType:  basic
                Grant Type:        Not Exclusive Rights
                Move Type:         Contents of Local Directory moved
                Policy Removal:    Leave folder in existing location
                Redirecting Group: Everyone
                Redirected Path:   \\corp\content\personal\test1\pictures

        GPO: Policy: Folder Redirection and Offline Files
            Setting:  InstallationType:  basic
                Grant Type:        Not Exclusive Rights
                Move Type:         Contents of Local Directory moved
                Policy Removal:    Leave folder in existing location
                Redirecting Group: Everyone
                Redirected Path:   \\corp\content\personal\test1\start menu\Programs

        GPO: Policy: Folder Redirection and Offline Files
            Setting:  InstallationType:  basic
                Grant Type:        Not Exclusive Rights
                Move Type:         Contents of Local Directory moved
                Policy Removal:    Leave folder in existing location
                Redirecting Group: Everyone
                Redirected Path:   \\corp\content\personal\test1\documents

Best Answer

I don't allow Windows clients to create their redirected folders. Frankly, it seems like a potential DoS attack to me to have a world-writeable folder on a server computer where any user account can create sub-folders. (The whole notion of the client creating important folders like this seems brain-damaged to me-- as does the default behavior of breaking the permission inheritance hierarchy and specifying "User / Full Control". Whoever in Microsoft thought up that behavior had their head firmly up their ass and obviously doesn't administer production file servers.)

When I provision a user account (via script) I also create the redirected Desktop, Application Data, and My Documents folders (I don't do Start Menu redirection anywhere, but it should function similarly) in the correct location and add a "User / Full Control" ACL to the folder immediately after creating it. The parent directory of any redirected folder hierarchy has "Administrators / Full Control" and "Authenticated Users / List Folder Contents - This folder only" specified on it already. I end up with a nice clean permission inheritance hierarchy and no world-writeable folder.

This has worked well for me w/ Windows 2000 thru Windows 7 clients. I don't mind the provisioning, since I'm doing it via script, and it makes me happy not to have a world-writeable folder on my server computers.
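The provisioning approach the answer describes, together with the permission check the question is really asking for, as an added PowerShell example. This is not the answerer's script or anything from the original thread. It assumes the parent folder is \\corp\content\personal (taken from the question), that the domain NetBIOS name is CORP (a placeholder), and that the admin group is BUILTIN\Administrators as in the answer; pass -AdminIdentity 'CORP\Domain Admins' to match the question's goal (Domain Admins is a member of the local Administrators group on domain-joined servers by default anyway). Folder names, the SYSTEM ACE and the function names are the example's own choices.

```powershell
# Added example (not the answer's own script). Assumed values: the parent path comes from the
# question; 'CORP', the folder list and the function names are placeholders chosen here.
param(
    [string]$RedirectRoot  = '\\corp\content\personal',
    [string]$Domain        = 'CORP',
    [string]$AdminIdentity = 'BUILTIN\Administrators'
)

# Folders provisioned ahead of time. The answer does not redirect Start Menu; add it here if you do.
$RedirectedFolders = @('Desktop', 'Application Data', 'My Documents')

# Builds one Allow ACE. Rights and flags are passed as strings and converted to the .NET enums.
function New-AllowRule {
    param([string]$Identity, [string]$Rights, [string]$Inheritance, [string]$Propagation = 'None')
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @($Identity, $Rights, $Inheritance, $Propagation, 'Allow')
}

# Run once on the parent: Administrators (and SYSTEM) Full Control inherited by everything
# beneath, Authenticated Users list/traverse on this folder only, and no create rights for
# ordinary users, so the parent is never world-writeable.
function Set-RedirectRootAcl {
    param([string]$Path = $RedirectRoot)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the share root and discard the ACEs that came with it.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $acl.AddAccessRule((New-AllowRule $AdminIdentity       'FullControl' 'ContainerInherit, ObjectInherit'))
    $acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit'))
    # ReadAndExecute with no inheritance flags is "List Folder Contents - This folder only".
    $acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' 'None'))
    Set-Acl -Path $Path -AclObject $acl
}

# Per-user provisioning: create the user's root, grant the user Full Control on it (inherited
# by the redirected folders below), then create the redirected folders. Inheritance from the
# parent is left intact, so Administrators keep Full Control all the way down.
function New-RedirectedUserFolders {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $userRoot = Join-Path -Path $RedirectRoot -ChildPath $SamAccountName
    if (-not (Test-Path -Path $userRoot)) {
        New-Item -ItemType Directory -Path $userRoot | Out-Null
    }
    $acl = Get-Acl -Path $userRoot
    $acl.AddAccessRule((New-AllowRule "$Domain\$SamAccountName" 'FullControl' 'ContainerInherit, ObjectInherit'))
    Set-Acl -Path $userRoot -AclObject $acl
    foreach ($name in $RedirectedFolders) {
        $sub = Join-Path -Path $userRoot -ChildPath $name
        if (-not (Test-Path -Path $sub)) {
            New-Item -ItemType Directory -Path $sub | Out-Null
        }
    }
    return $userRoot
}

# Audit: walk a user's tree and report, per folder, whether inheritance has been blocked and
# whether the admin identity still holds an Allow Full Control ACE. A folder with
# InheritanceBlocked = True and AdminFullControl = False is the symptom the question describes.
function Test-RedirectedFolderAcl {
    param([Parameter(Mandatory = $true)][string]$UserRoot)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $dirs = @(Get-Item -Path $UserRoot) +
            @(Get-ChildItem -Path $UserRoot -Recurse | Where-Object { $_.PSIsContainer })
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        $adminAce = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $AdminIdentity -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full)
        }
        New-Object -TypeName PSObject -Property @{
            Path               = $dir.FullName
            InheritanceBlocked = $acl.AreAccessRulesProtected
            AdminFullControl   = [bool]$adminAce
        }
    }
}

# Usage, run as an account that administers the share (uncomment to execute):
# Set-RedirectRootAcl                                    # once, on the parent folder
# New-RedirectedUserFolders -SamAccountName 'testuser'   # per provisioned account
# Test-RedirectedFolderAcl -UserRoot (Join-Path $RedirectRoot 'testuser') | Format-Table Path, InheritanceBlocked, AdminFullControl -AutoSize
```

Set-RedirectRootAcl rewrites the parent's DACL, so run it once and only on the parent. After it, Authenticated Users can no longer create folders there, which is the point of the answer: the client never creates the redirected folders itself, and the Group Policy only has to populate folders that already exist with a clean, inherited ACL. Test-RedirectedFolderAcl can also be pointed at a tree the client did create, which is the quickest way to see exactly where the inheritance chain was broken.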
