If you redirect your users’ My Documents folders to a network share where each user maps to a subfolder of a root directory (e.g. all users redirect to \\SERVER\SHARE\%username% for the My Documents location), you may find some odd issues plaguing your support staff. When the admins of your system browse to \\SERVER\SHARE and look at the list of user folders, they may simply see a huge list of “My Documents” folders.
This behaviour is by design from Microsoft: Windows turns the folder \\SERVER\SHARE\%username% into a “My Documents” virtual folder by reading the LocalizedResourceName entry from the desktop.ini file placed in the directory. The result is chaos for any admins browsing the parent directory, as they struggle to identify the real names of the directories below.
Microsoft offer a few workarounds at https://support.microsoft.com/en-us/kb/947222, but Method 1 is a PITA because you may already have configured thousands of folders in this way, and Method 2 is quite simply a non-starter if you want your admin staff to actually have access to users’ data files for troubleshooting purposes. If you were to use Method 2 and just use Explorer to grant yourself access to certain folders as the need arose, you would eventually end up with a bunch of My Documents folders anyway, and the way Explorer handles this permissions change is a mess, simply resulting in complete ACL chaos down the line (see Helge Klein’s anti-Explorer article for more examples of how useless it really is). Method 3 – changing the permissions on the underlying desktop.ini file so that your administrative group can’t read it – is probably the best bet, so let’s quickly use AppSense DesktopNow to remove the permissions from this file and stop this annoying occurrence.
Of course, this method is applicable to a wide range of products and technologies, not just AppSense, but being an AppSense bigot (and occasionally referred to by said moniker at conferences and user groups!), it just made sense 🙂
We will run this in the User | Logon | Pre-Desktop trigger (or just User | Logon if you’re pre-EM 8 FR 5).
What we need to do is uncheck the inheritance and then strip the permissions from the groups. Normally, in a user home drive, only the user themselves and the BUILTIN\Administrators group (and maybe occasionally the SYSTEM account) have permissions to the files, so you just need to remove the permissions from BUILTIN\Administrators. If you’ve got something funky (well, downright crazy, really) like the Users group sitting on the ACL with Read access, you’d need to remove that too.
Obviously, when a user’s My Documents is redirected to this area for the first time, the desktop.ini file will be created, so it makes sense to do this after Folder Redirection has occurred.
The commands we need to put together are shown below, naturally replacing \\SERVER\SHARE with the relevant UNC path for your environment.
which would leave the whole node looking like this
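The same change expressed as a PowerShell script, added here as an example rather than the commands from the original post. It assumes \\SERVER\SHARE is your redirection root and that it runs in the user’s own logon context (for instance as the EM logon custom action), where the user owns the file and can change its DACL.

```powershell
# Added example (not the original post's commands): break inheritance on the
# redirected folder's desktop.ini and strip the ACEs that let admins read it,
# so \\SERVER\SHARE shows real folder names instead of "My Documents".
$shareRoot = '\\SERVER\SHARE'   # assumption: replace with your environment's UNC path
$iniPath   = Join-Path (Join-Path $shareRoot $env:USERNAME) 'desktop.ini'

# Identities whose Read access causes Explorer to render the virtual folder name.
# BUILTIN\Users is only present if someone has put it on the home drive ACL.
$principalsToStrip = @('BUILTIN\Administrators', 'BUILTIN\Users')

# Only act once Folder Redirection has created the file (see the note above).
if (Test-Path -LiteralPath $iniPath) {
    # Step 1: disable inheritance, copying the inherited ACEs as explicit ones.
    $acl = Get-Acl -LiteralPath $iniPath
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $iniPath -AclObject $acl

    # Step 2: re-read so the copied ACEs show as explicit, then remove the
    # entries for the groups above. The user's own ACE is left untouched.
    $acl = Get-Acl -LiteralPath $iniPath
    foreach ($ace in @($acl.Access)) {
        if ($principalsToStrip -contains $ace.IdentityReference.Value) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    Set-Acl -LiteralPath $iniPath -AclObject $acl

    # Step 3: confirm what is left; nothing here should be inherited and
    # none of the stripped principals should remain.
    (Get-Acl -LiteralPath $iniPath).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
```

If SYSTEM is also on the ACL and you need it to keep access, leave it out of $principalsToStrip; only the groups your admins are members of need to lose Read on the file.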
So, this is a very simple problem that many may have come across before and resolved, but just in case you didn’t, this should serve as a quick reminder of how to get past it.