How To Stop Home Folders Being Renamed Documents in the Network Share
I’ve recently had a number of queries about why everyone’s home folders have been renamed to Documents in the network share they reside in.
This obviously makes finding a particular user’s home folder difficult, especially in schools, where administrators and teachers regularly look in the home folders.
This is a feature of Windows Vista, Windows 7 and Server 2008. A desktop.ini file is created when the user first accesses their home folder, giving it the friendly display name Documents and a custom icon. This is to make it look pretty and stand out when viewed under your profile in Windows Explorer.
However, the side effect is as described above. Whenever anyone else views the folder, normally via the network location it is stored in, their Explorer also reads the desktop.ini file to get the display information, giving the impression that there are multiple folders called Documents.
As it’s only the display name which is changed you can still navigate into the folder by typing in the name in the address bar, which will auto-complete properly, but it’s not ideal.
The desktop.ini file is a hidden system file, so you won’t see it unless you have Explorer set to show system files; unless you know what’s happening it can seem very mysterious.
Microsoft have a knowledge base article about this at http://support.microsoft.com/kb/947222.
In it, it suggests 3 options for stopping this behaviour.
1. Put the home folder in a wrapper folder which is called the user’s username, but point the Active Directory attribute to the folder within it.
2. Give the user exclusive rights to the folder.
3. Deny read permission to the desktop.ini file in the home folder to other users. Then they won’t be able to read the display information and the name won’t change.
In a school environment, where there are legitimate reasons for other users to go into the students’ home folders, option 2 isn’t an option. Both 1 and 3 work nicely, but 3 seems cleaner to me as it doesn’t require creating any extra folders just to get round a display issue.
I’ve knocked up a quick PowerShell script to automate setting the permissions on the desktop.ini files. Note that groupName below should be changed to the name of an Active Directory group whose members you want to be able to view the real folder names. Be careful that this group doesn’t include any backup operators, or backups could fail.
# Run from the directory that contains the home folders.
$folders = Get-ChildItem | Where-Object { $_.PSIsContainer }
foreach ($folder in $folders) {
    # On a re-run we can no longer read the desktop.ini files we already locked down,
    # so suppress the resulting access-denied errors.
    $ErrorActionPreference = "SilentlyContinue"
    $desktopIni = Get-ChildItem $folder.FullName -Filter desktop.ini -Force
    if ($desktopIni -ne $null) {
        # Read the DACL only; reading the owner too makes Set-Acl try to rewrite it and fail.
        $Acl = (Get-Item $desktopIni.FullName -Force).GetAccessControl("Access")
        $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule `
            ("groupName", "Read", "Deny")
        $Acl.SetAccessRule($Ar)
        Set-Acl $desktopIni.FullName $Acl
    }
}
All you need to do is save this script as a .ps1 file in the directory containing your home folders. If they are split, for example by intake year, you’ll need to do this in each containing folder; so in the example above you would save it in \\fileserver\Intake2008. Then change groupName to the name of an Active Directory group containing the users you want to see the real names. Open PowerShell, navigate to the directory containing the script file and run it.
If you haven’t run PowerShell scripts before you’ll need to set the execution policy to allow it; I normally use RemoteSigned. Run
help set-executionpolicy
and
help about_execution_policies
in your PowerShell prompt for more information.
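As an added example (not the script from the post above, and not Microsoft’s), here is an audit-first version of option 3. It walks every home folder under -Path, reports whether each desktop.ini already carries the Deny Read entry for the chosen group, and only adds the entry when -Fix is given, so you can see what a run will touch before it changes anything. The group name "DOMAIN\HomeFolderViewers" is a placeholder to replace with your own Active Directory group (one that does not contain backup accounts), and the script assumes it is run from, or pointed at, the folder that contains the home folders, e.g. \\fileserver\Intake2008.

```powershell
# Added example: audit (and optionally fix) desktop.ini permissions in home folders.
# Placeholders to change: the group name below and the -Path you point it at.
param(
    [string]$Path  = (Get-Location).Path,
    [string]$Group = "DOMAIN\HomeFolderViewers",   # placeholder AD group
    [switch]$Fix                                    # without -Fix nothing is changed
)

$Read = [System.Security.AccessControl.FileSystemRights]::Read

$results = foreach ($folder in (Get-ChildItem -Path $Path -Force | Where-Object { $_.PSIsContainer })) {
    $ini   = Join-Path $folder.FullName "desktop.ini"
    $state = "NoDesktopIni"
    $note  = ""

    if (Test-Path -LiteralPath $ini) {
        try {
            # Ask for the DACL only. Reading the owner as well is what makes a later
            # Set-Acl try to write the owner back and fail for non-owners with
            # "The security identifier is not allowed to be the owner of this object".
            $acl = (Get-Item -LiteralPath $ini -Force).GetAccessControl("Access")

            # A rule counts if it is a Deny for our group that covers all of Read.
            $denyPresent = $acl.Access | Where-Object {
                $_.AccessControlType -eq "Deny" -and
                ($_.IdentityReference.Value -eq $Group -or $_.IdentityReference.Value -like "*\$Group") -and
                (($_.FileSystemRights -band $Read) -eq $Read)
            }

            if ($denyPresent) {
                $state = "DenyPresent"
            } elseif ($Fix) {
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Group, "Read", "Deny")
                $acl.SetAccessRule($rule)
                Set-Acl -Path $ini -AclObject $acl
                $state = "DenyAdded"
            } else {
                $state = "DenyMissing"
            }
        } catch {
            # Typical on a re-run when the account running the script is itself a
            # member of the denied group and can no longer read the file's DACL.
            $state = "AccessDenied"
            $note  = $_.Exception.Message
        }
    }

    New-Object PSObject -Property @{
        Folder = $folder.Name
        State  = $state
        Note   = $note
    }
}

$results | Sort-Object State, Folder | Format-Table Folder, State, Note -AutoSize
```

Run it once with no switches to get the report (a folder showing NoDesktopIni simply has not been opened by its user yet), then again with -Fix to add the missing entries. Run it from an account that is not in the denied group, otherwise every folder you fixed last time shows up as AccessDenied.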
Update 05 April 2011
Removed the use of Get-Acl, as Set-Acl then tries to set the owner. Talked about backup operators. Thanks to Jay Hutter for both of those.
Update 16 September 2011
Added $ErrorActionPreference = "SilentlyContinue" at the start. Otherwise an error is thrown when re-running as you don’t have access to the desktop.ini files you modified last time.
Richard,
This is great! I think I’m almost there. I ran the file through PowerShell and received the error below on all folders. Is there something else I need to change in the script?
You cannot call a method on a null-valued express
At D:\2011\brhs.ps1:5 char:210
+ if ($desktopIni -ne $null) { $Acl
ty.accesscontrol.filesystemaccessrule("HS Student
$desktopIni.FullName $Acl }
+ CategoryInfo : InvalidOperation: (
+ FullyQualifiedErrorId : InvokeMethodOnNull
Richard,
I don’t often use PowerShell so forgive me if I am doing something wrong. I went back and edited the PowerShell file to be spaced out over the number of lines you used above. I again ran the file and received this shorter message. It did not run and error on all files like it did previously. Is there something in the script I need to change?
Unexpected token ‘Ar’ in expression or statement.
At D:\2011\brhs.ps1:8 char:32
+ $desktopIni.FullName $Ar <<<< = New-Object
+ CategoryInfo : ParserError: (Ar:String) [], ParseException
+ FullyQualifiedErrorId : UnexpectedToken
Hi Daniel,
WordPress seems to have eaten the correct spacing. I’ve adjusted it now so please try again.
Richard
i keep getting this error any ideas??
Set-Acl : The security identifier is not allowed to be the owner of this object.
I keep getting the security identifier error too. Has anyone resolved this?
Instead of using a script you could also just add an extra column to the view of windows explorer called “Filename”
“View”, “Choose Details…”, activate “Filename” and press “OK”
@Steve
I get the same error message. I am fairly certain that the user has to be owner of the folder for redirection to work.
What I did to fix the issue was to install FSRM and make a file screen for the share where their home directory is mapped disallowing any ini files. That did the trick for me.
If you’re denying access to an entire group, doesn’t that include the user you want to see it in many cases?
For example I have a “students” group, and all of the users are in that group. If I deny access to a file for the “students” group, that will include the user who I want to see it. What am I missing?
Nevermind, I see what MS is doing.. They assume the user is outside the group (in their example deny access for the admins group).
A fourth option is to add the ‘Filename’ column to your Windows Explorer view. Much easier then other options.
There are errors in this code because you are not allowed to do this if you are not the owner of the file/folder. Set-ACL also wants to write the owner even if you have not changed it or don’t want to change it. So you are getting that error because it is trying to change the owner. Instead try this, which will use the GetAccessControl method to specify what part of the security description you want to read (and change).
Replace
$Acl = Get-Acl $desktopIni.FullName
With
$Acl = (Get-Item $desktopIni.FullName -Force).GetAccessControl("Access")
@Jay Hutter
This script may cause errors if you do what Microsoft say and apply it to administrators, if you back up files or try to move them, since you then can’t access the desktop.ini in these folders. Option #1 is what should be done on http://support.microsoft.com/kb/947222
Adding a filename column only works for you though and not everyone else. Most of my work is in schools and quite often they want all teachers to access the student’s home directories.
We got the same problem on one of our servers.
I am working for a school board, and all the users home drives are set in the folder D:\users (D:\users\students, D:\users\staff, D:\users\admin staff)
This program is using xcacls.vbs
I wrote this vbs script and it’s working well on a 2003 server. It’s well commented and you should not have any problems following my code.
This program runs from the command prompt with or without argument:
c:\: will run to the default folder hard coded in the program (defpath)
c\:\ d:\other users: will run on the folder d:\other users.
Here is the code (tested and working):
'**********************************************************************************
'* Bert, April 30 2011                                                            *
'* To prevent the administration group from reading desktop.ini inside a user     *
'* Home Drive. Reading desktop.ini prevents the right folder name from being      *
'* displayed (ie: My Music, My Documents or My Videos instead of the folder name). *
'* Usage: At the cmd prompt > DRD.vbs [folder]                                    *
'* If no argument is passed, the default path (defpath)                           *
'* will be selected to apply the restriction setup                                *
'**********************************************************************************
Option Explicit
Dim strFolderToSearch, strfolder, WshShell, objRootFolder, objFolder, colSubfolders, strOutput, objFSO, _
    strxcacls, arg, x, y, filesys, filetxt, defpath, usersarray()
Set arg = WScript.Arguments
x = 0
y = 1
Const ForReading = 1, ForWriting = 2, ForAppending = 8
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'+ Beginning of custom settings                                                          +
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'**********************
'* Location of xcacls *
'**********************
strxcacls = "c:\xcacls.vbs"
'******************************************************************************************
'* Path for the default user's folders (if no argument is passed from the command prompt) *
'* This will be used when running as a scheduled task                                     *
'******************************************************************************************
defpath = "D:\users"
'+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'+ End of custom settings                                                                 +
'+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Set WshShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set filesys = CreateObject("Scripting.FileSystemObject")
'Deleting the previous batch file
If filesys.FileExists("c:\changeACL.bat") Then
    filesys.DeleteFile "c:\changeACL.bat"
End If
'Creating an empty batch file
Set filetxt = filesys.OpenTextFile("c:\changeACL.bat", ForAppending, True)
'Checking if a users folder has been passed to the program.
'If yes, take arg.Item(0) as the folder to apply the permissions to;
'if not, use the default path (defpath) defined earlier.
If arg.Count = 0 Then
    Set objRootFolder = objFSO.GetFolder(defpath)
Else
    Set objRootFolder = objFSO.GetFolder(arg.Item(0))
End If
Set colSubfolders = objRootFolder.SubFolders
'Find the group folders under the users folder and store their paths in an array
For Each objFolder In colSubfolders
    x = x + 1
    ReDim Preserve usersarray(x)
    usersarray(x) = objFolder.Path
Next
'Find the user folders for each group stored in the array, build the command line and copy it to the batch file.
For y = 1 To x
    Set objRootFolder = objFSO.GetFolder(usersarray(y))
    Set colSubfolders = objRootFolder.SubFolders
    For Each objFolder In colSubfolders
        strfolder = usersarray(y) & "\" & objFolder.Name
        '****************************************************************************************************
        '* The following is copied to changeACL.bat to remove the read right on the INI file.               *
        '* (/D user:perm denies the specified user the given access right.)                                 *
        '* The path is quoted because group and user folders may contain spaces, for example:               *
        '* cscript c:\xcacls.vbs "D:\users\admin staff\1adm\desktop.ini" /D "Domain Admins":R               *
        '****************************************************************************************************
        filetxt.WriteLine strOutput & "cscript " & strxcacls & " " & Chr(34) & strfolder & "\desktop.ini" & Chr(34) & _
            " /D " & Chr(34) & "Domain Admins" & Chr(34) & ":R"
    Next
Next
filetxt.Close
'Running the batch file to set the restriction (1 = normal window, True = wait until it finishes)
WshShell.Run "c:\changeACL.bat", 1, True
'If an argument was passed on the command line, tell the user that the process ended successfully
If arg.Count > 0 Then
    WScript.Echo "User's folders located in " & arg.Item(0) & " have been successfully processed"
End If
Have never used powershell before but copied and pasted the script into a ps1 file. Changed the word groupName to StaffTemp which is the group I made to test this (the staff want to know whose documents relate to each user) then I ran powershell as an administrator, did “Set-ExecutionPolicy RemoteSigned”, located the ps1 folder which I had placed in the root of where all the Documents folders were and ran it by running .\script.ps1
It just went to the next line and nothing happened! No desktop.ini file was changed. Help! What am I doing wrong?
Thanks
I love powershell and the issue can be resolved by using it but I solved it by using a simple batch file.
Just add a logon script (.bat) on the GPO that you used for folder redirection:
%windir%\system32\icacls.exe %homedrive%\Desktop.ini /deny "Domain Admins":r
For further information see:
http://salfischberger.blogspot.com/2011/09/homedirectory-naamprobleem-na.html
It’s in Dutch, but the screenshot should say it all.
Denying Domain admins could have a negative effect on processors such as backup routines which rely on admin accounts to access files and folders.
We worked around the problem by initially replacing all the desktop.ini files with empty copies. The permissions of these files were then changed to deny write access to the user, thus leaving all higher level admin permissions intact.
@Gavin
Backup routines should have their own user to run as, not a standard user account. Just don’t deny those accounts.
Would setting the desktop.ini files in all the directories to blank, and then setting them as Read Only do the trick?