How To Stop Home Folders Being Renamed Documents in the Network Share

September 24th, 2010 Richard

I’ve recently had a number of queries about why everyone’s home folders have been renamed to Documents in the network share they reside in.

[Image: documents]

This obviously makes finding a particular user’s home folder difficult, especially in schools where administrators and teachers regularly look in the home folders.

This is a feature of Windows Vista, Windows 7 & Server 2008. A desktop.ini file is created when the user first accesses their home folder to give it a friendly display name of Documents and a custom icon. This is to make it look pretty and stand out when viewed under your profile in Windows Explorer.

However, the side effect is as above. Whenever anyone else views the folder, normally in the context of the network location where it is stored, their Explorer also reads the desktop.ini file to get the display information, giving the impression that there are multiple folders called Documents.

As it’s only the display name which is changed you can still navigate into the folder by typing in the name in the address bar, which will auto-complete properly, but it’s not ideal.

The desktop.ini file is a hidden system file, so you won’t see it unless Explorer is set to show system files. Unless you know what’s happening, it can seem very mysterious.

Microsoft have a knowledge base article about this at http://support.microsoft.com/kb/947222.

The article suggests 3 options for stopping this behaviour.

1.    Put the home folder in a wrapper folder which is called the user’s username, but point the Active Directory attribute to the folder within it.

2.    Give the user exclusive rights to the folder.

3.    Deny read permission to the desktop.ini file in the home folder to other users. Then they won’t be able to read the display information and the name won’t change.

In a school environment, where there are legitimate reasons for other users to go into the students’ home folders, option 2 isn’t an option. Both 1 & 3 work nicely, but 3 seems cleaner to me as it doesn’t require creating any extra folders just to get round a display issue.

I’ve knocked up a quick PowerShell script to automate setting the permissions on the desktop.ini files. Note that groupName below should be changed to the name of an Active Directory group you want to be able to view the real folder names. Be careful that this group doesn’t include any backup process operators, or backups could fail.

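# Deny read access to each home folder's desktop.ini for the named group,
# so members of that group see the real folder names in Explorer.
# On a re-run the files denied last time cannot be read, so errors are suppressed.
$ErrorActionPreference = "SilentlyContinue"

# Every sub-folder of the current directory is treated as a home folder
$folders = Get-ChildItem | Where-Object { $_.PSIsContainer }

foreach ($folder in $folders)
{
    # desktop.ini is a hidden system file, so -Force is needed to find it
    $desktopIni = Get-ChildItem $folder.FullName -Filter desktop.ini -Force

    if ($desktopIni -ne $null)
    {
         # Read only the access section so Set-Acl does not try to set the owner
         $Acl = (Get-Item $desktopIni.FullName -Force).GetAccessControl("Access")
         $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule `
                   ("groupName","Read","Deny")
         $Acl.SetAccessRule($Ar)
         Set-Acl $desktopIni.FullName $Acl
    }
}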

All you need to do is save this script as a .ps1 file in the directory containing your home folders. If they are split, for example along intake years, you’ll need to do this in each containing folder. So in the example above, you would save it in \\fileserver\Intake2008. Then change groupName to the name of an Active Directory group containing the users you want to see the real names. Open up PowerShell, navigate to the directory containing the script file and then run it.

If you haven’t run PowerShell scripts before, you’ll need to set the execution policy to allow it. I normally use RemoteSigned. Run

help set-executionpolicy

and

help about_execution_policies

in your PowerShell prompt for more information.
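
To confirm that the permissions were actually applied, the following read-only check lists each home folder and whether its desktop.ini carries a Deny Read rule for the group. It is an added example, not part of the original script; it assumes Windows PowerShell, the same groupName placeholder, and an account outside that group, and the function name Get-DenyReadState is made up for the illustration.

```powershell
# Added example (not from the original post): read-only check of the result.
# Run in the directory containing the home folders, as an account that is NOT
# in the denied group; denied accounts cannot read the file's ACL either.
$groupName = "groupName"   # placeholder, same as in the script above

function Get-DenyReadState($path, $group)
{
    $read = [int][System.Security.AccessControl.FileSystemRights]::Read
    $want = ($group -split '\\')[-1]

    try
    {
        # Read only the access (DACL) section, as the main script does
        $acl = (Get-Item $path -Force -ErrorAction Stop).GetAccessControl("Access")
    }
    catch { return "ACL not readable" }

    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules)
    {
        # Identities usually look like DOMAIN\name; compare the name part only
        $name = ($rule.IdentityReference.Value -split '\\')[-1]
        $mask = [int]$rule.FileSystemRights

        if ($rule.AccessControlType -eq "Deny" -and $name -eq $want -and
            ($mask -band $read) -eq $read)
        {
            return "deny rule present"
        }
    }
    return "deny rule MISSING"
}

foreach ($folder in (Get-ChildItem | Where-Object { $_.PSIsContainer }))
{
    # desktop.ini is hidden, so -Force is required to see it
    $ini = Get-ChildItem $folder.FullName -Filter desktop.ini -Force -ErrorAction SilentlyContinue

    if ($ini -eq $null) { $state = "no desktop.ini found" }
    else                { $state = Get-DenyReadState $ini.FullName $groupName }

    New-Object PSObject -Property @{ Folder = $folder.Name; State = $state } |
        Select-Object Folder, State
}
```

Folders reported as "no desktop.ini found" have not yet been opened by their owner from Vista or later, so they will need the main script run again once the file has been created.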

Update 05 April 2011

Removed the use of Get-Acl as Set-Acl then tries to set the owner. Talked about backup operators. Thanks to Jay Hutter for both of those.

Update 16 September 2011

Added $ErrorActionPreference = "SilentlyContinue" at the start. Otherwise an error is thrown when re-running as you don’t have access to the desktop.ini files you modified last time.

  1. Daniel Cumming
    September 24th, 2010 at 16:22 | #1

    Richard,

    This is great! I think I’m almost there. I ran the file through PowerShell and received the error below on all folders. Is there something else I need to change in the script?

    You cannot call a method on a null-valued express
    At D:\2011\brhs.ps1:5 char:210
    + if ($desktopIni -ne $null) { $Acl
    ty.accesscontrol.filesystemaccessrule(“HS Student
    $desktopIni.FullName $Acl }
    + CategoryInfo : InvalidOperation: (
    + FullyQualifiedErrorId : InvokeMethodOnNull

  2. Daniel Cumming
    September 24th, 2010 at 16:55 | #2

    Richard,

    I don’t often use PowerShell so forgive me if I am doing something wrong. I went back and edited the PowerShell file to be spaced out of the amount of lines you used above. I again ran the file and received this shorter message. It did not run and error on all files like it did previously. Is there something in the script I need to change?

    Unexpected token ‘Ar’ in expression or statement.
    At D:\2011\brhs.ps1:8 char:32
    + $desktopIni.FullName $Ar <<<< = New-Object
    + CategoryInfo : ParserError: (Ar:String) [], ParseException
    + FullyQualifiedErrorId : UnexpectedToken

  3. September 25th, 2010 at 00:37 | #3

    Hi Daniel,

    WordPress seems to have eaten the correct spacing. I’ve adjusted it now so please try again.

    Richard

  4. Steve
    September 26th, 2010 at 09:40 | #4

    I keep getting this error, any ideas??

    Set-Acl : The security identifier is not allowed to be the owner of this object.

  5. Michael Collinson
    October 12th, 2010 at 09:38 | #5

    I keep getting the security identifier error too. Has anyone resolved this?

  6. Erik
    November 1st, 2010 at 16:33 | #6

    Instead of using a script you could also just add an extra column to the view of windows explorer called “Filename”

    “View”, “Choose Details…”, activate “Filename” and press “OK”

  7. Ken
    December 1st, 2010 at 22:28 | #7

    @Steve

    I get the same error message. I am fairly certain that the user has to be owner of the folder for redirection to work.

  8. Daniel Russell
    December 11th, 2010 at 20:33 | #8

    What I did to fix the issue was to install FSRM and make a file screen for the share where their home directory is mapped disallowing any ini files. That did the trick for me.

  9. Steve
    December 17th, 2010 at 15:45 | #9

    If you’re denying access to an entire group, doesn’t that include the user you want to see it in many cases?

    For example I have a “students” group, and all of the users are in that group. If I deny access to a file for the “students” group, that will include the user who I want to see it. What am I missing?

  10. Steve
    December 17th, 2010 at 16:11 | #10

    Nevermind, I see what MS is doing.. They assume the user is outside the group (in their example deny access for the admins group).

  11. Cyprian Wyatt
    March 16th, 2011 at 17:08 | #11

    A fourth option is to add the ‘Filename’ column to your Windows Explorer view. Much easier than other options.

  12. Jay Hutter
    March 30th, 2011 at 05:13 | #12

    Steve :i keep getting this error any ideas??
    Set-Acl : The security identifier is not allowed to be the owner of this object.

    There are errors in this code because you are not allowed to do this if you are not the owner of the file/folder. Set-ACL also wants to write the owner even if you have not changed it or don’t want to change it. So you are getting that error because it is trying to change the owner. Instead try this, which will use the GetAccessControl method to specify what part of the security description you want to read (and change).

    Replace

    $Acl = Get-Acl $desktopIni.FullName

    With

    $Acl = (Get-Item $desktopIni.FullName -Force).GetAccessControl("Access")

  13. Jay Hutter
    March 30th, 2011 at 05:30 | #13

    @Jay Hutter
    This script may cause errors if you do what Microsoft say and apply it to administrators if you backup files or try to move them, since you now can’t access the desktop.ini in these folders. Option #1 is what should be done on http://support.microsoft.com/kb/947222

  14. April 5th, 2011 at 14:13 | #14

    Cyprian Wyatt :

    A fourth option is to add the ‘Filename’ column to your Windows Explorer view. Much easier than other options.

    Adding a filename column only works for you though and not everyone else. Most of my work is in schools and quite often they want all teachers to access the student’s home directories.

  15. Bert Vogel
    May 3rd, 2011 at 00:52 | #15

    We got the same problem on one of our servers.
    I am working for a school board, and all the users home drives are set in the folder D:\users (D:\users\students, D:\users\staff, D:\users\admin staff)
    This program is using xcacls.vbs
    I wrote this vbs script and it’s working well on a 2003 server. It’s well commented and you should not have any problems to follow my code.
    This program runs from the command prompt with or without argument:
    c:\: will run to the default folder hard coded in the program (defpath)
    c\:\ d:\other users: will run on the folder d:\other users.

    Here is the code (tested and working):

    '**********************************************************************************
    '* Bert, April 30 2011 *
    '* To prevent administration group to read desktop.ini inside a user Home Drive. *
    '* Reading desktop.ini prevents to display the right folder name *
    '*(ie: displaying My music, My Documents or My video in stead of the folder name) *
    '* Usage: At the cmd prompt > DRD.vbs *
    '* if no argument is passed, the default path (defpath) *
    '* will be selected to apply the restriction setup *
    '**********************************************************************************

    Option Explicit
    Dim strFolderToSearch, strfolder, WshShell, objRootFolder, objFolder, colSubfolders, strOutput, objFSO, _
        strxcacls, arg, x, y, filesys, filetxt, defpath, usersarray()
    Set Arg = Wscript.Arguments
    x = 0
    y = 1
    Const ForReading = 1, ForWriting = 2, ForAppending = 8

    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '+ Beginning of custom settings +
    '++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    '**********************
    '* Location of xcacls *
    '**********************
    strxcacls = "c:\xcacls.vbs"

    '******************************************************************************************
    '* Path for the default user's folders (if no argument is passed from the command prompt) *
    '* This will be used when running as a scheduled task *
    '******************************************************************************************
    Defpath = "D:\users"

    '+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    '+ End of custom settings +
    '+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    Set WshShell = WScript.CreateObject("WScript.Shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set filesys = CreateObject("Scripting.FileSystemObject")

    'Deleting the previous batch file
    If filesys.FileExists("c:\changeACL.bat") Then
        filesys.DeleteFile "c:\changeACL.bat"
    End If

    'Creating an empty batch file
    Set filetxt = filesys.OpenTextFile("c:\changeACL.bat", ForAppending, True)

    'Checking if the user's folder has been passed to the program.
    'If yes, take arg.item(0) as a folder to apply the permissions
    'if no use the default path (Defpath) defined earlier.
    If Arg.count = 0 then
        set objRootFolder = objFSO.GetFolder(Defpath)
    Else
        Set objRootFolder = objFSO.GetFolder(arg.item(0))
    End If

    set colsubfolders = objRootFolder.subfolders

    'Find Group folders under users folder and store it into an array
    For each objfolder in colSubfolders
        x = x + 1
        ReDim Preserve usersarray(x)
        usersarray(x) = objfolder
    next

    'Find user's folders for each group stored in the array, create the command line and copy it to a batch file.
    for y = y to x
        Set objRootFolder = objFSO.GetFolder(usersarray(y))
        Set colSubfolders = objRootFolder.SubFolders

        For Each objFolder in colSubfolders
            strfolder = usersarray(y) & "\" & objfolder.name
            '**********************************************************************************************************
            '* The following is copied to changeACL.bat to remove the read right of the INI file *
            '* (/R user Revoke specified user's access rights.) *
            '* The path is wrapped in quotes (chr(34)) so that folder names containing spaces are passed intact *
            '* here is an example: cscript c:\xcacls.vbs "D:\users\admin staff\1adm\desktop.ini" /D "Domain Admins":R *
            '**********************************************************************************************************
            filetxt.WriteLine(strOutput & "cscript " & strxcacls & " " & chr(34) & strfolder & _
                "\desktop.ini" & chr(34) & " /D " & chr(34) & "Domain Admins" & chr(34) & ":R" & vbCrLf)
        Next
    next

    filetxt.Close

    'Running the batch file to set restriction
    WshShell.Run("c:\changeACL.bat"),1,True
    'If an argument was passed to the command line, tell the user that the process ended successfully
    if Arg.count > 0 then
        Wscript.echo "User's folders located in " & objRootFolder & " have been successfully processed"
    End If

  16. Bob Marks
    September 28th, 2011 at 11:04 | #16

    Have never used powershell before but copied and pasted the script into a ps1 file. Changed the word groupName to StaffTemp which is the group I made to test this (the staff want to know whose documents relate to each user) then I ran powershell as an administrator, did “Set-ExecutionPolicy RemoteSigned”, located the ps1 folder which I had placed in the root of where all the Documents folders were and ran it by running .\scipt.ps1
    It just went to the next line and nothing happened! No desktop.ini file was changed. Help! What am I doing wrong?
    Thanks

  17. Stein
    October 3rd, 2011 at 18:24 | #17

    I love powershell and the issue can be resolved by using it but I solved it by using a simple batch file.

    Just add a logon script (.bat) on the GPO that you used for folder redirection:

    %windir%\system32\icacls.exe %homedrive%\Desktop.ini /deny "Domain Admins":r

    For further information see:

    http://salfischberger.blogspot.com/2011/09/homedirectory-naamprobleem-na.html

    It’s in Dutch, but the screenshot should say it all ;)

  18. Gavin
    October 31st, 2011 at 10:46 | #18

    Denying Domain admins could have a negative effect on processes such as backup routines which rely on admin accounts to access files and folders.

    We worked around the problem by initially replacing all the desktop.ini files with empty copies. The permissions of these files were then changed to deny write access to the user thus leaving all higher level admin permissions intact.

  19. November 18th, 2011 at 00:46 | #19

    @Gavin
    Backup routines should have their own user to run as, not a standard user account. Just don’t deny those accounts.

  20. February 6th, 2012 at 15:43 | #20

    Would setting the desktop.ini files in all the directories to blank, and then setting them as Read Only do the trick?

  21. September 19th, 2012 at 09:08 | #21

    Should do.

  23. raiderdave
    March 14th, 2014 at 05:28 | #23

    @Erik Oh my God, Erik! These guys are talking about scripting and you just did this simple folder view change and it looks like it should! Thanks so much!

  24. March 14th, 2014 at 10:14 | #24

    That only works on an individual basis though. It’s no good for all teachers in a school needing to see all students’ home directories.
