How To Stop Home Folders Being Renamed Documents in the Network Share

I’ve recently had a number of queries about why everyone’s home folders have been renamed to Documents in the network share they reside in.


This obviously makes finding a particular users home folder difficult, especially in schools where administrators and teachers regularly look in the home folders.

This is a feature of Windows Vista, Windows 7 & Server 2008. A desktop.ini file is created when the user first accesses their home folder to give it a friendly display name of Documents and a custom icon. This is to make it look pretty and stand out when viewed under your profile in Windows Explorer.

However, the side effect is as above. Whenever anyone else views the folder, and this will normally be in the context of the network location it is stored, their Explorer will also read the desktop.ini file to get display information and give the impression that there are multiple folders called Documents.

As it’s only the display name which is changed you can still navigate into the folder by typing in the name in the address bar, which will auto-complete properly, but it’s not ideal.

The desktop.ini file is a hidden system file so you won’t see it unless you have your setting set up to view system files so unless you know what’s happening it can seem very mysterious.

Microsoft have a knowledge base article about this at

In it, it suggests 3 options for stopping this behaviour.

1.    Put the home folder in a wrapper folder which is called the user’s username, but point the Active Directory attribute to the folder within it.

2.    Give the user exclusive rights to the folder.

3.    Deny read permission to the desktop.ini file in the home folder to other users. Then they won’t be able to read the display information and the name won’t change.

In a school environment, where there are legitimate reasons for other users to go into the students’ home folders option, 2 isn’t an option. Both 1 & 3 work nicely, but 3 seems cleaner to me as it doesn’t require any extra folders creating just to get round a display issue.

I’ve knocked up a quick PowerShell script to automate setting the permissions on the desktop.ini files. Note the groupName below should be changed to the name of an Active Directory group you want to be able to view the real folder names. Be careful that this group doesn’t include any back up process opoerators or backups could fail.

$folders = Get-ChildItem | where-object {$_.psiscontainer};

foreach ($folder in $folders)
    $ErrorActionPreference = "SilentlyContinue"
    $desktopIni = Get-ChildItem $folder -Filter desktop.ini -Force

    if ($desktopIni -ne $null)
         $Acl = (Get-Item $desktopIni.FullName -Force).GetAccessControl("Access")
         $Ar = New-Object `
         Set-Acl $desktopIni.FullName $Acl

All you need to do is save this script as a .ps1 file in the directory containing your home folders. If they are split for example along intake years, you’ll need to do this in each containing folder. So in the example above, you would save in \\fileserver\Intake2008. Then change groupName to the name of an Active Directory group containing the users you want to see the real names. Open up PowerShell and navigate to the directory containing the script file and then run it.

If you haven’t run PowerShell scripts before you’ll need to set the execution policy to allow it, I normally use RemoteSigned. Run

help set-executionpolicy


help about_execution_policies

in your PowerShell prompt for more information.

Update 05 April 2011

Removed the use of Get-Acl as Set-Acl then tries to set the owner. Talked about back up operators. Thanks to Jay Hutter for both of those.
Update 16 September 2011

Added $ErrorActionPreference = “SilentlyContinue” at the start. Otherwise an error is thrown when re-running as you don’t have access to the desktop.ini files you modified last time.

32 thoughts on “How To Stop Home Folders Being Renamed Documents in the Network Share

  1. Richard,

    This is great! I think I’m almost there. I ran the file through PowerShell and recieved the error below on all folders. Is there something else I need to change in the script?

    You cannot call a method on a null-valued express
    At D:\2011\brhs.ps1:5 char:210
    + if ($desktopIni -ne $null) { $Acl
    ty.accesscontrol.filesystemaccessrule(“HS Student
    $desktopIni.FullName $Acl }
    + CategoryInfo : InvalidOperation: (
    + FullyQualifiedErrorId : InvokeMethodOnNull

  2. Richard,

    I don’t often use PowerShell so forgive me if I am doing something wrong. I went back and edited the PowerShell file to be spaced out of the amount of lines you used above. I again ran the file and recieved this shorter message. It did not run and error on all files like it did previously. Is there something in the script I need to change?

    Unexpected token ‘Ar’ in expression or statement.
    At D:\2011\brhs.ps1:8 char:32
    + $desktopIni.FullName $Ar <<<< = New-Object
    + CategoryInfo : ParserError: (Ar:String) [], ParseException
    + FullyQualifiedErrorId : UnexpectedToken

  3. Hi Daniel,

    WordPress seems to have eaten the correct spacing. I’ve adjusted it now so please try again.


  4. i keep getting this error any ideas??

    Set-Acl : The security identifier is not allowed to be the owner of this object.

  5. I Keepp getting the security identifier error too. Has anyone resolved this?

  6. Instead of using a script you could also just add an extra column to the view of windows explorer called “Filename”

    “View”, “Choose Details…”, activate “Filename” and press “OK”

  7. @Steve

    I get the same error message. I am fairly certain that the user has to be owner of the folder for redirection to work.

  8. What I did to fix the issue was to install FSRM and make a file screen for the share where their home directory is mapped disallowing any ini files. That did the trick for me.

  9. If you’re denying access to an entire group, doesn’t that include the user you want to see it in many cases?

    For example I have a “students” group, and all of the users are in that group. If I deny access to a file for the “students” group, that will include the user who I want to see it. What am I missing?

  10. Nevermind, I see what MS is doing.. They assume the user is outside the group (in their example deny access for the admins group).

  11. A fourth option is to add the ‘Filename’ column to your Windows Explorer view. Much easier then other options.

  12. Steve :i keep getting this error any ideas??
    Set-Acl : The security identifier is not allowed to be the owner of this object.

    There are errors in this code because you are not allowed to do this if you are not the owner of the file/folder. Set-ACL also wants to write the owner even if you have not changed it or don’t want to change it. So you are getting that error because it is tring to change the owner. Instead try this which will use the GetAccessControl method to specify what part of the security description you want to read (and change)


    $Acl = Get-Acl $desktopIni.FullName


    $Acl = (Get-Item $desktopIni.FullName -Force).GetAccessControl(“Access”)

  13. Cyprian Wyatt :

    A fourth option is to add the ‘Filename’ column to your Windows Explorer view. Much easier then other options.

    Adding a filename column only works for you though and not everyone else. Most of my work is in schools and quite often they want all teachers to access the student’s home directories.

  14. We got the same problem on one of our servers.
    I am working for a school board, and all the users home drives are set in the folder D:\users (D:\users\students, D:\users\staff, D:\users\admin staff)
    This program is using xcacls.vbs
    I wrote this vbs script and it’s working well on a 2003 server. Its well commented and you should not have any problems to follow my code.
    This program runs from the command prompt with or without argument:
    c:\: will run to the default folder hard coded in the program (defpath)
    c\:\ d:\other users: will run on the folder d:\other users.

    Here is the code (tested and working):

    ‘* Bert, April 30 2011 *
    ‘* To prevent administration group to read desktop.ini inside a user Home Drive. *
    ‘* Reading desktop.ini prevents to display the right folder name *
    ‘*(ie: displaying My music, My Documents or My video in stead of the folder name) *
    ‘* Usage: At the cmd prompt > DRD.vbs *
    ‘* if no argument is passed, the default path (defpath) *
    ‘* will be selected to apply the restriction setup *

    Option Explicit
    Dim strFolderToSearch, strfolder, WshShell, objRootFolder, objFolder, colSubfolders, strOutput, objFSO,_
    strxcacls, arg, x, y, filesys, filetxt, defpath, usersarray()
    Set Arg = Wscript.Arguments
    x = 0
    y = 1
    Const ForReading = 1, ForWriting = 2, ForAppending = 8

    ‘+ Begining of custom settings +

    ‘* Location of xcacls *
    strxcacls = “c:\xcacls.vbs”

    ‘* Path for the default user’s folders (if no argument is passed from the command prompt) *
    ‘* This will be used when running as a scheduled task *
    Defpath = “D:\users”

    ‘+ End of custom settings +

    Set WshShell = WScript.CreateObject(“WScript.Shell”)
    Set objFSO = CreateObject(“Scripting.FileSystemObject”)
    Set filesys = CreateObject(“Scripting.FileSystemObject”)

    ‘Deleting the previous batch file
    If filesys.FileExists(“c:\changeACL.bat”) Then
    filesys.DeleteFile “c:\changeACL.bat”
    End If

    ‘Creating the an empty batch file
    Set filetxt = filesys.OpenTextFile(“c:\changeACL.bat”, ForAppending, True)

    ‘Checking if the user’s folder has been passed to the program.
    ‘If yes, take arg.item(0) as a folder to apply the permissions
    ‘if no use the default path (Defpath) defined earlier.
    If Arg.count = 0 then
    set objRootFolder = objFSO.GetFolder(Defpath)
    Set objRootFolder = objFSO.GetFolder(arg.item(0))
    End If

    set colsubfolders = objRootFolder.subfolders

    ‘Find Group folders under users folder and store it into an array
    For each objfolder in colSubfolders
    x = x + 1
    ReDim Preserve usersarray(x)
    usersarray(x)= objfolder

    ‘Find user’s folders for each group stored in the array,create the command line and copy it to a batch file.
    for y = y to x
    Set objRootFolder = objFSO.GetFolder(usersarray(y))
    Set colSubfolders = objRootFolder.SubFolders

    For Each objFolder in colSubfolders
    strfolder = usersarray(y)& “\” &
    ‘* The following is copyied to changeACL.bat to remove the read right of the INI file *
    ‘* (/R user Revoke specified user’s access rights.) *
    ‘* here is an example: cscript c:\xcacls.vbs D:\users\admin staff\1adm\desktop.ini /D “Domain Admins”:R *
    filetxt.WriteLine(strOutput & “cscript ” & strxcacls & ” ” & strfolder &_
    “\desktop.ini /D ” &chr(34) & “Domain Admins” &chr(34) & “:R” & vbCrLf)


    ‘Running the batch file to set restriction
    ‘If an argument was passed to the command line, tell the user that the process ended successfully
    if Arg.count > 0 then
    Wscript.echo “User’s folders located in ” & objRootFolder & ” have been successfuly processed”
    End If

  15. Have never used powershell before but copied and pasted the scipt into a ps1 file. Changed the word groupName to StaffTemp which is the group I made to test this (the staff want to know whos documents relate to each user) then I ran powershell as an administrator, did “Set-ExecutionPolicy RemoteSigned”, located the ps1 folder which I had placed in the root of where all the Documents folders were and ran it by running .\scipt.ps1
    It just went to the next line and nothing haappened! no desktop.ini file was changed. Help! What am I doing wrong?

  16. Denying Domain admins could have a negative effect on processors such as backup routines which rely on admin accounts to access files and folders.

    We worked around the problem by initally replacing all the desktop.ini files with empty copys. The permissions of these files were then changed to deny write access to the user thus leaving all higher level admin permissions intact.

  17. Would setting the desktop.ini files in all the directories to blank, and then setting them as Read Only do the trick?

  18. @Erik Oh my God, Erik! These guys are talking about scripting and you just did this simple folder view change and it looks like it should! Thanks so much!

  19. That only works on an individual basis though. It’s no good for all teachers in a school needing to see all students home directories.

  20. I required a solution which would allow me to both block inheritance on this file but also allow for our Service Desk to delete or move the file when a user Home Drive is to be relocated or archived. It involves providing only TAKE OWNERSHIP, CHANGE PERMISSIONS and DELETE access to the file (after 1st removing previous access):

    $folders = Get-ChildItem | where-object {$_.psiscontainer};

    foreach ($folder in $folders)
    $ErrorActionPreference = “SilentlyContinue”
    $desktopIni = Get-ChildItem $folder -Filter desktop.ini -Force

    if ($desktopIni -ne $null)
    $Acl = (Get-Item $desktopIni.FullName -Force).GetAccessControl(“Access”)
    $acl.SetAccessRuleProtection($True, $True)
    $Ar = New-Object `
    $Ar = New-Object `
    Set-Acl $desktopIni.FullName $Acl
    $Ar = New-Object `
    (“”,”TakeOwnership, Delete, ChangePermissions”,,,”Allow”)
    Set-Acl $desktopIni.FullName $Acl

    #Along with configuring File screening on DESKTOP.INI, I have found this to be the optimal solution .

  21. Thanks for the info, but i did what Bob Marks did (Comment = September 28th, 2011 at 11:04 | #16) except i set “Set-ExecutionPolicy Unrestricted” then ran the script both as .\scipt.ps1 but the only thing that happens is it returns to the next line.
    When i check on permission they have not changed.

    Any suggestions?

Leave a Reply

Your email address will not be published. Required fields are marked *