Re: Folder Redirection and Permissions
Hey Guys,
I think i;m starting to understand the concept here about start menu
redirection and maybe if I outline what it is I want to achieve you guys can
point me to how to do it. So here goes..
I would like to redirect all allowable folders.... So for start menu I would
like to redirect everyones to the same location. All Users of the TS Cluster
should be able to access all software installed on the TS servers. They
should not be able to install any (and I believe they cant as they are only
members of the RDU group - i'll test this to be sure).
My TS Servers are in an OU of their own. On that OU is 2 GPOs... A machine
GPO with settings such TS configurations (Session Directory, LoopBack=Replace
etc) and a User GPO (filtered to the same Domain Group added to the Local RDU
group), this GPO has the redirection settings...
So this is my issue if I use the 'Basic - Redirect everyone's folder to the
same location' setting and specify the network location as
\\NAS\Share\TerminalServices\StartMenu
and permission this to only allow read and execute to Domain User Group
(that is a member of the Local RDU Group)... how will that redirected start
menu update itself when an admin comes along and adds another piece of
software... Effectively does that update to the software hosted on the server
even matter to the redirected folder in this case?
Let me give my reasoning...
1) All users use a redirected Start Menu (that has been copied and pasted
from a given start menu, any start menu of the server will do I guess, even
ALL USERS). Permission to this is granted for only read and execute.
2) Admin comes along and adds a bit of software. The software writes a
shortcut to the ALL USERS start menu on the local TS Server. Admin does this
on each TS Server in the cluster. Therefore each ALL USERS folder on each TS
Server gets the new shortcut to the start menu for the new software installed.
3) User logs on... pulls their read only start menu from the network
location (which i believe will NOT have the new shortcuts to the new
software) and at this point, does the local ALL USERS start menu also merge
with this network located start menu to give the user shortcuts to all
applications hosted on the machine?
In essence, what I'm saying is, in my situation do I even need to redirect
the start menu? I guess I am relying on the fact that each bit of software
installed adds a shortcut to the Local ALL USERS start menu so all users
logging in can access neccessary software. If a bit of software does not
write to the ALL USER area, then I guess I would have to paste a shortcut in
there myself into EITHER the ALL USERS local start menu OR the Redirected
Start Menu.
I am also assuming I would only need to mess about with Start Menu
redirection when different group of users are supposed to have different sets
of start menus. In which case, wont I need to ensure the ALL USERS area NEVER
gets written to? and control which shortcuts go into which groups of users
Start Menu manually by editing the network location of these redirected Start
Menus.... as this in this controlled state, if the ALL USERS menu is always
merged in, those software shortcuts might have to be hidden to some groups of
users
If I haven't confused you... please do let me know, if I have a point
Lozza
Lozza
"Vera Noest [MVP]" wrote:
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote
> on 25 feb 2008 in microsoft.public.windows.terminal_services:
>
> > lozza <lozza@discussions.microsoft.com> wrote:
> >> Hey Lanwench,
> >>
> >> Thanks for response. As soon as I have figured out what I dont
> >> understand I will post. I think i'm struggling around the
> >> permissions of the share this folder is redirected to, whether
> >> one user changing the start menu will affect all users
> >
> > No - each user gets his/her own.
>
> Well, that depends on how you configure it.
> I have always used a single read-only redirected start menu. Users
> cannot change anything there.
>
> >> and how to update the redirected
> >> start menu when installing new programs...
> >
> > That should be the "all users" not the user's start menu bits.
>
> That also depends. You can create different start menus for
> different user groups, and then you certainly don't want to put
> things in the All Users profile. Check here:
>
> How can I configure different TS desktops, based on user group
> membership?
> http://ts.veranoest.net/ts_faq_configuration.htm#desktopredirection
>
> You can update the start menu and the All User profile by simply
> copying the necessary folders and shortcuts into it. You just have
> to make sure that the permissions are correct (Read + Execute will
> do in most cases).
>
>
> >> so new program groups are
> >> visible, and how to go about managing this without causing a
> >> nightmare for our support staff.
>
> If all users share the same read-only Start Menu, your support
> staff will have little to do in this area.
>
> > This would be good to test before deploying - you're wise to be
> > cautious.
> >>
> >> Thank you for confirming the procedure for me
> >>
> >> I will check the article out you supplied. One last thing you
> >> say :
> >>
> >> "You won't be using roaming profiles per se as these are TS
> >> users (but you do need to specify dedicated TS profile paths
> >> for everyone in their ADUC properties). As in,
> >> \\fileserver\tsprofiles$\%username%."
> >>
> >> I am using Group Policy... Machine Policy. To set the path
> >> CC\AT\WC\Terminal Services\Set Path for TS Roaming Profiles.
> >> And pointing this to the network location
> >> \\NAS\Share\TerminalServices\UserProfiles (Allowing the GPO to
> >> append the %username% folder)... I assume this has the same
> >> effect?
> >
> > Yes....check out the link.
> >>
> >> Thanks Again... hope what I am saying is making sense.
> >> Lozza
> >>
> >> "Lanwench [MVP - Exchange]" wrote:
> >>
> >>> lozza <lozza@discussions.microsoft.com> wrote:
> >>>> Hey Guys,
> >>>>
> >>>> Okay for th first part of my question... I have just found :
> >>>> http://support.microsoft.com/kb/274443
> >>>>
> >>>> Could an expert confirm this is correct procedure?
> >>>
> >>> I don't know if I'm an expert, but yes, it's the correct
> >>> procedure.
> >>>>
> >>>> I am still working on the second question regarding the
> >>>> controlling of the start menu through GP...so any help would
> >>>> be great! this somewhat confuses me. In fact the whole
> >>>> redirection of start menu confuses me, however I cannot think
> >>>> of a suitable question to ask that will assist me in
> >>>> understanding this... i;m sure i will soon enough 
> >>>
> >>> I don't redirect the Start Menu, myself (I do MyDocs,
> >>> Application Data, Desktop), but you certainly can. What
> >>> exactly are you having trouble with?
> >>>
> >>> Check out
> >>> http://www.windowsnetworking.com/articles_tutorials/Profile-Fol
> >>> der-Redirection-Windows-Server-2003.html for a good start. You
> >>> won't be using roaming profiles per se as these are TS users
> >>> (but you do need to specify dedicated TS profile paths for
> >>> everyone in their ADUC properties). As in,
> >>> \\fileserver\tsprofiles$\%username%.
> >>>
> >>>>
> >>>> Lozza
> >>>>
> >>>>
> >>>>
> >>>> "lozza" wrote:
> >>>>
> >>>>> Hi Guys,
> >>>>>
> >>>>> Currently have a NAS device with a root share that everybody
> >>>>> uses... \\NAS\Share. This is at present configured for
> >>>>> everyone full control. Which i believe is the source of my
> >>>>> problems... Under this Folder I have created
> >>>>> \\NAS\Share\TerminalServices. I have not created a separate
> >>>>> share for the TerminalServices folder as it is accessible
> >>>>> via \\NAS\Share. This is where I have redirected all my
> >>>>> folders to. However it seems all users can access each
> >>>>> others Redirected folders. Could you guide me as to what
> >>>>> Share and Security permissions are required on the share
> >>>>> \\NAS\Share\TerminalServices to ensure these folders are
> >>>>> locked down and the system is able to create these
> >>>>> redirected folders with permissions for the user only? I
> >>>>> dont want to pre-create everyones folders as there are so
> >>>>> many users...
> >>>>>
> >>>>> Also I am difficulty understanding Start Menu redirection...
> >>>>> from :
> >>>>> http://technet2.microsoft.com/windowsserver/en/library/2b2487
> >>>>> 2a-05ca-41be-9887-33acc87a20561033.mspx?mfr=true
> >>>>>
> >>>>> It states "As a best practice for Windows XP-based
> >>>>> computers, do not use Folder Redirection to redirect the
> >>>>> Start Menu folder; instead, use Group Policy to control what
> >>>>> appears on the Start Menu" - How can one use Group Policy to
> >>>>> control what shortcuts/folders appear in a users start menu?
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>