Tuesday, October 16, 2007

Folder Redirection: Not to the user's home directory

I remembered a problem I had during the development of my Folder Redirection solution that I think you should know about. It's a problem that you might not notice during testing but that can really get you once you roll out to many users.

For those of you just joining us, you will want to be familiar with User Files Folders (Introducing the User Files Folders!). Some other useful background reading from my site is User Files Folders and the Desktop.INI and Folder Redirection: Specifying a target share. I will be building on some of the lessons learned in those articles. Now let's get started...

In my past articles I discussed how to redirect User Files Folders to a target, but I didn't really talk about what target to choose. I think it was typical for most of us in the XP days to redirect the My Documents folder (which was the parent Personal Folder) to the root of the user's network drive - H: in my case. The inclination will be for you to want to do the same thing in Vista. This inclination is further re-enforced by Microsoft who provide you with the Redirect to the user's home directory GPO. This GPO basically redirects the Documents folder to the user's Home Path specified in AD without any further configuration details required. -- I'm here to tell you not to use this GPO!

If you try using that GPO, everything will look like it works just fine and your tests will tick along beautifully. But try redirecting folders for multiple user accounts whose Home Paths exist in the same network share (i.e. \\server\share\FRTest & \\server\share\SRDTest01). Then take a look at the share that houses these Home Paths. In my example I had a third account called SRDTest02 for whom I did not configure folder redirection. When I browsed to \\server\share, this is what I saw:

Twins! The two users who received Folder Redirection to their Home Path got the folders renamed to Documents! There isn't even a unique identifier like "(1)" after the name - I have two folders named Documents. Now imagine how you would handle seeing 500 of these side-by-side.

Have you figured out what happened yet? Do the green icons give you a clue? It's the Desktop.INI doing its job folks! By implementing the GPO, you have specified that the user's home folder will be the documents folder. The redirection brought along all the Documents folder files - including the Desktop.INI which specifies that the folder is to be named Documents - and so it is.

Because the Desktop.INI is specifying a "Friendly" name, Vista is quite happy to show you 500 aliases with the same friendly name - there is no need for it to add unique identifiers because the underlying folder is unique. But this causes us admins a bit of a problem doesn't it. Here's a little test for you. See if you can figure out what the real underlying name of the folder is? I have not found any GUI interface (Explorer, etc.) that is willing to show me anything other than the friendly name. Viewing the properties or browsing by typing in real paths does not reveal any secrets. The only method I have found is to look at the folders from a CMD prompt. The CMD prompt does not interpret the Desktop.INI. - Here's what I saw:

Finally some information I can use!

"How do I fix this?", you ask. There are two things you can do and they both involve the Desktop.INI. One solution is to simply delete the file so that Vista isn't told to use a friendly name. Another might be to edit the Desktop.INI and hard-code the folder name so that it matches the user's account name and you get to keep the associated icon. Both solutions might fix a current predicament but they are not very practical for the long term. The only real solution is to avoid the problem in the first place. Don't use the Redirect to the user's home directory GPO.

Also, if you are redirecting with other methods such as the Redirect to the following location GPO, ensure that you continue to avoid the root of the user's home path. Pick a more suitable target such as \\server\share\FRTest\Documents. It is important that you never end up with a folder structure where a single folder contains a bunch of redirected Users Files Folders of the same type (i.e. Pictures). There is one thing I have come to terms with for my Vista implementation. It is not possible to give my user an identical experience to XP - changes are coming for my users and they are going to feel it.

That concludes the instructional portion of this article. Feel free to stick around for the geeky analysis portion...

I got to wondering how this problem could occur and how Microsoft didn't notice it before releasing Vista. I think I came up with an answer. Let me know what you think of this theory:

If you remember back to my article, User Files Folders and the Desktop.INI, we know a few things:

  • "Documents" is a Friendly Name created on the fly by passing Shell32 a folder ID number.
  • XP also understands this number but comes up with the Friendly Name "My Documents".
  • Vista no longer adds the "Owner" property to the Desktop.INI like XP did.
I think the whole thing can be traced back to XP where everything was working fine and probably a last minute change to Vista caused it all to fall apart...

Although XP can understand the LocalizedResourceName that holds the folder ID Number for Shell32, we have never seen it actually implemented in XP. If you look at the offending folders above using XP, you will see that it is also willing to show you two "My Documents" folders. Now add a missing XP element to the Desktop.INI. Specify the owner of each folder (be unique). Now look again. Suddenly XP springs to life and shows you unique folders! - namely, "FRTest's Documents" and "SRDTest01's Documents". When XP detects that the current user is the owner of a folder it is looking at, it uses the prefix "My", otherwise it uses the owner's name as a prefix.

Had XP been implementing the LocalizedResourceName, it would have done it correctly. With Vista, the developers have removed the prefix "My" - and with it any chance that Vista will be able to provide any unique friendly names. We are left with a reduced set of options when designing our folder structures. I don't see any easy way out of this problem for Microsoft. I think we are stuck with it. One change that might help a little is if Microsoft was to add an option to Windows Explorer that would allow us admins to "hide the Friendly Name" in much the same way we hide file extensions now. This change would also help me when dealing with users who are using an alternate GUI language -- are you listening Microsoft?


Dan said...

We are running into this very issue - though I was not using the reidirect to home directory, I was using the other GPO to redirect to the home directory - with over 3000 vista users I didnt notice the problem until its too late. The only solution I have is to create container folders for all the users, move the doc folders inside those and change the folder redirection... And cross my fingers and hope it all works out.. My biggest concern and the thing that REALLY blows up in testing this fix is Offline files... Since most of my users use offline files this presents a HUGE problem. Anywho - the only good fix i guess, is make sure the users are fully synced, and then flush the Offline cache, create the GPO changes and force them to the client... It sucks all the same. Do you have any other suggestions And FYI the other odd thing I am seeing is that for some reason the desktop.ini for alot of my users is becomming corrupt, and taking on the "name" of another users docs (IE a user changes her "documents" to "My Filez" then for some reason another user logs into that machine and their "documents are now "My Filez" and same on the win2003 server side of thins... - I am still trying to figure out what is causing this.

you can email me at dbaker at ursulinestl dot org

Gordon Martin said...

Hi Dan,

I guess it's not a lot of fun to hear "Yep, I think you've got a problem thar!". But that is about all I can offer. My only hope is that while you are here you will learn about other problems you can avoid in the future.

In answer to your question, having a container folder is the easiest solution if you can get there from here. I wasn't aware that changing the folders around would have a negative impact of Offline Files. I'm guessing that you are thinking that if the partnership gets changed to a new path, that Vista will lose track of things... I have no experience in this regard. I was hoping that Vista would be smart enough to take care of itself - maybe diconnect from the old partnership and connect to the new one and then eventually clean up the old one in the future. Let us all know what your experience ends up being. (Feel free to update us here, or if you have a lot to write, send it to my e-mail and I can credit you with a resulting article.)

Another option for you might be to attack the Desktop.ini files - particularly if they are corrupting. It would be a simple matter to write a script that forces a name for the folders like "Dan's Documents" or something. - Of course, this would break the bilingualism features of the Desktop.ini. But maybe that doesn't matter to you.

If you figure out anything regarding the corruption issue, e-mail me and we can come up with an article for it.

Anonymous said...

A possible for you

Gordon Martin said...

Thanks for the link anonymous! It's nice to see that Microsoft has provided some additional advice on the problem. I'm already committed to my solution and so will be unable to test it, but if anyone else has luck with this, please post your results for everyone.

I do have some comments though...

1) Granting exclusive rights will only work if you let the GPO create the folder. It will not work if the folder has already been created or if someone is already experiencing the problem.

2) The exclusive rights trick works by preventing the administrator from being able to see the contents of each user's folder - including the Desktop.ini file that causes the problem. But the problem is evident again the minute you do grant admin access in order to fix something for a user. It also means that users will be unable to share data with one-another (some organizations like doing this sort of thing).

Dave said...

Gordon - great article and one of the few that I have found close to my issue. This is more simplistic that the environment you have but is a pain nevertheless.

I have moved my Documents folder from c:\ to d:\ through the LOCATION tab in the properties menu. It worked well for most of my 11 DOCUMENTS folders however the VIDEO and PICTURES folders are duplicated. The first icon for Pictures is the regular green icon and the second one is a yellow folder. I can delete the yellow folder (there is nothing in it) but it will return when I reboot the machine. Weird. I am fairly new to Vista but have done this before in 2000/XP with no problem. Any ideas on how this nuisance might be remedied?

Much thanks,

PS - Also a consultant in Ottawa - see you around the Feds some day!

Gordon Martin said...

The Video and Pictures folders are different from all the others (at least a little). In XP the folders were stored as children of the Documents folder. If you kept this structure alive in Vista then you would get a duplication of folders. This is because the User Files Folder would show the ones in the location you specified and the Documents folder would show it to you again since it would still be found under that folder as well.

Also, the Vista GPO for those two folders is a little different. It has an option that acknowledges that old relationship in XP. It offers to make the folders children of the Documents folder or something. I know I got unpredictable results when I tried that option. - Take a look, you'll see what I mean.

Johan said...

I am having the exact same issue, we took over an environment and that has indeed 50 "Documents" folders.

The quick fix is good old total commander which shows the usernames, but what is the quickest way to repair this, rebuild the policy in a good way? Have you since your encounter receive any quick fix that shows the folder names within explorer.

Gordon Martin said...

There isn't really any new information on this topic - Microsoft hasn't offered any solutions to these problems. I'm waiting to see what Windows 7 does.

Thankfully you only have 50 users so a manual process isn't out of the question.

You just need to create a subfolder for the documents under each user's home folder, move all the data to it and add the folder to the path in the GPO. (Make sure the Move Data option in the GPO isn't set or you'll have more problems.)

Anonymous said...

It`s an easy fix for this..

Like my environment i have 50 diferent companyes on a citrix farm, and i do not want to mix their homefolder with several companies, and i do not want to have to edit the GPO each time we get a new contract and making a share for a new company and using the "advanced" with groups folder redirection.

Make one gpo, use "redirect to users home folder"

and make a logon scripts that executes this command:
%windir%\system32\icacls.exe %homedrive%\Desktop.ini /deny "Domain Admins":r

Deny admin read access for the Desktop.ini will solve the problem, and keep the administration of new companies easy.