Dan Holme - All Comments

What a difference three years makes: SharePoint 2010 revealed beta club

What a difference three years makes: SharePoint 2010 revealed beta club — Mon, 19 Oct 2009 21:10:52 GMT

Pingback from What a difference three years makes: SharePoint 2010 revealed beta club

Redirect Favorites Folder for XP using Windows 2008 GPO or SBS2008

Computer Troubleshooters — Thu, 08 Oct 2009 23:09:28 GMT

Redirect Favorites Folder for XP using Windows 2008 GPO or SBS2008

re: User Data & Settings (Connections 2008)

typeoneg — Mon, 02 Mar 2009 13:10:29 GMT

Hey Dan,

Thx for the response.

I have checked in the registry for those settings. Here is an example for PERSONAL: \\ei-ie.local\usersei\testmc\Documents

The security settings are all ok to me.

Can I maybe upload some pictures of these settings to u?

Wim

re: User Data & Settings (Connections 2008)

danholme — Mon, 02 Mar 2009 05:50:22 GMT

Hello, Greets!

I'm not sure what could be going wrong for you... It definitely "works as advertised" . Please go to one of your clients that you've configured, go to REGEDIT, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserShellFolders and look at the values there for PERSONAL (which is "documents'), DESKTOP & FAVORITES. Do they really look right to you? Are the permissions correct?

re: User Data & Settings (Connections 2008)

typeoneg — Fri, 27 Feb 2009 16:09:33 GMT

Hey Dan,

I have recently implemented your solution for roaming profiles and offline files with the usage of redirection.

But i have some problems now.

In vista explorer all the special icons of the folders desktop, documents, favourites, music, pictures and videos.

(All the folders for which i have created a dfs share.) These folders are just showing as a yellow folder with a shortcut icon.

Also the favourites links are not working.

Is there something which i could i have done wrong?

I followed all of your instructions like u explained in your book.

Great if you would give me helping hand here.

Greets

BPSPC: Nuts and Bolts Governance - Practical Application of the Concepts with Dan Holme

The Bamboo Team Blog — Tue, 03 Feb 2009 08:12:43 GMT

Dan Holme, Director of Training & Consulting for Intellium , is a SharePoint MVP with a particular

re: User Data & Settings: New DFS recommendations

paulbrod — Tue, 20 Jan 2009 01:32:51 GMT

Another update about csccmd.exe & pinning "Offline Files", there's a good article on "Offline Files" at:

windowsteamblog.com/.../working-with-offline-files.aspx

Here (page 2) Brian Aust (MS) mentions that csccmd is not supported or compatible on Vista, though a Offline Files API is available to both C/C++ programming via COM objects and interfaces. Brian also says here "As for excluding a sub folder from being made avialable offline (i.e. pinned), that ability was removed in Vista."

Event Viewer System Log Error 13 | keyongtech

Event Viewer System Log Error 13 | keyongtech — Sun, 18 Jan 2009 17:43:36 GMT

Pingback from Event Viewer System Log Error 13 | keyongtech

listare gruppi cui un utente appartiene | hilpers

listare gruppi cui un utente appartiene | hilpers — Sun, 18 Jan 2009 13:50:55 GMT

Pingback from listare gruppi cui un utente appartiene | hilpers

re: Connections 2008 Presentations And Tools

curacaojay — Mon, 15 Dec 2008 20:40:54 GMT

Any tools yet Dan?

re: User Data & Settings: New DFS recommendations

paulbrod — Thu, 11 Dec 2008 04:08:51 GMT

I'd like to post some further information about some issues we've been experiencing and resolved. The issues were to do with the DFS folders being created in all lowercase and plain/blank folder icons being displayed in Windows Vista.

Refer to the following two articles for details:

forums.microsoft.com/.../ShowPost.aspx

blogs.technet.com/.../storage-tips-how-to-create-namespace-links-in-uppercase.aspx

re: User Data & Settings: New DFS recommendations

paulbrod — Thu, 04 Dec 2008 03:29:33 GMT

Hey Dan,

You're welcome, yes UDS is a beast but it is gradually being tamed ;)

We have found that the user does indeed need require READ on the %username% physical namespace folder, even with Bypass traverse checking enabled on the server.

We have also found the "Modify" (M) permissions were sufficient, however these permssions, we discovered, also permits the user to delete their Document, Desktop and Profiles folders when the (M) permission is set at those levels in the physical namespace.

I have determined that the modify permission actually equates to (X,RD,RA,REA,WD,AD,WA,WEA,DC,D,RC), when viewing permissions through the GUI. The D or Delete permission at the Document, Desktop & Profiles folders actually allows the user to delete these parent folders. So we are now using (X,RD,RA,REA,WD,AD,WA,WEA,DC,RC), basically (M) without the (D) and this works just fine and the user now cannot delete the parent folders. There is a catch though, when using icalcs to implement this set of permissions it has to be done using (RX,W,DC) or else there's issues. So in summary (RX,W,DC) = (X,RD,RA,REA,WD,AD,WA,WEA,DC,RC), when viewed through the GUI but use (RX,W,DC) when implementing this through icacls!!! Weird but works!!!

Additionally, we had issues with the XP SP3 version of fdeploy.dll (Folder Redirection CSE) and are now running with the SP2 version on an SP3 XP build. This is as per a posted answer by Microsoft (Aug 2008) on a Microsoft TechNet forum at social.technet.microsoft.com/.../9301539b-9a3d-4701-8411-ca2b857167b2 .

Thanks for the suggestion about pinning redirected folders. Haven't been able to find Vista equivilant to csccmd.exe yet but can see that csccmd has a /PIN switch.

Cheers, will keep you posted.

re: User Data & Settings: New DFS recommendations

danholme — Thu, 04 Dec 2008 01:16:42 GMT

Paul! Thanks for the note!!! I’m in the middle of a 10k user UD&S as well. You’re right that MS’s tools (autocreation of Profile & folders) are not in any way least privilege—the client side code that does that was built long before “least privilege” was a real concern :-)

I have some new information on permissions, but it depends on your folder namespace. The %username% folder doesn’t need ANY permissions (to the user) thanks to the native traverse folders system privilege, unless your DFS namespace is built a certain way for the roaming profile, in which case the user needs READ (and only read) on the %username% folder.

I discourage you from giving W on the %username% folder (above Documents/Desktop/etc.) because it gives the user the ability to add unmanaged files & folders to that root. Instead, start giving permissions at the ‘specific folder’ (documents/desktop/etc.) level, and yes I believe we found that “M” (Modify) is enough, rather than Full Control.

Thanks for all your other observations!!!! I hope to have a chance to revise all my guidance next year as Win7 comes out (with backfill to XP & Vista).

One other big note. We’ve found it very helpful for many reasons to MANUALLY PIN all redirected folders offline on the computer (s) that a user uses on a day-to-day basis. Helps availability, helps offline work (laptops), and provides a last-ditch backup/recovery solution. You still want to turn off the default policy that automatically caches redirected folders, because you don’t want every user logging on to your conference room computer getting a full cache of their redirected folders. It has to be done on a per-machine, per user bases. CSCCMD.exe (in XP) and the equivalent command in Vista (which escapes me right now) can be automated to do this ‘manual’ step automatically.

Please keep me posted… I *REALLY* appreciate feedback from the field. UDS is such a beast, with so many moving parts, that all input helps!!!!!!

re: User Data & Settings: New DFS recommendations

paulbrod — Thu, 04 Dec 2008 00:44:12 GMT

Dan,

Thought I'd drop you a line concerning the our experience with permissions on %username% and subfolders, since you mention you'll test MODIFY.

We are implementing a similar UDS solution in a Windows 2003 R2 Native environment (10,000+ users), using XPSP3 (Desktops) and VistaSP1 (Laptops).

We've decided to implement 26 DFS root namespaces such as \\domain\usersa through to \\domain\usersz. And plan to use SAN replication not DFSR due to DFSR compatibility issues highlighted with our File archiving vendor, apparently this vendors file stubs don't work too well with DFSR .

Also amended the provisioning script to accept only users region, sAMAccount name, Firstname and Lastname as arguments. This provisions the user on the correct file server, assigns them their folder structure (with NTFS permissions detailed below) a user profile path, puts them in the correct policy group for folder redirection and can be used in any domain, Production or test.

Redirected folders are Desktop, Documents (Pictures, Videos, Music follows) and we use Profile and Profile.v2.

With respect to permissions:

We too are using a Least User Privilge model and don't use full control on any parent folder or subfolder for the user. Instead we use something like modify but not delete parent, this I've found translates to an ACE of <Domain>\%username%:(OI)(CI)(RX,W,DC) on those redirected folders listed above. We did originally use these permissions(X,RD,RA,REA,WD,AD,WA,WEA,DC,RC) because when viewed through the GUI, these items are cheked as they are when implemeted using (RX,W,DC) i.e. they appear to be exactly the same. However the later permission caused us no end of grief (access deinied, unable to create profile error messages), so we are now using the former permissions.

Also found the DFSRoot permissions at the %username% level had to match the physcial namespace target or else the grief would return, also ref. KB907458.

What's interesting is that MS Best Practice suggests that the system should create the Profile directories or if you do have to precreate them, then use Full Control for the user on the Profile directories. Surely not a Least User Privilege approach?

Thanks and keep up the great work.

Paul

re: Download the External Collaboration Toolkit for SharePoint

tylerw — Mon, 01 Dec 2008 18:46:28 GMT

thanks dan. That is what I thought.