Granting domain administrators access to redirected folders for View Persona Management (2058932)
With View Persona Management, you can use group policy settings to redirect user profile folders to a network share. When a folder is redirected, all data is stored directly on the network share during the user session.
Windows folder redirection has a check box called Grant user exclusive rights to folder-name, which gives the specified user exclusive rights to the redirected folder. As a security measure, this check box is selected by default. When this check box is selected, administrators do not have access to the redirected folder. If an administrator attempts to force change the access rights for a user's redirected folder, View Persona Management no longer works for that user.
- Upgrade to VMware Horizon View 5.3.
- Copy the install-directory\VMware\VMware View\Server\extras\GroupPolicyFiles\ViewPM.adm file on the View Connection Server host to your Active Directory server.
- Apply the policy settings in the ViewPM.adm file to the GPO for your View desktops.
- Enable the Add the Administrators group to redirected folders group policy setting.
For complete information about configuring group policy settings, see the VMware Horizon View Administration Guide.
Set ownership for the administrator on the files and folders.
icacls "\\file-server\persona-share\*" /setowner "domain\admin" /T /C /L /Q
For example: icacls "\\vmware-jjgp4e1c\folders\*" /setowner "view-cpd\vcadmin" /T /C /L /Q
Modify the ACLs for the files and folders.
icacls "\\file-server\persona-share\*" /grant "admin-group":F /T /C /L /Q
For example: icacls "\\vmware-jjgp4e1c\folders\*" /grant "Domain Admins":F /T /C /L /Q
For each user folder, revert ownership from the administrator to the corresponding user.
icacls "\\file-server\persona-share\user-folder" /setowner "domain\folder-owner" /T /C /L /Q
For example: icacls "\\vmware-jjgp4e1c\folders\u8.VIEW-CPD" /setowner "view-cpd\u8" /T /C /L /Q
Note: If non-exclusive access is required, the user must be the owner of the folder and the creator/owner permission must have full control. The Access Control List (ACL) should contain:
- CREATOR/OWNER – Full Control
- Alternatively, %Username% – Full Control (the user must still own the folder)
- Each group that requires non-exclusive access
- Each user that requires non-exclusive access
- Local System (on Windows shares) – Full Control
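To confirm that the three icacls steps left every user folder in the state the note describes, the following PowerShell script reports the owner and the Full Control entries for each folder. It is an added example, not part of the original article or of any VMware tooling. Assumptions: the share path and admin group are placeholders, and user folders are named user.DOMAIN as in the example u8.VIEW-CPD.

```powershell
# Added example: audit redirected-folder ACLs against the note above.
# Assumptions: $Share and $AdminGroup are placeholders to adjust; folders are
# named user.DOMAIN (NetBIOS domain), as in the article's "u8.VIEW-CPD".
param(
    [string]$Share      = '\\file-server\persona-share',
    [string]$AdminGroup = 'Domain Admins'
)

$Full       = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$GenericAll = 0x10000000  # inherit-only ACEs such as CREATOR OWNER often report GENERIC_ALL
$SidType    = [System.Security.Principal.SecurityIdentifier]
$NtType     = [System.Security.Principal.NTAccount]
# Resolve the group name once so the comparison is by SID, not display name.
$AdminSid   = ([System.Security.Principal.NTAccount]$AdminGroup).Translate($SidType).Value

function Test-FullControl {
    param($Rules, [string]$Sid)
    # True if an Allow ACE for this SID carries FullControl or GENERIC_ALL.
    foreach ($r in $Rules) {
        $rights = [int]$r.FileSystemRights
        if ($r.AccessControlType -eq 'Allow' -and $r.IdentityReference.Value -eq $Sid -and
            ((($rights -band $Full) -eq $Full) -or (($rights -band $GenericAll) -ne 0))) {
            return $true
        }
    }
    return $false
}

Get-ChildItem -LiteralPath $Share -Directory | ForEach-Object {
    $folder = $_
    $acl    = Get-Acl -LiteralPath $folder.FullName
    $rules  = $acl.GetAccessRules($true, $true, $SidType)   # explicit + inherited, as SIDs
    $owner  = $acl.GetOwner($NtType).Value

    # "u8.VIEW-CPD" -> "VIEW-CPD\u8"; split on the last dot so dotted user names survive.
    $expected = $null
    if ($folder.Name -match '^(?<u>.+)\.(?<d>[^.]+)$') {
        $expected = '{0}\{1}' -f $Matches.d, $Matches.u
    }

    [pscustomobject]@{
        Folder           = $folder.Name
        Owner            = $owner
        OwnerIsUser      = ($null -ne $expected) -and ($owner -eq $expected)
        AdminGroupFull   = Test-FullControl $rules $AdminSid
        CreatorOwnerFull = Test-FullControl $rules 'S-1-3-0'    # CREATOR OWNER
        SystemFull       = Test-FullControl $rules 'S-1-5-18'   # Local System
    }
} | Format-Table -AutoSize
```

A row with OwnerIsUser set to False means ownership was not reverted to the user for that folder; a row with AdminGroupFull set to False means the /grant step did not reach it.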