Question about VMware View Persona repository permissions

Cerulean

I did research earlier this year on setting up a VMware View Persona repository with correct NTFS and Share permissions. These are the results of my findings with approval from a VMware support technician:

Please see http://technet.microsoft.com/en-us/library/cc757013(WS.10).aspx
Do not force access into Profiles or AppData folders or you will screw up correctly set permissions (unless someone broke them already, then whatever) and go against official requirements & recommendations of Microsoft and VMware

Security permissions for X:\Testbed-Persona\AppData & X:\Testbed-Persona\Profiles
Code:
Owner: SYSTEM

Type   Principal                       Access        Inherited from  Applies to
+------+-------------------------------+-------------+---------------+----------------------------------
Allow  SYSTEM                          Full control  None            This folder, subfolders and files
Allow  CREATOR OWNER                   Full control  None            Subfolders and files only
Allow  vdi_FCTY1 (COMPANY1\vdi_FCTY1)  Special       None            This folder only
Allow  vdi_FCTY2 (COMPANY1\vdi_FCTY2)  Special       None            This folder only

'Special' entails ONLY the following Advanced permissions (everything else uncheckmarked):
List folder / read data
Create folders / append data



Share permissions for X:\Testbed-Persona\AppData & X:\Testbed-Persona\Profiles
Code:
Group or user name              Permissions
+-------------------------------+-----------------------------------
vdi_FCTY1 (COMPANY1\vdi_FCTY1)  Allow Full Control + Change + Read
vdi_FCTY2 (COMPANY1\vdi_FCTY2)  Allow Full Control + Change + Read



Share name for X:\Testbed-Persona\AppData is AppData$
Share comments for X:\Testbed-Persona\AppData is: Application Data (Roaming)

Share name for X:\Testbed-Persona\Profiles is Profiles$
Share comments for X:\Testbed-Persona\Profiles is: Persona repository location



If I am dead or gone, to change permissions you must modify the NTFS security permissions by changing the owner to %hostname%\Administrators (do not "Replace owner on subcontainers and objects") --> OK out of everything. Changing owner is enough to at least let you see what the permissions are on the folder and be able to modify share permissions. Be sure to remove %hostname%\Administrators from the permissions and change the owner back to SYSTEM --> OK out of everything. I have not done research yet to see what the appropriate owner is supposed to be on the folder, so I had decided to set it to SYSTEM to be on the safe side.

IF NECESSARY (which you shouldn't even need to do) add %hostname%\Administrators with "Full control" applying to "This folder, subfolders and files" but do not replace objects/containers.

My question is regarding the Owner of X:\Testbed-Persona\Profiles and X:\Testbed-Persona\AppData so that an administrator could log in under their credentials to the server storing the Persona repository and browse into these directories. If the Owner is set to SYSTEM, the administrators will get an error when they try to open the folder saying they don't have permission to access the folder.

The Microsoft article http://lucca.hardforum.com/rewrite/...spx&id=1&match=1&source=none&destination=none never said anything about what the correct Owner should be.
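
The following audit script is an added example, not part of the original post and not VMware or Microsoft code. It compares a repository folder's NTFS owner and entries against the table in the post above and lists any drift. The function name is hypothetical, and the script assumes it runs as an account that can read the folder's security descriptor (for example SYSTEM) and that the ACL editor may have stored SYNCHRONIZE or GENERIC_ALL in the entries.

```powershell
function Test-PersonaRepositoryAcl {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$VdiGroup
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sync    = 0x100000     # SYNCHRONIZE; the ACL editor may add it to Allow entries
    $full    = 0x1F01FF     # FileSystemRights.FullControl
    $genAll  = 0x10000000   # GENERIC_ALL; inherit-only "Full control" may be stored this way
    $special = 0x1 -bor 0x4 # List folder / read data + Create folders / append data

    # Expected entries keyed by SID: acceptable rights, InheritanceFlags, PropagationFlags
    $expected = @{
        'S-1-5-18' = @{ Name = 'SYSTEM';        Rights = @($full);          Inherit = 3; Propagate = 0 }
        'S-1-3-0'  = @{ Name = 'CREATOR OWNER'; Rights = @($full, $genAll); Inherit = 3; Propagate = 2 }
    }
    foreach ($g in $VdiGroup) {
        $sid = (New-Object System.Security.Principal.NTAccount($g)).Translate($sidType).Value
        $expected[$sid] = @{ Name = $g; Rights = @($special); Inherit = 0; Propagate = 0 }  # This folder only
    }

    $acl = Get-Acl -LiteralPath $Path
    $findings = @()
    if ($acl.GetOwner($sidType).Value -ne 'S-1-5-18') {
        $findings += "Owner is $($acl.Owner), expected SYSTEM"
    }
    $seen = @{}
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid  = $ace.IdentityReference.Value
        $want = $expected[$sid]
        if (-not $want) { $findings += "Unexpected entry for $sid ($($ace.FileSystemRights))"; continue }
        $seen[$sid] = $true
        # Compare rights with SYNCHRONIZE set on both sides so its presence does not matter
        $rightsOk = @($want.Rights | ForEach-Object { $_ -bor $sync }) -contains ([int]$ace.FileSystemRights -bor $sync)
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited -or -not $rightsOk -or
            [int]$ace.InheritanceFlags -ne $want.Inherit -or [int]$ace.PropagationFlags -ne $want.Propagate) {
            $findings += "$($want.Name): rights or scope differ ($($ace.FileSystemRights); $($ace.InheritanceFlags); $($ace.PropagationFlags))"
        }
    }
    foreach ($sid in $expected.Keys) {
        if (-not $seen[$sid]) { $findings += "Missing entry for $($expected[$sid].Name)" }
    }
    $findings   # empty output means the folder matches the table
}

# Path and group names are the ones given in the post.
Test-PersonaRepositoryAcl -Path 'X:\Testbed-Persona\Profiles' -VdiGroup 'COMPANY1\vdi_FCTY1', 'COMPANY1\vdi_FCTY2'
```

An "Unexpected entry" line for an Administrators or Domain Admins SID is what this check reports if the temporary access described in the post was never removed.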
 
I would usually set the directory (and child directories) with the user who will be using them as the owner with read/write permissions (not full). I'd then set the domain administrators group to have full read/write but not ownership. That would correct a lot of the issues I'd run into with View and View Persona.
 
I would usually set the directory (and child directories) with the user who will be using them as the owner with read/write permissions (not full). I'd then set the domain administrators group to have full read/write but not ownership. That would correct a lot of the issues I'd run into with View and View Persona.
So on the parent directory that stores everyone's user profile folder, I should simply just add 'Domain Admins' with Modify permissions?

Code:
Allow	CREATOR OWNER			Full control	None			Subfolders and files only
This alone automatically takes care of setting the correct owner on the folder. Whoever creates a folder inside the share, the Owner is set as them.
 