There are PowerShell and VB scripts out there that address the User Profile Redirection display problem mentioned in Microsoft’s KB947222 article, but I didn’t like the idea of having to waste precious CPU cycles on calling one of these scripts every couple of minutes, so I decided to take matters into my own hands and come up with a different approach.
Those solutions do indeed work, but even if you’re running the script once a minute, you still run into the possibility that a user logs in, which in turn creates their redirected documents folders, and anyone attempting to access the network share that contains the user profiles at that exact moment would still run into the same issue until the next time the script ran via Task Scheduler. Not exactly a great solution.
In addition to that, at least for me, using the PowerShell script seemed to add a whole other layer of document shortcuts inside the user’s environment, so that they had to click on Documents twice just to get into their documents folder. Again, not an ideal solution.
I decided to put my thinking cap on and came up with this solution: a single Group Policy that creates an HKCU\RunOnce entry, which calls a batch file to set the user permissions on the desktop.ini file at the user’s first logon.
Download the FixKB947222DisplayIssue.bat script here.
:: User Profile Redirection Display Fix
:: For Server 2008/Windows 7 and Up
:: Author: Nathan Thomas
:: Date: 02/13/2015
::
:: Here is a simple, elegant solution to the user profile redirection display issue addressed in Microsoft Knowledge Base
:: Article KB947222 that gave no real helpful options to fix that didn't require an administrator's manual intervention.
:: Instead of having to use task scheduler to constantly run the PowerShell and VB scripts that I've found to update
:: the file permissions on the desktop.ini file because you can't control how often a new user will login, you can use
:: my "one and done" approach. Simply set up an HKCU\RunOnce rule in Group Policy to call this batch script that is placed
:: somewhere on the local server so that it doesn't ask for user interaction or permission to run it (it will if you try
:: from a network share). It will run one time when they first log in, set the permissions, and life will go on. If you're
:: running a Software Protection Policy, the only downside is that you will have to grant the user access to use
:: icacls.exe and this batch file but if you are denying access to the command prompt anyway, it shouldn't be a problem.
:: -- Group Policy Instructions --
:: Inside of Group Policy Editor for your RDS Server's User Policy, navigate to:
:: User Configuration > Preferences > Windows Settings > Registry
:: Right-click Registry > New > Registry-Item
:: Action: Update
:: Hive: HKEY_CURRENT_USER
:: Key Path: Software\Microsoft\Windows\CurrentVersion\RunOnce
:: Value name: FixRedirectedFolderDisplay
:: Value type: REG_SZ
:: Enter the local path to this script
:: Value data: %SYSTEMDRIVE%\YourLocalPath\FixDisplay.bat
:: On the Common tab, check "Apply once and do not reapply" and click OK
:: Then place this script in the local path you entered above, edit, and uncomment the last line and this script will be called
:: the first time the user logs in and the permissions will be set on desktop.ini, problem solved.
::
:: Example: icacls "\\UNCPathName\Folder\%USERNAME%\desktop.ini" /inheritance:r /grant:r "NT AUTHORITY\SYSTEM":F "DomainName\%USERNAME%":F
::
@ECHO OFF
::icacls "\\UNCPathName\Folder\%USERNAME%\desktop.ini" /inheritance:r /grant:r "NT AUTHORITY\SYSTEM":F "DomainName\%USERNAME%":F
::icacls "\\UNCPathName\Folder\%USERNAME%\Desktop\desktop.ini" /inheritance:r /grant:r "NT AUTHORITY\SYSTEM":F "DomainName\%USERNAME%":F
::icacls "\\UNCPathName\Folder\%USERNAME%\Documents\desktop.ini" /inheritance:r /grant:r "NT AUTHORITY\SYSTEM":F "DomainName\%USERNAME%":F
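
To check that the RunOnce script actually ran for every user, the PowerShell audit below (an added example, not part of the original post or of the batch file above) walks the profile share and lists each desktop.ini whose ACL still inherits or names anyone other than SYSTEM and the folder's user. `$ShareRoot` and `$Domain` are placeholders matching those in the batch file, and the script assumes each top-level folder is named after its user, as the `%USERNAME%` paths imply.

```powershell
# Added example (not from the original post): audit desktop.ini ACLs after the fix.
# $ShareRoot and $Domain are placeholders, like \\UNCPathName\Folder and DomainName
# in the batch file. Assumes each top-level folder is named after its user.
param(
    [string]$ShareRoot = '\\UNCPathName\Folder',
    [string]$Domain    = 'DomainName'
)

# The three files the batch script targets, relative to each user's folder.
$targets = 'desktop.ini', 'Desktop\desktop.ini', 'Documents\desktop.ini'

$report = foreach ($userDir in Get-ChildItem -LiteralPath $ShareRoot -Directory) {
    # After "/inheritance:r /grant:r", only these two principals should remain.
    $expected = 'NT AUTHORITY\SYSTEM', "$Domain\$($userDir.Name)"

    foreach ($rel in $targets) {
        $file = Join-Path -Path $userDir.FullName -ChildPath $rel
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { continue }

        try {
            $acl = Get-Acl -LiteralPath $file -ErrorAction Stop
        } catch {
            # Access denied is expected when the auditing account is neither SYSTEM
            # nor the file's owner, because the fix removes every other principal.
            [pscustomobject]@{ File = $file; Protected = $null; Extra = "ACL unreadable: $($_.Exception.Message)"; Compliant = $null }
            continue
        }

        # Principals on the ACL that the icacls command would not have granted.
        $extra = @($acl.Access |
            Where-Object { $_.IdentityReference.Value -notin $expected } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique)

        [pscustomobject]@{
            File      = $file
            Protected = $acl.AreAccessRulesProtected   # True once inheritance is removed
            Extra     = $extra -join '; '
            Compliant = $acl.AreAccessRulesProtected -and ($extra.Count -eq 0)
        }
    }
}

# Show everything that is not confirmed compliant, including unreadable ACLs.
$report | Where-Object { $_.Compliant -ne $true } | Format-Table -AutoSize -Wrap
```

Run it from an account that can read the ACLs (SYSTEM on the file server, for example); from an ordinary administrator session, files already locked down by the fix appear as "ACL unreadable" rows rather than as compliant.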