Wrong access rights for moved user shell folders


I successfully move the My Documents folder for each user to a specific directory by importing a REG_EXPAND_SZ value at T-12 as described in this post:

http://www.msfn.org/board/index.php?showto...7339&hl=cusrmgr

At the end of that post, an ACL problem is mentioned when reinstalling Windows because new user IDs are generated. Other posts I've read seem to content themselves with moving folders and do not even mention any ACL problems.

However, I do not even get that far. The folders that are created provide full access to the Everybody group and to that group alone. The corresponding user isn't even listed. This happens, although the folders

- are residing on an NTFS drive

- are being created by Windows itself during the first logon of each user (so Windows should know which user it creates the folder for and hence be able to set the access rights properly)

In addition, it would of course be nice to know how to get rid of the "ghost" user IDs during a reinstall, but for now I would be happy if anybody could help me with my current problem.

Every user being able to manipulate every other user's files is of course unacceptable. I wonder why Microsoft enables custom placements of these folders without setting the access rights accordingly. For any serious application this is unusable - but then again, you'd probably use a domain and a server-hosted profile anyway for a "serious" application.

One thing I could imagine to be the reason is that access rights are inherited from the parent folder, i.e. the profiles directory. So if I move My Documents, there is no folder there to inherit the rights from. Again: Where's the sense in being able to move the folder then? I am not familiar enough with ACLs to verify this hypothesis, but I thought I'd still mention it.

Link to comment
Share on other sites


If you move your folders to a different drive, i.e. D:\%USERNAME%\My Documents, they inherit the settings of the drive, [D:], as their parent folder.

The only way to prevent other users from accessing others' folders without changing the permissions is to make them all 'Limited Users'.

It's all a bit of a mess really!

Best solution I've found to date is to ensure that the redirected folders are on FAT32 drives/partitions and don't have multiple users.

Link to comment
Share on other sites
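
The inheritance discussed in this thread (folders created under a drive root take on that root's ACL) can be checked folder by folder. The PowerShell script below is an added example, not part of the original posts; it assumes PowerShell 3.0 or later, an elevated prompt, and a hypothetical layout in which each folder directly under `D:\` is named after a local account.

```powershell
# Added example, not from the thread. Assumed layout: <Root>\<username>\...
param(
    [string]$Root = 'D:\',   # hypothetical root holding the redirected folders
    [switch]$Fix             # without -Fix the script only reports
)

$sidType  = [System.Security.Principal.SecurityIdentifier]
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'      # Everyone
$admins   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544' # Administrators
$system   = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'     # SYSTEM
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp   = [System.Security.AccessControl.PropagationFlags]::None

foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    # Resolve the folder name to an account SID; skip folders that are not user folders.
    try {
        $userSid = ([System.Security.Principal.NTAccount]$dir.Name).Translate($sidType)
    } catch { continue }

    $acl   = Get-Acl -LiteralPath $dir.FullName
    $rules = @($acl.GetAccessRules($true, $true, $sidType))   # explicit + inherited ACEs
    $open  = @($rules | Where-Object { $_.IdentityReference.Value -eq $everyone.Value -and
                                       $_.AccessControlType -eq 'Allow' })

    # One report row per user folder.
    [pscustomobject]@{
        Folder         = $dir.FullName
        EveryoneRights = ($open | ForEach-Object { $_.FileSystemRights }) -join '; '
        FromParent     = [bool]($open | Where-Object { $_.IsInherited })
        UserHasOwnAce  = [bool]($rules | Where-Object { $_.IdentityReference.Value -eq $userSid.Value })
    }

    if ($Fix) {
        $acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the drive root
        $acl.PurgeAccessRules($everyone)              # drop any explicit Everyone ACEs
        foreach ($sid in $userSid, $admins, $system) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $sid, 'FullControl', $inherit, $noProp, 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    }
}
```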
