Thursday, July 26, 2018

Excluding TEMP Directory from User Profile Disks in Remote Desktop Services

I had a customer with a line-of-business application attempting to open PDF files on a Server 2016 RD Session Host with User Profile Disks configured.
  • When a user attempts to open a PDF document within the application, they get an Access Denied error.
  • When a user attempts to open a PDF document from a standard file share, the document opens correctly.

I used Microsoft Sysinternals Process Monitor to view what was happening. The application was dumping the PDF document to the %TEMP% folder, which sits inside the User Profile Disk. This was generating an Access Denied event.
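To pull the relevant events out of a large Process Monitor capture, the filter below reads a Procmon CSV export (File > Save, CSV format) and lists only the ACCESS DENIED results under the user's AppData\Local\Temp folder, grouped by process. This is an added example, not code from the original post; the trace rows are constructed to match the shape of a Procmon export, and the process names, PIDs and paths are made up.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of a Process Monitor CSV export.
# These are made-up trace lines, not a real capture.
PROCMON_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:41:02.1234567 AM","LobApp.exe","4120","CreateFile","C:\Users\jsmith\AppData\Local\Temp\invoice.pdf","ACCESS DENIED","Desired Access: Generic Write, Read Attributes"
"9:41:02.1256789 AM","LobApp.exe","4120","CreateFile","C:\Users\jsmith\AppData\Local\Temp\invoice.pdf","ACCESS DENIED","Desired Access: Generic Read"
"9:41:03.0000000 AM","AcroRd32.exe","5216","CreateFile","C:\Users\jsmith\AppData\Local\Temp\invoice.pdf","NAME NOT FOUND","Desired Access: Generic Read"
"9:41:05.0000000 AM","LobApp.exe","4120","CreateFile","\\fileserver\share\invoice.pdf","SUCCESS","Desired Access: Generic Read"
"""


def temp_denials(csv_text, temp_marker="\\appdata\\local\\temp\\"):
    """Return the Procmon rows that were denied access under the user's
    %TEMP% folder (AppData\\Local\\Temp inside the profile / UPD).
    Path matching is case-insensitive, as NTFS paths are."""
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    hits = []
    for row in reader:
        if row["Result"] != "ACCESS DENIED":
            continue
        if temp_marker not in row["Path"].casefold():
            continue
        hits.append({
            "process": row["Process Name"],
            "pid": int(row["PID"]),
            "operation": row["Operation"],
            "path": row["Path"],
            "detail": row["Detail"],
        })
    return hits


def summarize(hits):
    """Count denials per (process, operation) so the offending
    application stands out in a long trace."""
    return Counter((h["process"], h["operation"]) for h in hits)


if __name__ == "__main__":
    hits = temp_denials(PROCMON_CSV)
    for (proc, op), n in summarize(hits).most_common():
        print(f"{proc:12} {op:12} {n} denial(s) under %TEMP%")
    for h in hits:
        print(f"  pid {h['pid']}: {h['path']} ({h['detail']})")
```

Only the two LobApp.exe writes/reads in the profile Temp folder are reported; the later NAME NOT FOUND from the reader and the successful file-share access are filtered out.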


During troubleshooting, I mounted one of the User Profile Disks and, as a test, granted "EVERYONE" Full Control on the AppData\Local\Temp folder, unmounted the disk and got the user to log in.

What I noticed was that any changes to NTFS permissions on a UPD get reset back to default by RDS automatically upon user login. Only the user, Administrators and SYSTEM have Full Control over all files and folders within a User Profile Disk.

I then looked at excluding the TEMP directory from the User Profile Disk, as the GUI provides a way of adding exclusions. There seems to be a known issue with excluding folders from User Profile Disks: the feature doesn't appear to work, and there are many threads about it.

I tried the following formats:

%TEMP%
AppData\Local\Temp
\AppData\Local\Temp
%userprofile\AppData\Local\Temp

All had no effect.


As a workaround, instead of selecting "Store all user settings and data on the user profile disk", I selected "Store only the following folders on the user profile disk". I then selected all of the listed folders, which covers the entire user profile apart from the AppData and Favorites directories.


As you can see in the resulting folder list, AppData doesn't have a redirect icon on it; all other folders in the profile do.

After making this change, the line-of-business application was able to open PDF documents with Adobe Reader again.