I don't allow Windows clients to create their redirected folders. Frankly, it seems like a potential DoS attack to me to have a world-writeable folder on a server computer where any user account can create sub-folders. (The whole notion of the client creating important folders like this seems brain-damaged to me, as does the default behavior of breaking the permission inheritance hierarchy and specifying "User / Full Control". Whoever in Microsoft thought up that behavior had their head firmly up their ass and obviously doesn't administer production file servers.)

When I provision a user account (via script) I also create the redirected Desktop, Application Data, and My Documents folders (I don't do Start Menu redirection anywhere, but it should function similarly) in the correct location and add a "User / Full Control" ACL to the folder immediately after creating it. The parent directory of any redirected folder hierarchy has "Administrators / Full Control" and "Authenticated Users / List Folder Contents - This folder only" specified on it already. I end up with a nice clean permission inheritance hierarchy and no world-writeable folder.

This has worked well for me with Windows 2000 through Windows 7 clients. I don't mind the provisioning, since I'm doing it via script, and it makes me happy not to have a world-writeable folder on my server computers.
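The provisioning described in the answer above, as an added PowerShell example; this is not the poster's own script. It assumes the redirected-folder root lives at D:\Redirected on the file server, a NetBIOS domain named CORP, and a layout of one folder per user containing the three redirected subfolders; those names, and the Full Control grant being placed on the user's top-level folder so the subfolders inherit it, are assumptions for illustration. The last function is the check a file-server admin would want after running it: it fails if any broad group has been left with create or write rights on the root.

```powershell
# Added example (not from the original post). Assumed values below; change to fit.
$Domain     = 'CORP'                                        # assumed NetBIOS domain
$RedirRoot  = 'D:\Redirected'                               # assumed local path of the share
$Subfolders = 'Desktop', 'Application Data', 'My Documents' # folders named in the post

function New-Ace {
    # Builds a FileSystemAccessRule; all five constructor arguments are strings that
    # PowerShell converts to the matching enums.
    param($Identity, $Rights, $Inheritance, $Propagation, $Type)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @($Identity, $Rights, $Inheritance, $Propagation, $Type)
}

function Initialize-RedirectionRoot {
    # Root of the hierarchy: Administrators / Full Control (inherited downward) and
    # Authenticated Users / List Folder Contents - This folder only. Nothing here lets
    # an ordinary user create anything, so the root is not world-writeable.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the volume and drop whatever came with it (e.g. Users / Write).
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

    $acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' `
        'ContainerInherit, ObjectInherit' 'None' 'Allow'))
    # ReadAndExecute is the access mask behind the basic "List folder contents" entry;
    # no inheritance flags makes it "This folder only", so it does not flow into user folders.
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' `
        'None' 'None' 'Allow'))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function New-RedirectedFolders {
    # Creates <root>\<user>\{Desktop, Application Data, My Documents} server-side and
    # grants the user Full Control on their own folder only. The Administrators ACE from
    # the root keeps flowing down, so inheritance is never broken.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Root = $RedirRoot
    )
    $userFolder = Join-Path $Root $SamAccountName
    foreach ($name in $Subfolders) {
        New-Item -ItemType Directory -Path (Join-Path $userFolder $name) -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $userFolder
    $acl.AddAccessRule((New-Ace "$Domain\$SamAccountName" 'FullControl' `
        'ContainerInherit, ObjectInherit' 'None' 'Allow'))
    Set-Acl -LiteralPath $userFolder -AclObject $acl
}

function Test-RootNotUserWritable {
    # Returns $true when no broad principal holds an Allow ACE with any create/write bit
    # on the root; use it as a post-provisioning check or a scheduled audit.
    param([Parameter(Mandatory)][string]$Path)
    $broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
             'NT AUTHORITY\INTERACTIVE'
    $writeMask = [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::Write
    $offending = @((Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band [int]$writeMask) -ne 0)
    })
    return ($offending.Count -eq 0)
}

# Example run (assumed user name), from an elevated shell on the file server:
Initialize-RedirectionRoot -Path $RedirRoot
New-RedirectedFolders -SamAccountName 'jdoe'
if (-not (Test-RootNotUserWritable -Path $RedirRoot)) {
    Write-Error "$RedirRoot grants create/write rights to a broad group"
}
```

Run it on the file server with an account that can set ACLs on the share. The client-side half still matters: the Folder Redirection policy has to point at these pre-created paths and must not be left in the mode where the client takes exclusive ownership of the folder, otherwise the first logon rewrites the ACL the script just set.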


Make sure the settings are per this link:

http://support.microsoft.com/kb/274443