By default the security rights on the C: disk of a RDSH server are set to:


These rights allow your users to create folders and documents in de C: disk, which are readable by every user on the system. Some old applications also like to have their save preferences set to C:\something, so im seeing all kinds of data on the C: disk on the RDSH server with these default settings. On a Windows 7 system this makes sense, but on a RDSH they do not.

You can remove these settings manually (ignore all the warnings you get) but as sysops we want to automate this. We did it with icalcs.exe:

icacls C:\ /remove:g BUILTIN\users
icacls C:\ /grant:r BUILTIN\users:(OI)(CI)RX
icacls C:\ /grant:r BUILTIN\users:(OI)(CI)(IO)(WD,AD)

You can put this in a startup script and put it in gpo.


DON’T remove the Read settings;

these read rights are set through:
icacls C:\ /grant:r BUILTIN\users:(OI)(CI)RX
which is the second line in the script.

DON’T remove these read/execute settings as this would remove the execution bit on the RDSH server and denies executing any application on the system. That would defeat the purpose of a RDSH won’t it? 😉



Categories: Citrix, Remote Desktop

1 Comment

  1. The user folder has been renamed, but you need to edit the Registry setting as well as the old folder path is still stored in the Registry. You would get profile not found errors if you would now try to log into the old user account.

Leave a Reply

Your email address will not be published. Required fields are marked *