AC 10.1 remove tabs from Access Request

Hello,
I checked the forum for my specific issue but didn't find what I was looking for.
We're on GRC 10.1 V1100 SP04
Here's the scenario...
- We're requesting a new role to be assigned to an existing user in ECC using the Access Request form from GRC AC 10.1 system.
- I've created a new Request Type "Change Account" with actions Retain/Remove/Assign under process id SAP_GRAC_ACCESS_REQUEST
- We cannot modify the default EUP ID 999 Maintain EUP as they are SAP values & hard coded
- We even copied the 999 and made a custom EUP and made these fields non-mandatory but we want to remove these unnecessary tabs
So what's happening is when we put in a request for assignment of a new role to a user...and hit submit after selecting the role it is asking for "Enter the value for Email" & "Enter the value for Last Name"...which are mandatory fields.
Does anyone know how I can remove/hide the Risk Violations, User Details, Parameters, User Groups etc tabs which are NOT required in this request...we only need the User Access & Attachments tab.
I know in SE80\Access Request package there is a way to hide these BUT I do not see this form under the packages.
Is there any other way?
Thanks in advance,
Rajiv

Hi Rajiv,
Please check the below path
Go to SE80 T-code and select package from the drop down and enter GRAC_ACCESS_REQUEST.
Then in the Web Dynpro tab go to FPM Applications and there you can find the aplication GRAC_OIF_REQUEST_SUBMISSION where you can make your changes.
Regards,
Neeraj

Similar Messages

  • Removing tab from VA01

    HI EXPERTS
    I searched on sdn on how to remove tab from va01 and created a transaction variant through shd0
    i made the tab appearing at item level data invisible but when i test it it still shows that tab please help.
    being specific i need to remove the  tab " Request for Quote Addln Data" at item level detail , this is the last tab .

    Hi
    If you want to put the  tabs in invisible mode  then you have to use SHD0 only. Even 'Request for Quote Addnl Data'  can be done using SHD0 . But also make sure that you are putting  in invisible mode . So once again you run SHD0 then check wheather you are able to see that tab or not
    Regards
    Srinath

  • How to delete i.e. clear the pending access requests list from Access request page in SharePoint 2013

    Hi Team,
    I am site collection admin of a SP13 site. The issue is we have added some of the users manually after we got requests from them for site access. But this has left those users as pending on Access requests page. We don't want that list to stack up.
    I can not decline those requests as those users will be notified with declined mail. I searched for clearing the list of those pending requests but did't find any guidelines for this. 
    Is there any way I can do this. Any help is appreciated thanks in advance  

    You might consider using PowerShell to remove unwanted items from the "Access Requests" list of the web site.  This list holds all of the access requests including pending, declined and approved.  The following example demonstrates removing
    the first item from the list.  Please note, I'm not aware whether or not there are any negative side effects to removing items from this list so doing so would be at your own risk.
    $web = get-spweb https://yoursharepointsite
    $list = $web.lists["Access Requests"]
    $list.items[0].delete()

  • ARQ: How to Specify specific system in "System" Field in "Risk Violations" Tab in Access Request???

    Hi,
    I would like restrict users from selection systems from the drop down in "Risk Violations" Tab. In order to achieve this, I opened  GRAC_OIF_RQUEST_SUBMISSION" application in Admin mode and disabled. As a result, this field is disabled. But this is blank. I am unable to maintain any value in it. I tried to select a value from the drop down and then disabling the field. I saved with the selected value. But later when Access Request application accessed, it is again showed blank.
    However, when a user performs risk analysis, application still performs for all the connectors!
    user is authorized to perform risk analysis for specific connector (controlled using GRAC_SYS object). But not sure where from application is picking up different connectors?
    Secondly, I also noticed that this "System" drop down has multiple entries in it along with "ALL". I dont have any clue where these values are coming from!
    Can anybody help me in understanding and addressing this?
    Also, may I know how other are tackling this? I mean, is "System" drop down disabled with specific value as default or enabled with ONLY specific value?
    Please advise.
    Regards,
    Faisal

    Hi Faishal,
    I went through the challenge you have described. On top of mentioned issues - do you know that if a user select a system (has requested a role for it) but you have no sod rule book defined for it - grc will identify no sod risks for request and will mark all roles (even those for other systems for which rulebook is defined) as 'green' on access approver screen. The expected behavior would be only selected role would be marked as green and others would be still red. We have tried also with option 'ALL' however results provided in our case were not accurate (we did recons to single systems)
    This strange system behavior (SP14) was reported to SAP. In this case if you have path defined for SoD detour - system will not go on detour as there is no risk defined.
    What we did -was we setup a fix value in this field (our production system with rulebook) an put this system as parameter TVARV (system depended) and using the value of this parameter we fixed the system against which the analysis are executed.
    Filip

  • How to keep .tag-files from accessing request?

    How can i keep .tag-files from accessing the request? I only want to allow the .tag-file access to parameters given to it as input attributes.

    Don't use the request object then.
    People on the forum help others voluntarily, it's not their job.
    Help them help you.
    Learn how to ask questions first: http://faq.javaranch.com/java/HowToAskQuestionsOnJavaRanch
    (Yes I know it's on JavaRanch but I think it applies everywhere)
    ----------------------------------------------------------------

  • Removing invitees from calendar requests

    Can anyone advise how to remove old email addresses from the drop down list of invitees shown in a MAC calendar event? There are two shown and MAC seems to default to the first in the list despite selecting or typing the second address before sending. The created meeting event shows the correct email and the one I typed but the meeting request never arrives in the recipient account. Any help would be appreciated please.

    Kynan,
    Individual events can be assigned to another calendar, but only one calendar at a time. Therefore if a color of a single event is changed, it belongs to another calendar.

  • Remove tab from settings

    Hi,
    I am using a layout set to modify certain settings of a file in a km folder.
    I am changing the layout set->resource render ->Resource Command Group.
    Then i go to the ''single details group''.
    Here for a resource i only get ''details'' command not a group,so i can not modify it.
    I am unable to remove the option "CLASSIFICATION" from the files context menu details->settings.I need to remove this callsification tab how can i do this?
    Nikhil

    Hi,
    the menu items appearing in the details screen are assigned directly at the layout set whith parameter <i>Commands for the details menu</i>.
    Normally this should be the <i>DetailsGroup</i> in this group you find the <i>DetailsSettingsGroup</i> and in this one the <i>DetailsSettingsSecondGroup</i> in which you find the command <i>classification</i> which you can remove.
    Alternatively you could build your own groups and assign it to the layout set you use. That is more safe when thinking of upgrade or support packages.
    Regards,
    Sascha
    p.s.: we talk about this topic in SAP Education class EP300

  • Remove tabs from string

    hey
    I've a string like "1 2 3 4" and i want to filter the tabs, the requested result is : "1234"
    I was wondering if there any easy way (some String method ?) that i can use
    Thanks

    igalep132 wrote:
    thanks for quick answer
    it's not what i need...
    eventually i need one string like "1234", without empty sringsCute; how many characters does the String "abcd" contain? Four? Nope, there are a kazillion empty strings between each character, you just can't see them ;-)
    kind regards,
    Jos

  • I need an urgent help  remove namespace from proxyServie request body

    I have EFIBetalingOrdningMisligholdt proxyService that called IMMultiHaendelseModtag IMMultiHaendelseModtag business Service, but they have different xsd, so i am transforming EFIBetalingOrdningMisligholdt proxy service reuest xsd to
    IMMultiHaendelseModtag business service xsd.
    Bellow i have my xq file for the transformation.
    IMMultiHaendelseModtag Business Service request parameter should look like this.
    here is partial request to IMMultiHaendelseModtagBusinessService
    <soapenv:Body>
         <ns:IMMultiHændelseModtag_I      revision="string" xmlns:ns="http://skat.dk/begrebsmodel/2009/01/15/">
         <ns:Kontekst>
         <!--You may enter ANY elements at this point-->
         <AnyElement/>
         </ns:Kontekst>
    IMMultiHaendelseModtagBusinessService is called
    here is a partial of the transformed request
    Route to: "IMMultiHaendelseModtag"
         $outbound:
         <con:endpoint      name="BusinessService$dk.skat.efi.im$biz$IMMultiHaendelseModtag" xmlns:con="http://www.bea.com/wli/sb/context">
         <con:service>
         <con:operation>getIMMultiHændelseModtag</con:operation>
         </con:service>
         <con:transport>
         <con:mode>request-response</con:mode>
         <con:qualityOfService>best-effort</con:qualityOfService>
         <con:request      xsi:type="http:HttpRequestMetaData" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <tran:headers      xsi:type="http:HttpRequestHeaders" xmlns:tran="http://www.bea.com/wli/sb/transports">
         <http:Content-Type>text/xml</http:Content-Type>
         <http:SOAPAction>
         "http://skat.dk/begrebsmodel/2009/01/15/getIMMultiHændelseModtag"
         </http:SOAPAction>
         </tran:headers>
         </con:request>
         </con:transport>
         <con:security>
         <con:doOutboundWss>false</con:doOutboundWss>
         </con:security>
         </con:endpoint>
         $body (request):
         <soapenv:Body      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
         <ns:EFIBetalingOrdningMisligholdt_I      revision="string" xmlns:ns="http://skat.dk/begrebsmodel/2009/01/15/">
         <ns:IMMultiHændelseModtag_I>
         <ns:HændelseSamling>
         <ns:EFIHændelseStruktur>
    but the problem this :
    <soapenv:Body      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
         <ns:EFIBetalingOrdningMisligholdt_I      revision="string" xmlns:ns="http://skat.dk/begrebsmodel/2009/01/15/">
    question.
    How can I transforme :<ns:IMMultiHændelseModtag_I      revision="string" xmlns:ns="http://skat.dk/begrebsmodel/2009/01/15/"> to <soapenv:Body      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
         <ns:EFIBetalingOrdningMisligholdt_I      revision="string" xmlns:ns="http://skat.dk/begrebsmodel/2009/01/15/"> ?
    declare namespace xf = "http://skat.dk/begrebsmodel/2009/01/15/";
    declare namespace ns0 = "http://skat.dk/begrebsmodel/2009/01/15/";
    declare function xf:test($eFIBetalingOrdningMisligholdt_I1 as element(ns0:EFIBetalingOrdningMisligholdt_I))
    as element(ns0:IMMultiHændelseModtag_I) {
    let $EFIBetalingOrdningMisligholdt_I := $eFIBetalingOrdningMisligholdt_I1
    return
    <ns0:IMMultiHændelseModtag_I>
    <ns0:HændelseSamling>
    <ns0:EFIHændelseStruktur>
    let $KundeStruktur := $EFIBetalingOrdningMisligholdt_I/ns0:BetalingsordningMisligholdListe/ns0:Kunde[1]/ns0:KundeStruktur
    return
    <ns0:KundeStruktur>
    <ns0:KundeNummer>{ data($KundeStruktur/ns0:KundeNummer) }</ns0:KundeNummer>
    <ns0:KundeType>{ data($KundeStruktur/ns0:KundeType) }</ns0:KundeType>
    for $VirksomhedCVRNummer in $KundeStruktur/ns0:VirksomhedCVRNummer
    return
    <ns0:VirksomhedCVRNummer>{ data($VirksomhedCVRNummer) }</ns0:VirksomhedCVRNummer>
    for $KundeNavn in $KundeStruktur/ns0:KundeNavn
    return
    <ns0:KundeNavn>{ data($KundeNavn) }</ns0:KundeNavn>
    for $DriftFormKode in $KundeStruktur/ns0:DriftFormKode
    return
    <ns0:DriftFormKode>{ data($DriftFormKode) }</ns0:DriftFormKode>
    for $EnkeltmandVirksomhedEjer in $KundeStruktur/ns0:EnkeltmandVirksomhedEjer
    return
    <ns0:EnkeltmandVirksomhedEjer>{ $EnkeltmandVirksomhedEjer/@* , $EnkeltmandVirksomhedEjer/node() }</ns0:EnkeltmandVirksomhedEjer>
    </ns0:KundeStruktur>
    <ns0:IndholdValg>
    <ns0:EFIBetalingOrdningMisligholdtStruktur>
    let $BetalingsOrdningliste := $EFIBetalingOrdningMisligholdt_I/ns0:BetalingsordningMisligholdListe/ns0:Kunde[1]/ns0:BetalingsOrdningliste
    return
    <ns0:BetalingsOrdningliste>
    for $MisligholdtBetalingsordning in $BetalingsOrdningliste/ns0:MisligholdtBetalingsordning
    return
    <ns0:MisligholdtBetalingsordning>
    <ns0:BetalingOrdningEFIIndsatsID>{ data($MisligholdtBetalingsordning/ns0:BetalingOrdningEFIIndsatsID) }</ns0:BetalingOrdningEFIIndsatsID>
    <ns0:BetalingOrdningID>{ data($MisligholdtBetalingsordning/ns0:BetalingOrdningID) }</ns0:BetalingOrdningID>
    <ns0:BetalingOrdningRateID>{ data($MisligholdtBetalingsordning/ns0:BetalingOrdningRateID) }</ns0:BetalingOrdningRateID>
    <ns0:BetalingOrdningRateSRBDato>{ data($MisligholdtBetalingsordning/ns0:BetalingOrdningRateSRBDato) }</ns0:BetalingOrdningRateSRBDato>
    <ns0:BetalingOrdningRateBeløbStruktur>{ $MisligholdtBetalingsordning/ns0:BetalingOrdningRateBeløbStruktur/@* , $MisligholdtBetalingsordning/ns0:BetalingOrdningRateBeløbStruktur/node() }</ns0:BetalingOrdningRateBeløbStruktur>
    </ns0:MisligholdtBetalingsordning>
    </ns0:BetalingsOrdningliste>
    </ns0:EFIBetalingOrdningMisligholdtStruktur>
    </ns0:IndholdValg>
    </ns0:EFIHændelseStruktur>
    </ns0:HændelseSamling>
    </ns0:IMMultiHændelseModtag_I>
    declare variable $eFIBetalingOrdningMisligholdt_I1 as element(ns0:EFIBetalingOrdningMisligholdt_I) external;
    xf:test($eFIBetalingOrdningMisligholdt_I1)
    I have called the business proxy alone it works.
    errors
    The invocation resulted in an error: .
         <soapenv:Envelope      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
         <soapenv:Body>
         <soapenv:Fault>
         <faultcode>soapenv:Server</faultcode>
         <faultstring>BEA-380000: Internal Server Error</faultstring>
         <detail>
         <con:fault      xmlns:con="http://www.bea.com/wli/sb/context">
         <con:errorCode>BEA-380000</con:errorCode>
         <con:reason>Internal Server Error</con:reason>
         <con:location>
         <con:node>RouteNode1</con:node>
         <con:path>response-pipeline</con:path>
         </con:location>
         </con:fault>
         </detail>
         </soapenv:Fault>
         </soapenv:Body>
         </soapenv:Envelope>
         System Error Handler
    $fault:      
         <con:fault      xmlns:con="http://www.bea.com/wli/sb/context">
         <con:errorCode>BEA-380000</con:errorCode>
         <con:reason>Internal Server Error</con:reason>
         <con:location>
         <con:node>RouteNode1</con:node>
         <con:path>response-pipeline</con:path>
         </con:location>
         </con:fault>

    Thanks for answering.
    the situation is that I have to make a pass-trough proxyservice.
    That I have never done before.
    explanation:
    proxyservice A-calls business service B, B need password and user name, but proxyservice A does not have Process WS-Security Header to configured, so I have to create a pass-trough proxyService to call business Service B.
    What is the best way of doing that ?
    As I have read that to solve the problem one can set ./ctx:security/ctx:doOutboundWss to true, the only way I saw that was possible was by mean of xquery.
    I am trying to explaine the same situation here again:
    I have proxyService A that does not have :
    Process WS-Security Header in the configuration, that mean I can not set it in my proxy Configuration by way of normal proxy configuration.
    But A is calling a BS that need security, so I want to create a pass-trough proxyservice.
    in order to do that, I want to set ./ctx:security/ctx:doOutboundWss to true in the request
    how can I set ./ctx:security/ctx:doOutboundWss to true in xq ?
    Tks

  • CUP. How to remove a deleted active Request Type from Request Access screen

    Hi,
    I created a new Request Type in CUP, assigned actions, marked it active and saved.
    I then deleted the Request Type without first marking it as inactive.
    The request type is still visible on the 'Request Access' page but no longer visible on the 'Request Type' screen in Configuration.
    Is there a way to remove this from the 'Request Access' page without rebooting?
    Thanks,
    Babak

    Dude I just helped you pass the 1000 point barrier.
    Excellent answer, refreshing the cache in the Miscellaneous section worked.
    Well done.

  • Site Access Request EMail not being sent

    Like others, my Access Request email messages aren't going out. I've read numerous blogs and such about this, but haven't found anything that is quite fitting my happenings.
    I'm using IIS 6 SMTP server on my SP server, Incoming Mail is configured as Advanced Mode, sites can receive mail (and some do and it works), No on SharePoint Directory Management Service, incoming email addy is configured and the e-mail drop folder is c:\inetpub\mailroot\drop.
    Outgoing mail points directly to my Exchange (2007) server, from and reply-to addys are configured, char set is 65001.
    As with others, outgoing email from SharePoint, other than access requests, is working. I get plenty of notices about documents changing, alerts, etc. But the alerts from Access Requests aren't going out. I found one blog somewhere that mentioned permissions
    to the \inetpub\mailroot folders, so I searched my ULS logs for system.net.mail issues, found one where it had an error about insufficient permissions to the \inetpub\mailroot\drop folder. Okay, seems odd, but what the heck, give it a shot. I grant some permissions
    to the drop folder and, surprise, the Outgoing Access Request EML file is dropped in the drop folder!
    But why? It should be going out to my Exchange server! I look in the message, there aren't any routing headers in the message indicating that it even tried the Exchange server, much less got bounced back to SP from Exchange. If I manually copy the EML file
    to the Pickup folder - off it goes and is properly mailed to my Exchange account.
    I don't get it.
    Thanks in advance,
    Steven

    Never mind. Stupid stupid stupid dumb dumb dumb...
    My IIS 7 .NET SMTP settings were to configured to drop outgoing mail in the DROP folder. Changed this setting to the Pickup folder and it starts working.
    Sorry for the interruption, now back to our regularly scheduled emergencies...
    Steven

  • Removing book from Adobe Content Server

    Hello.
    I would like to remove book from Adobe Content Server. I used answers from that thread http://forums.adobe.com/thread/621994 .I successfully removed book from distributor inventory but can not remove it from operator (built-in distributor) inventory. I got this error:
    data="E_ADEPT_DATABASE http://acs.authorcloudware.com:8080/admin/ManageResourceKey Cannot delete or update a parent row: a foreign key constraint fails (`adept`.`fulfillmentitem`, CONSTRAINT `fulfillmentitem_ibfk_2` FOREIGN KEY (`resourceid`) REFERENCES `resourcekey` (`resourceid`))"
    How can I delete data from 'fulfillmentitem' table from php script?
    Best regards,
    Tamara.

    Finally, I found a way to remove book from adobe content server. This article Public Knowledge Base helped me a lot.
    So, in order to remove book from acs you need to make 4 requests:
    - request to admin/ManageDistributionRights with distributor ID
    - request to admin/ManageDistributionRights built-in distributor ID
    - request to admin/ManageResourceItem
    - request to admin/ManageResourceKey
    This is how my requests look like:
    //Remove book from distributor
    <request action='delete' auth='builtin' xmlns='http://ns.adobe.com/adept'>
         <nonce>Mjc3MjQzMTI=</nonce>
         <expiration>2014-05-26T09:57:37+00:00</expiration>
         <distributionRights>
              <distributor>urn:uuid:3bbdd5ee-c325-4ba9-86d9-8cc428d725ac</distributor>
              <resource>urn:uuid:cd9879ce-7648-49ad-8202-243a54486938</resource>
         </distributionRights>
    </request>
    //Remove book from built-in distributor
    <request action='delete' auth='builtin' xmlns='http://ns.adobe.com/adept'>
         <nonce>MjYzNDA0ODQ=</nonce>
         <expiration>2014-05-26T09:57:38+00:00</expiration>
         <distributionRights>
              <distributor>urn:uuid:00000000-0000-0000-0000-000000000001</distributor>
              <resource>urn:uuid:cd9879ce-7648-49ad-8202-243a54486938</resource>
         </distributionRights>
    </request>
    //Remove Resource Item Info
    <request action='delete' auth='builtin' xmlns='http://ns.adobe.com/adept'>
         <nonce>MjYxMDgxOTI=</nonce>
         <expiration>2014-05-26T09:57:38+00:00</expiration>
         <resourceItemInfo>
              <resource>urn:uuid:cd9879ce-7648-49ad-8202-243a54486938</resource>
              <resourceItem>0</resourceItem>
         </resourceItemInfo>
    </request>
    //Remove the resource key
    <request action='delete' auth='builtin' xmlns='http://ns.adobe.com/adept'>
         <nonce>MjgyNjU2NDI=</nonce>
         <expiration>2014-05-26T09:57:39+00:00</expiration>
         <resourceKey>
              <resource>urn:uuid:cd9879ce-7648-49ad-8202-243a54486938</resource>
              <resourceItem>0</resourceItem>
         </resourceKey>
    </request>
    Value of "resourceItem" tag is important. Actually I didn't find description in documentation what this tag means. I found that this is optional resource item index and that default value is 1. But when I send delete request with 1 in <resourceItem> the last request, which remove resource key, return error. If you know what this tag mean please answer in this thread.

  • How do I access open tabs from other devices in Firefox 4 for desktop (windows version)

    I want to see the open tabs from other devices but I can't find how to access it.
    Where do I find them in firefox 4?
    I use the windows version.
    Thank you!

    This is for all versions (image attached below):
    1. In the top navigation (you might have to press the ALT key to reveal the menu), navigate to '''History - Tabs From Other Computers'''
    2. Alternatively; open a new tab and type '''about:sync-tabs''' then press enter.
    NB: When you open a tab in the 'Tabs From Other Computers' window it '''WILL NOT''' remove that tab from the other device.

  • Unable to remove sub-tab from portal page

    Hi,
    Get the following error when trying to remove a sub-tab from one of our portal pages;
    An unexpected error occurred: User-Defined Exception (WWC-44082)
    An unexpected error occurred: User-Defined Exception (WWC-44082)
    Error while deleting page. (WWC-44130)
    An unexpected error occurred: ORA-20100:
    ORA-06512: at "PORTAL.WWSBR_STDERR", line 437
    ORA-06512: at "PORTAL.WWV_THINGDB", line 4021
    ORA-01403: no data found
    ORA-01403: no data found (WWC-44082)
    An unexpected error has occurred (WWS-32100)
    ORA-1403: ORA-01403: no data found
    ORA-01403: no data found (WWC-36000)
    Unexpected error encountered in wwsec_api.remove_group_acl (ORA-01403: no data found
    ORA-01403: no data found) (WWC-41417)
    In advanced options for the tab, 'Inherit Access Settings From The Page' is selected.
    Under page access settings, the 'From page template' option is selected.
    Any ideas?
    Cheers,
    Chris

    Please report this problem to Oracle Support. This is not normal behaviour.

  • Removed user from group, user no longer has access to documents even though user is owner of documents

    I'm running a server 2012 std domain and I'm in the process of rebuilding our fileserver after we had some pretty serious permission issues. Bad permissions (Everyone had full access to user documents share) were migrated when we move to the new server and
    then by some strange Monday morning freak out all users lost access to their documents. I restored from backups, redirected everyone's folders back to local computer and started to reconfigure the share permissions. I moved our administration group back to
    the server after securing proper permissions for folder redirection (permissions copied from https://technet.microsoft.com/en-us/library/jj649078.aspx?f=255&MSPPError=-2147217396 table 1, only difference is instead of creating a new security group
    for redirection users, I used the everyone group) to test and everything went perfectly. The GPO created the users folders under the root and redirection was good to go. Along with that, other users cannot access other users documents anymore which was the
    intended outcome. 
    Last night I was looking at security groups and see that our administration group (back office group: accounting, HR, etc..) was a member of the domain admins. I removed them from the domain admins group and added them to the administrators group (they do
    need regular admin access) then went on like normal. This morning, all users in that group can no longer access their documents on the server. I immediately think that permissions were broken again and started to get angry, but then realize that all the files
    are still accessible on the server (no lost permissions like before) and the user is still shown as the owner with full permissions, but the files are inaccessible to those users. I re-added them to the domain admins group, logged out, logged back in and documents
    are back and accessible by the user. Remove them from the domain admins group, log out, log back in and the documents are inaccessible again. Re-add to the domain admins group and back to normal. 
    Which leads me to now. If the users are part of the domain admins group, they have access to their files. If they are removed from the domain admins group, they lose access. When they lose access, they are still the owners of the files/folders with full
    permissions, yet they can't access their documents. Also, just to add, the domain admins group has no specified permissions on the files or folders. See screenshots below..
    Here is the root share. 
    And the user's desktop folder. The folder is owned by the user with full permissions. This is the folder the redirection GPO created.
    Any ideas why removing the group from domain admins would drop access to their files? They are still the owners of the files and should have full access but they don't. Is there something I'm not seeing here?

    Effective Access shows the user has full control of the Desktop folder
    This is a problem with the Effective Access tab when using CREATOR OWNER.  As you have noticed, the user doesn't really have the access that the tab says it does.  This is because of how CREATOR OWNER works.
    CREATOR OWNER is only evaluated when a file/folder is created. 
    IF a user can create a file/folder, then the permissions assigned to CREATOR OWNER are copied to a new permissions entry for that user.
    To see this:
    Logon as an administrator and create a file in the Desktop folder in your screenshot.
    Examine the permissions of the new file.
    You'll see that there is a new entry for the account you logged on with.
    CREATOR OWNER is gone.  CREATOR OWNER would still be there if you created a folder (because of "subfolders and files").
    In the Desktop folder (in your screenshot), only SYSTEM and Administrator can create/access files.
    To fix this, you need to grant the users the ability to list the directory contents and create new files/folders.  This corresponds with the suggestion of Table 1 in the document you found.
    I see what you're saying about Administrators domain group. I'll just add them as local admins via GPO and that should solve that issue. 
    No, scary!  This will grant those users administrative permission on your server.  They will be able to see any file anywhere on that server.
    If your goal is to provide a place that is private for each user, then the simplest approach is to grant each user permission to their own folder.  Like this for Test User:
    Notes for above:
    I set the user's permission to Modify because there is no good reason why the user should change these permissions
    The owner of this folder is unimportant.  I leave it set to Administrators
    You can, and I do, remove CREATOR OWNER.  It adds no value in this situation and just causes confusion.
    As for the second screen shot, the *-Admins folder is the root to which Everyone has special permissions on and can create folders. The folder for M* was created by the GPO, which makes M* the owner to which they have Full control of subfolders and files.
    The GPO also created the Desktop folder, giving owner full permissions of subfolders and files. Inside the Desktop folder, permissions remain Full control for owner for subfolders and files. Even if it was the case that they only had permissions on subfolders
    and files, wouldn't each subfolder under that one be considered a subfolder and file of the top folder?
    If this works as you say, then Yes, it should work.  But, I don't see the entries for use M*.  Remember, there should be entries for the M* user that is a duplicate of CREATOR OWNER.
    I suspect that Group Policy is creating the directories (elevated) and then changing the owner to M* afterward.  This does not duplicate the CREATOR OWNER entries as needed.  If this is the case, I consider it a flaw because your permissions do
    not allow user M* to create files/folders, and group policy shouldn't bypass security.
    I'm not saying your wrong, I'm just curious why the technet article would advise Creator/Owner giving full control of subfolders and files only if that were not correct. I can add the permissions for the users easily, I just don't see why I need to give
    explicit permissions to access something when the GPO created those folders for me, which Microsoft recommends you allow. If the GPO can create folders and the folders are owned by the user, then the user can obviously add/create/modify/view those files and
    folders. 
    When I restored the data, no permission were reset. Permissions were restored to the wonky version where the Everyone group has full access to everything. Ownership of the files/folders remained the same.
    A couple things:
    The article instructed the use of Folder Redirection Users group that had permissions to create files.  Your examples didn't have that.  Because of this, your user could create new files.
    The article assumes that the directories you are creating will be empty.  Existing files will be unreadable to everyone except Admins.
    If you follow the directions in the article, then anyone in the Folder Redirection Users group can write files to anyone else's directory.
    One benefit of the document's approach is that all the users could be redirected to the same folder using the article, and it would work.  A benefit, I guess.
    But, I like my user's separate and unable to see each other's files -- at all.  This is why I recommend replacing CREATOR OWNER with the specific user.
    I believe this document is a "how to get it done" document, not necessarily a best practices document.  I see it as a starting point, and that's why I didn't follow it exactly.
    Lastly, CREATOR OWNER permissions are useful but confusing.  I avoid them unless I have the rare circumstance where they are perfect.
    When I restored the data, no permission were reset. Permissions were restored to the wonky version where the Everyone group has full access to everything. Ownership of the files/folders remained the same.
    To summarize:
    In the user's directory, you need to provide permission to list and create new files/folders, and you need grant the user permission to the existing files.
    -Tony

Maybe you are looking for