A VDI data-drive root can create folders but not files: how to repair the ACL consistently

Review advanced root permissions, OI/CI inheritance, user SIDs, persistent disks, and the master image, then repair through a pilot and controlled script or GPO rollout.

1. Conclusion and scope

Prepare the client and server versions, domain membership, DNS and gateway settings, network location, full error text, event timestamps, and recent changes. The reserved example domain corp.example is used throughout; no customer domain, IP address, account, or device identifier is included.

This issue falls under VMware Horizon and VDI. Logs and configuration can often be collected remotely first. Bulk permission changes, switch-path work, production cutovers, and recovery drills should use a controlled implementation window.

2. Symptoms and environment

• Capture the complete error text, event-log timestamp, and failed action rather than relying on a verbal description.
• Record the affected scope, first occurrence, reproducibility, and whether the result changes on another subnet.
• For Horizon lag and disconnects, measure round-trip latency, jitter, packet loss, and bursts of congestion; a normal average ping is not sufficient.

3. Troubleshooting sequence

1. For VDI data-drive issues, check the root ACL, OI/CI inheritance, user SID, master-image settings, and persistent-disk attachment state.
2. If a user can create folders but cannot create or save files, the Create Files/Write Data and Create Folders/Append Data rights are usually applied with different inheritance scopes.
3. Review inheritance scope on the root and child folders, including whether ACEs apply to this folder, subfolders, and files.
4. Use Effective Access to evaluate the permissions inherited through group membership, ACL inheritance, and explicit deny entries.
5. Change one variable at a time and export the current configuration before making changes.
6. Capture the complete error text, event-log timestamp, and failed action rather than relying on a verbal description.

icacls D:\ /save "%TEMP%\d-drive-acl.txt" /t

4. Safe remediation and rollout

Start with read-only queries, configuration exports, and one-system validation. Once the root cause is confirmed, define the target scope, change window, and rollback method. Test master-image or GPO changes in a pilot pool and validate sign-in, data drives, printing, redirection, and business applications before production rollout.

• Use Effective Access to evaluate the permissions inherited through group membership, ACL inheritance, and explicit deny entries.
• Change one variable at a time and export the current configuration before making changes.
• Capture the complete error text, event-log timestamp, and failed action rather than relying on a verbal description.

5. Validation, rollback and common mistakes

Do not stop when the service works once. Revalidate with the user workflow, logs, a restart or fresh sign-in, another network location where relevant, and the next policy or backup cycle.

Validation and rollback checks

• Change one variable at a time and export the current configuration before making changes.
• Validate the Horizon sign-in chain by segment: client, Connection Server, domain authentication, desktop agent, display protocol, and user profile.
• Clipboard, drag-and-drop, and client-drive redirection are separate channels; validate direction, exceptions, and the actual data path independently.

Common mistakes to avoid

• Adding VM CPU or memory without checking the network and authentication path.
• Changing master-image permissions without a snapshot and rollback point.
• Treating separate redirection channels as a single control.