HALP! I've inherited a permissions nightmare for redirected folders/home directories
Solution 1:
With thanks to JScott for referring me to the System.Security.Principal... class or method or whatever it is, some PowerShell to replace the ACLs on a bunch of subfolders with those that are appropriate for user home directories:
$Root = "Path to the root folder that holds all the user home directories"
$Paths = Get-ChildItem $Root | Select-Object -Property Name,FullName
$DAAR = New-Object system.security.accesscontrol.filesystemaccessrule("MyDomain\Domain Admins","FullControl","ContainerInherit, ObjectInherit","None","Allow")
#Domain Admin Access Rule.
$SysAR = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","ContainerInherit, ObjectInherit","None","Allow")
#SYSTEM Access Rule.
foreach ($Folder in $Paths)
{
Write-Host "Generating ACL for $($folder.FullName) ... "
#For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output.
$ACL = New-Object System.Security.AccessControl.DirectorySecurity
#Creates a blank ACL object to add access rules into, also blanks out the ACL for each iteration of the loop.
$objUser = New-Object System.Security.Principal.NTAccount("MyDomain\"+$folder.name)
#Creating the right type of User Object to feed into our ACL, and populating it with the user whose folder we're currently on.
$UserAR = New-Object system.security.accesscontrol.filesystemaccessrule( $objuser ,"FullControl","ContainerInherit, ObjectInherit","None","Allow")
#Access Rule for the user whose folder we're dealing with during this iteration.
$acl.SetOwner($objUser)
$acl.SetAccessRuleProtection($true, $false)
#Change the inheritance/propagation settings of the folder we're dealing with
$acl.SetAccessRule($UserAR)
$acl.SetAccessRule($DAAR)
$acl.SetAccessRule($SysAR)
Write-Host "Changing ACL on $($folder.FullName) to:"
$acl | fl
#For error handling purposes - not all folders will map to a user of the exact same name, this makes them easier to handle when viewing the output.
Set-Acl -Path $Folder.Fullname -ACLObject $acl
}
Solution 2:
The previous answer won't work IF the home folders/redirected folders were set up with "Grant the user exclusive rights". This is because when this option is selected which is not recommended, only SYSTEM and THE USER have rights to the folder. You then cannot change the perms (even as admin) without taking ownership of the folder.
This IS a method to work-around this WITHOUT taking ownership. It is a two-step process.
Create a powershell script that runs ICACLS to modify the perms on the folders & subfolders.
run PSexec to kickoff Powershell script.
taken and modified from: https://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/
1 Create/copy/steal powershell script (requires PS 3.0 or better)
#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write
$StartingDir= "c:\shares\users" ##Path to root of users home dirs
$Principal="domain\username" #or "administrators"
$Permission="F"
$Verify=Read-Host `n "You are about to change permissions on all" `
"files starting at"$StartingDir.ToUpper() `n "for security"`
"principal"$Principal.ToUpper() `
"with new right of"$Permission.ToUpper()"."`n `
"Do you want to continue? [Y,N]"
if ($Verify -eq "Y") {
foreach ($FOLDER in $(Get-ChildItem -path $StartingDir -directory -recurse)) {
$temp = $Folder.fullname
CACLS `"$temp`" /E /P `"${Principal}`":${Permission} >$NULL
#write-host $Folder.FullName
}
}
- run PSEXEC, it operates as the SYSTEM account and therefore can change the perms on the folder that only SYSTEM and the user have access to. Install and run PSexec. https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
From Command Line:
psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1'"