How to restore Administrators’ access to redirected My Documents folders

If you followed Microsoft’s Best practices for Folder Redirection, you accepted the default settings and allowed the system to create the folders.

The problem is that by default, the Grant the user exclusive rights to My Documents check box is selected, with the following consequence (quote from the Technet library article about folder redirection):

If you select this check box, the user and the local system have full control over the folder, and no one else, not even the administrator, has any rights to it. If you clear this check box, no changes are made to the permissions on the folder. Whatever permissions are in effect by default remain in effect.

This means that if you already have a set of redirected My Documents folders created that way and need to get into them, the only documented way back in is to take ownership of each folder (members of Administrators hold the Take ownership privilege, so this always works, but it is manual) and then edit the permissions to give the Administrators group full control. Taking ownership also changes the owner recorded on the folder, which matters if you use NTFS quotas, since disk usage is charged to the owner. I found a better way.

If you are only now setting up folder redirection and want to be sure that administrators keep access to the folders, follow the steps in the article Enabling the administrator to have access to redirected folders. For everybody else, read on.

The trick is that the local system account keeps full control over every one of these folders, and PsExec can run a command as that account (the -s switch). If the command is a PowerShell script that grants full control to a group you belong to, the problem is solved. It is worth pausing on what this shows: any member of the server's local Administrators group can run as SYSTEM this way, so "exclusive rights" keeps other users out of a redirected folder but is not a confidentiality boundary against whoever administers the file server.

Here is what you need to do:

1. Download PsExec (part of the Sysinternals suite) and install PowerShell. Both need to be on the computer (probably a server) hosting the redirected folders, because the command in step 3 runs locally on that machine.

2. Edit the $StartingDir and $Principal variables in the following script to match your environment. $StartingDir is the path to the shared folder that holds all your users' redirected My Documents folders; $Principal is the name of the local user or local group that should be granted the permission. I used a local group because the script runs under the local system account. On a domain-joined server, SYSTEM can usually resolve domain names as well (it authenticates to the domain as the computer account), so DOMAIN\Group may work directly; if name resolution fails, grant a local group first and add domain users and/or groups as yourself in step 4.

#ChangePermissions.ps1
# CACLS rights are:
#   F = Full Control
#   C = Change
#   R = Read
#   W = Write

# Root of the share that holds the redirected folders (one subfolder per user)
$StartingDir = "C:\Users"

# Local user or group to grant; see step 4 for domain principals
$Principal = "Administrators"

$Permission = "F"

$Verify = Read-Host ("`nYou are about to change permissions on all files starting at " +
    $StartingDir.ToUpper() + "`nfor security principal " + $Principal.ToUpper() +
    " with new right of " + $Permission.ToUpper() + ".`nDo you want to continue? [Y,N]")

if ($Verify -eq "Y") {
    # -Force includes hidden and system files, which user profiles are full of
    foreach ($file in $(Get-ChildItem $StartingDir -Recurse -Force)) {
        # display the file name
        Write-Host -ForegroundColor Yellow $file.FullName
        # uncomment if you want to see the old permissions
        # CACLS $file.FullName

        # add the new permission with CACLS: /E edits the ACL instead of replacing it,
        # /P replaces any existing entry for this principal with the new right
        CACLS $file.FullName /E /P "${Principal}:${Permission}" > $null

        # display the new permissions
        Write-Host -ForegroundColor Green "New Permissions"
        CACLS $file.FullName
    }
}

Note: This script is a simplified version of Don Jones’ script found here: http://technet.microsoft.com/en-us/magazine/2008.02.powershell.aspx. Check it out for more options.

3. Now run the script through PsExec under the local system account. The command line below runs PsExec on the current computer (no \\computer argument), and the -noexit switch keeps the PowerShell window open after the script finishes so you get a chance to read the output. If the server's execution policy refuses to run the .ps1 file (Restricted is the default), either change it with Set-ExecutionPolicy or, on PowerShell 2.0 and later, add -ExecutionPolicy Bypass to the powershell command line.

Here is what you need to type at the command prompt (changing the paths and file names to match your environment):

>psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1'"

The -i switch makes the PowerShell window visible on the desktop. If you use Remote Desktop to connect to your server, connect to the console session (mstsc /admin on Windows Server 2008 and later, mstsc /console on older versions) or you will not see any output. Alternatively, look up your session number with query session and pass it to PsExec explicitly, for example psexec -s -i 2 powershell ... .

4. Now that the local Administrators group has full control over all files and folders (and assuming you are a member of that group), you can run the script again as yourself, from an ordinary PowerShell prompt without PsExec, to give domain users and groups full control, using the DOMAIN\user or DOMAIN\group format for the $Principal variable.

5. Done!
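As a single worked version of steps 2 to 4, here is an added example; it is an editorial addition, not the post's own script and not the author's code. Instead of adding an explicit entry to every file with CACLS, it grants one inheritable Full Control entry per user folder with icacls (available on Windows Server 2008 and later) and audits owner and access before and after, which also answers the question of what the permissions look like on either side of the change. The script name Grant-RedirectedFolderAccess.ps1, the root E:\Users and the principal Administrators are assumptions; the folder layout assumed is one subfolder per user directly under the root.

```powershell
<#
  Added example (editorial, not the original post's script).
  Assumed: $RootPath holds one subfolder per user (e.g. E:\Users\jdoe).
  Run it as SYSTEM the same way as step 3, for example:
    psexec -s -i powershell -NoExit -ExecutionPolicy Bypass -File C:\Tools\Grant-RedirectedFolderAccess.ps1 -RootPath E:\Users
  Add -WhatIf to see what would change, or -AuditOnly to only report.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$RootPath,

    # icacls resolves the name, so DOMAIN\Group works here as well as a local group.
    [string]$Principal = 'Administrators',

    [switch]$AuditOnly
)

# One row per user folder: owner, whether $Principal already holds Full Control,
# whether the folder still inherits from the share root, and any access error.
function Get-RedirectedFolderAccess {
    param([string]$Path, [string]$Principal)

    Get-ChildItem -Path $Path -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_
        try {
            $acl  = Get-Acl -Path $folder.FullName -ErrorAction Stop
            $rule = $acl.Access | Where-Object {
                $_.IdentityReference.Value -match ('(^|\\)' + [regex]::Escape($Principal) + '$') -and
                $_.AccessControlType -eq 'Allow' -and
                $_.FileSystemRights -eq 'FullControl'
            }
            New-Object PSObject -Property @{
                Folder         = $folder.FullName
                Owner          = $acl.Owner
                HasFullControl = [bool]$rule
                Inherits       = -not $acl.AreAccessRulesProtected
                Error          = $null
            }
        } catch {
            # Run as a locked-out administrator, this branch is the symptom itself:
            # the folder's security descriptor cannot be read. As SYSTEM it should not fire.
            New-Object PSObject -Property @{
                Folder = $folder.FullName; Owner = $null; HasFullControl = $false
                Inherits = $null; Error = $_.Exception.Message
            }
        }
    }
}

# Grant one inheritable ACE per user folder. (OI)(CI) makes it flow down to the
# existing and future files and subfolders that inherit from that folder, so the
# ACL is not rewritten object by object. /C continues past errors, /Q is quiet.
function Grant-RedirectedFolderAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path, [string]$Principal)

    Get-ChildItem -Path $Path -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_
        if ($PSCmdlet.ShouldProcess($folder.FullName, "icacls /grant ${Principal}:(OI)(CI)F")) {
            $output = & icacls.exe $folder.FullName /grant "${Principal}:(OI)(CI)F" /C /Q 2>&1
            if ($LASTEXITCODE -ne 0) { Write-Warning "$($folder.FullName): $output" }
        }
    }
}

Write-Host "Before:" -ForegroundColor Yellow
Get-RedirectedFolderAccess -Path $RootPath -Principal $Principal |
    Format-Table Folder, Owner, HasFullControl, Inherits, Error -AutoSize

if (-not $AuditOnly) {
    Grant-RedirectedFolderAccess -Path $RootPath -Principal $Principal

    Write-Host "After:" -ForegroundColor Green
    $after = Get-RedirectedFolderAccess -Path $RootPath -Principal $Principal
    $after | Format-Table Folder, Owner, HasFullControl, Inherits, Error -AutoSize

    # Anything still listed here was not reached (icacls error above, a name that
    # did not resolve) and needs a manual look before you rely on the access.
    $after | Where-Object { -not $_.HasFullControl } |
        ForEach-Object { Write-Warning "Still no Full Control: $($_.Folder)" }
}
```

The grant is made on the user folder only: files and subfolders below it pick up the inheritable entry automatically, while any child whose inheritance was switched off stays as it was, so check the "After" table rather than assuming every object was reached. The owner column is left untouched on purpose, which is the main difference from the takeown-based approach.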


17 responses to “How to restore Administrators’ access to redirected My Documents folders”

  1. Oh thanks, it's nice information

  2. Thanks man! Exactly what I needed!

  3. I tried your script on an SBS 2008 server and I get the “Access is denied” message when running it on the redirect folder.
    Do you have any idea how to make this work on an SBS 2008 64-bit server?

  4. @Gerhard

    (I think I'm necroing this, and if so I'm sorry)

    I think that in SBS 2008, if you use the SBS console to enable redirection, the system will create the folders with the ACL already set for the redirection folder. I'm labbing with this myself, but I think one solution (which I'm testing tomorrow) is to not use the SBS console but instead make your own Group Policy object for redirection.

    Then use the script here BEFORE you start redirection. So that you as admin will have full access to the folder and all child objects.

    After that apply your GPO.

  5. I just succeeded with setting user rights on a SBS2008 with this script.
    You need to use the Domain Administrators group, not the local Administrators, to get it to work (since an SBS 2008 is a domain controller, no local accounts exist).
    Pretty sure this will work on any language SBS since I did it on a Swedish one;
    “Domain Administrators”-group is named “Domänadministratörer” on a Swedish SBS2008 and it worked as a charm anyway, despite the “ö”.

    Just type the row:
    $Principal="Administrators"

    as this:
    $Principal="DOMAINNAME\Domainadministrators"
    and you're set!

    Cheers and thanks for the script!

    /Per Dahlström, Partnerdata, Karlstad, Sweden

  6. I have been struggling with this issue, but I think I solved it. I posted my findings, method and script here:
    http://community.spiceworks.com/topic/79169?page=2#entry-664957

  7. Thanks for sharing,

    I got this error: PsExec could not start powershell

  8. This works great…I made the rookie mistake on my first SBS 2011 deployment…some notes:

    1. Set up permissions per M$ document first next time…but if you didn’t
    2. Edit the SBS GPO for folder redirection to uncheck the per user rights restriction. You can still use the SBS console to assign folder redirection going forward, just don’t run the main wizard – do it per user as all that does is add the user to the group that the GPO applies.
    3. Run the script as advised to add administrators to all existing without damaging current perms.
    3a. You can use just “administrators” as it assumes “DOMAIN\administrators”
    3b. You can’t connect to console from a RDP in SBS 2011, but shell output works fine.
    4. Now go back and follow the M$ document so all future users will be secured properly.

  9. My solution to this problem took a slightly different approach. Some may find it helpful... just be sure to have sensible permissions on the mainDir (e.g. Domain Users should only be able to list contents and read permissions, on that folder only).

    $mainDir = "E:\Users\FolderRedirections"
    write-output $mainDir
    $dirs = gci "$mainDir" |? {$_.psiscontainer}
    foreach ($dir in $dirs){
        write-output $dir.fullname
        takeown.exe /F $($dir.fullname) /R /D Y |out-null
        icacls.exe $($dir.fullname) /reset /T /C /L /Q
        icacls.exe $($dir.fullname) /grant ($($dir.basename) + ":F") /T /C /L /Q
        icacls.exe $($dir.fullname) /setowner $($dir.basename) /T /C /L /Q
    }

    • the comments were stripped out…

      Script to reset user folder permissions.
      Uses: icacls.exe and takeown.exe
      Tested on Server 2008 R2 X64
      For all folders in base folder:
      1. Recursively resets owner to Administrators
      2. Reset folder to inherit permissions and apply to subfolders/files, clearing any existing perms
      3. Add user (based on folder name) with full control and apply to subfolders/files
      4. Recursively reset owner to user (based on folder name)

    • There was a bug in my script above, the following line needs to be changed:

      icacls.exe $($dir.fullname) /grant ($($dir.basename) + ':(OI)(CI)F') /C /L /Q

  10. Edit the script to include the -force switch to include hidden folders
    foreach ($file in $(Get-ChildItem -force $StartingDir -recurse)) {

    HTH

    Ray

  11. Can anyone advise exactly what the permissions will be before and after this script is run, i.e. owner, full control access, etc.?

  12. awesome post!! thanks.

  13. Just to verify on SBS 2011 I left the administrators as is. (it added rights as domain\administrators). I also added the -force option like Ray Pinkerton suggested too.

    thanks again all esp. OP

  14. Thanks for posting this script, saved me a heap of time after someone messed with our redirected folder permissions!

  15. Can anyone confirm this works with Server 2012 R2 Essentials?
