How can I use the cacls command to add the "administrators" group to all roaming profiles stored on the server so I can access them?

Posted on 2007-10-10
Last Modified: 2010-05-18
In Windows Server 2003, how can I use the cacls command to add the "administrators" group to all roaming profiles stored on the server so I can access them?

I want to do this to avoid having to change permissions individually on each profile.
Question by:BannerCountySchool
    LVL 38

    Accepted Solution

    If necessary, take ownership of the folder containing all of the roaming profiles.  Then go to the command line, cd to that folder, and run the following:
    cacls *.* /T /E /C /G yourdomain\administrators:f

    It's possible to do this all at once using SUBINACL from the 2003 Resource Kit.

    Author Comment


         That's a good suggestion, but if I do that won't my users be unable to login as they will no longer own their individual profiles?  

    Let me know.

    LVL 38

    Expert Comment

    No.  They don't need to have ownership of the folders.  Their NTFS permissions should be unaffected as long as you use the /E switch with CACLS.  This causes it to edit ACLs instead of overwriting the existing permissions.

    Author Comment

         In the little research I've done, the CACLS command with the switches you've suggested won't change permissions.  Cool.  However, when I take ownership of those file folders all of the existing permissions will be erased (this happens every time I take ownership of an individual file folder; I assume it will happen when I take ownership of the parent folder).   Thus, my users won't be able to login because they will not be listed in the permissions.

    CACLS is the solution, if I can get it to run.

    Thanks much for your input.


    Featured Post

    Do You Know the 4 Main Threat Actor Types?

    Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

    Join & Write a Comment

    I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
    Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now