Powershell Script to Change Permissions No Longer Working

A while back I was setting Folder Redirection on a Server 2008 RTM Domain Controller using Group Policy.  Initially I configured the setting so that it would "Grant Users Exclusive Rights..", well it turns out that I needed Administrator account to have access as well.  I Googled and found a PowerShell script I could use at this website:

http://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/

It worked up until recently.  Here's the script I was using:

#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

$StartingDir = "D:\Shared\Users"

$Principal = "Administrator"

$Permission = "F"

# Build the confirmation prompt as one string: `n only expands to a newline
# inside double quotes, not as a bare token between Read-Host arguments.
$Prompt = "`nYou are about to change permissions on all files starting at $($StartingDir.ToUpper())" +
          "`nfor security principal $($Principal.ToUpper()) with new right of $($Permission.ToUpper()).`n" +
          "Do you want to continue? [Y,N]"
$Verify = Read-Host $Prompt

if ($Verify -eq "Y") {

    foreach ($file in $(Get-ChildItem $StartingDir -Recurse)) {
        # display filename and old permissions
        Write-Host -ForegroundColor Yellow $file.FullName
        # uncomment if you want to see old permissions
        #CACLS $file.FullName

        # ADD new permission with CACLS: /E edits the existing ACL instead of
        # replacing it, /P sets (or replaces) this principal's entry
        CACLS $file.FullName /E /P "${Principal}:${Permission}" > $null

        # display new permissions
        Write-Host -ForegroundColor Green "New Permissions"
        CACLS $file.FullName
    }
}

This script is supposed to bypass the need to take ownership of all these folders by using the System account from what I understand.  But now when I run the script I get this error on some select folders:

Get-ChildItem : Access to the path 'D:\Shared\Users\shawn.newman\Contacts' is denied.
At C:\PsTools\Changepermissions.ps1:22 char:34
+ foreach ($file in $(Get-ChildItem <<<<  $StartingDir -recurse)) {
    + CategoryInfo          : PermissionDenied: (D:\Shared\Users\shawn.newman\Contacts:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
 
Get-ChildItem : Access to the path 'D:\Shared\Users\shawn.newman\Desktop' is denied.
At C:\PsTools\Changepermissions.ps1:22 char:34
+ foreach ($file in $(Get-ChildItem <<<<  $StartingDir -recurse)) {
    + CategoryInfo          : PermissionDenied: (D:\Shared\Users\shawn.newman\Desktop:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
 
Get-ChildItem : Access to the path 'D:\Shared\Users\shawn.newman\Documents' is denied.
At C:\PsTools\Changepermissions.ps1:22 char:34
+ foreach ($file in $(Get-ChildItem <<<<  $StartingDir -recurse)) {
    + CategoryInfo          : PermissionDenied: (D:\Shared\Users\shawn.newman\Documents:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

This is only happening on a couple of new user accounts recently set up.  Anyone able to tell me what I'm doing wrong?
Asked: RyanHartwick

MisterTwelve commented:
Hi

Do you run the script with admin credentials? You need admin rights to change permissions on the file system.

RyanHartwick (Author) commented:
I do run it with admin rights.

ThinkPaper commented:
When you run this, did you verify the user was completely logged off? What happens when you try to manually access or take ownership of the file? We need to figure out if there is something corrupt with the profile itself. I'm thinking the script is not the issue, but maybe the folder.

RyanHartwick (Author) commented:
I don't run into any problems if I try to take ownership manually. I will verify the user is logged off tonight and get back to you.

RyanHartwick (Author) commented:
User is logged off and I'm still running into the issue. I also confirmed that we have run this script while other users are logged in without issue. Seems to be just a problem with these two new users.

RyanHartwick (Author) commented:
Any suggestions on what I should do next?

Qlemo (C++ Developer) commented:
The script is not using anything like a "System" account. How do you start it, which user is it running under? I suppose it is not the respective user (and hence owner of the folder)?
If you do not have appropriate access privileges for the folders, and unless you are the owner, you can't set permissions. In that case ownership has to be taken temporarily. I suppose you won't get the error message for files and folders whenever they are already set. As soon as the Admin permissions are removed, the script will fail.

Further, I don't think you need to make it more complicated than it is. The script looks clumsy, as cacls is able to commit the change to all subfolders, so there is no need for the Get-ChildItem loop. A simple
  cacls D:\Shared\Users /T /E /C /P Administrator:F
should do the same.

RyanHartwick (Author) commented:
I start the script by right clicking it and selecting "Run as Administrator".

We first ran this script after we made a group policy for folder redirection that granted "Exclusive Rights" to the users. We then wanted a script to insert the Administrator account into the ACL and I found the one listed in my original post on Google. The first time I ran it, it worked beautifully. So I'm at a loss as to why the script could appear to edit ACL entries without having ownership before. In fact, most of the user folders have the Administrator added to the ACL without changing the ownership, as I still see the user listed as the owner.

I would prefer not to have to take ownership of all the user folders unless necessary.

Chris Dent (PowerShell Developer) commented:
The original was impersonating SYSTEM, using -s in PSExec. Are you still using PSExec?

Chris

Qlemo (C++ Developer) commented:
Does that make any difference?

Chris Dent (PowerShell Developer) commented:
Yeah, users (including administrators) can't add themselves to ACLs without having some existing access, whether that's explicit in the ACL or implicit via ownership. SYSTEM, on the other hand, has a lot of extra rights and may still be able to make the change.

I figure it's worth a poke :) It's the only way I can see the script ever working without taking ownership first.

Chris
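The check Chris describes, as an added example that is not part of the thread or of the linked blog post: the script confirms that its own token is LocalSystem (SID S-1-5-18), relaunches itself under PsExec -s when it is not, and then adds the principal only to top-level user folders that do not already carry an explicit FullControl entry for it. The path D:\Shared\Users and the principal Administrator are taken from the question; that PsExec.exe is on PATH, the -accepteula flag, the Windows PowerShell / .NET Framework DirectoryInfo.GetAccessControl and SetAccessControl calls, and the -DryRun switch are my assumptions. Folder Redirection with "Grant the user exclusive rights" leaves only the user and SYSTEM in the DACL, which is why the SYSTEM hop works where an administrator gets Access denied.

```powershell
# Added example, not the script from the thread or the linked blog post.
# Assumes PsExec.exe is on PATH and that this file is saved to disk, because it
# relaunches itself. Path and principal defaults are taken from the question.
param(
    [string]$StartingDir = 'D:\Shared\Users',
    [string]$Principal   = 'Administrator',
    [switch]$DryRun
)

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Folders created with "Grant the user exclusive rights" carry ACEs for the user
# and SYSTEM only. An administrator who is neither owner nor in the DACL cannot
# even list them, so instead of taking ownership we hop to LocalSystem (S-1-5-18).
if ($me.User.Value -ne 'S-1-5-18') {
    $self = $MyInvocation.MyCommand.Path
    Write-Warning "Running as $($me.Name), not SYSTEM; relaunching under PsExec -s"
    $psexecArgs = @('-accepteula', '-s', 'powershell.exe', '-NoProfile',
                    '-ExecutionPolicy', 'Bypass', '-File', $self,
                    '-StartingDir', $StartingDir, '-Principal', $Principal)
    if ($DryRun) { $psexecArgs += '-DryRun' }
    & psexec.exe $psexecArgs
    exit $LASTEXITCODE
}

# One explicit, inheritable FullControl ACE for the principal.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

foreach ($dir in (Get-ChildItem -Path $StartingDir | Where-Object { $_.PSIsContainer })) {
    # Read owner and DACL only (needs READ_CONTROL). The owner is never written back.
    $acl = $dir.GetAccessControl('Access,Owner')
    $granted = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl -and
        $_.IdentityReference.Value -match ('(^|\\)' + [regex]::Escape($Principal) + '$')
    }
    if ($granted) {
        Write-Host -ForegroundColor Green "$($dir.FullName): $Principal already has FullControl (owner $($acl.Owner))"
        continue
    }
    Write-Host -ForegroundColor Yellow "$($dir.FullName): adding $Principal (owner $($acl.Owner))"
    if (-not $DryRun) {
        $acl.AddAccessRule($rule)
        # DirectoryInfo.SetAccessControl writes only the section we changed (the
        # DACL), which needs WRITE_DAC. Set-Acl would also rewrite the owner, which
        # can fail without SeRestorePrivilege when the caller is not that owner.
        $dir.SetAccessControl($acl)
    }
}
```

Run it once from an elevated prompt with -DryRun first: the first process prints the warning and exits with whatever the PsExec-hosted second process returns, and the second process lists each folder with its owner and whether the ACE would be added. Because the ACE is added with (OI)(CI) on the top-level folder, there is no need to walk every file as the original CACLS loop does; inheritance carries it down.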
 
RyanHartwick (Author) commented:
Thanks Chris,

I was missing the PSExec thing, you were right!

Qlemo (C++ Developer) commented:
I hinted in http:#a37058139 that you are not using SYSTEM anywhere ...

RyanHartwick (Author) commented:
Sorry Qlemo, it was really Chris who pointed to the PSExec utility that helped me get this solved.

Adam Ray commented:
I've accomplished something similar in a way that doesn't require PsExec. I use PsExec all the time, but I wanted to run this as a scheduled task, so it was easier to do without it.

Note, my script has slightly different behavior, so be sure to inspect it before running. And be sure to have sensible permissions on the mainDir, e.g. only allow Domain Users to list this folder, but not applied onto subfolders.

<#
Script to reset user folder permissions.
Uses: icacls.exe and takeown.exe
Tested on Server 2008 R2 x64
For all folders in the base folder:
1. Recursively reset owner to Administrators
2. Reset folder to inherit permissions and apply to subfolders/files, clearing any existing perms
3. Add user (based on folder name) with full control and apply to subfolders/files
4. Recursively reset owner to user (based on folder name)
#>

$mainDir = "E:\Users\FolderRedirections"
Write-Output $mainDir
$dirs = Get-ChildItem "$mainDir" | Where-Object { $_.PSIsContainer }
foreach ($dir in $dirs) {
  Write-Output $dir.FullName
  # 1. take ownership recursively; /D Y answers the confirmation prompt
  takeown.exe /F $($dir.FullName) /R /D Y | Out-Null
  # 2. drop explicit ACEs and re-enable inheritance (/T recurse, /C continue on errors, /L act on symlinks, /Q quiet)
  icacls.exe $($dir.FullName) /reset /T /C /L /Q
  # 3. grant the account named by the folder Full Control
  icacls.exe $($dir.FullName) /grant ($($dir.BaseName) + ":F") /T /C /L /Q
  # 4. hand ownership back to that account
  icacls.exe $($dir.FullName) /setowner $($dir.BaseName) /T /C /L /Q
}

RyanHartwick (Author) commented:
Thanks for adding the comment, I'll have to try this out.

Adam Ray commented:
There was a bug in my script above; the following line needs to be changed:
icacls.exe $($dir.FullName) /grant ($($dir.BaseName) + ':(OI)(CI)F') /C /L /Q
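Adam's script grants Full Control to whatever account a folder happens to be named after and relies on icacls failing when the name does not resolve. The added example below (my code, not Adam's) resolves each folder name to a SID first, refuses anything that is not an ordinary domain account, and only then runs the same takeown/icacls sequence with his corrected (OI)(CI) grant. Assumptions: the root path from his post, that folder names are sAMAccountNames in the machine's own domain ($env:USERDOMAIN), that icacls accepts a raw SID prefixed with `*`, the RID-below-1000 cutoff as a heuristic for built-in accounts and groups, and the -DryRun switch.

```powershell
# Added example, not Adam Ray's script. Assumes the root path from the comment above,
# that each folder name is the sAMAccountName of the user it belongs to, and that the
# account lives in the domain of the machine running the script.
param(
    [string]$MainDir = 'E:\Users\FolderRedirections',
    [string]$Domain  = $env:USERDOMAIN,
    [switch]$DryRun
)

function Resolve-FolderAccount {
    # Map a folder name to a SID. Returns $null when the name does not resolve, or when it
    # resolves to something we refuse to grant on: anything outside the domain (BUILTIN,
    # NT AUTHORITY) or a domain principal with a well-known RID below 1000 (Administrator
    # = 500, Domain Admins = 512, Domain Users = 513, ...). This is a heuristic; it does
    # not reject ordinary groups created after the domain was built.
    param([string]$Name, [string]$Domain)
    try {
        $account = New-Object System.Security.Principal.NTAccount($Domain, $Name)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
    if (-not $sid.IsAccountSid()) { return $null }      # not S-1-5-21-<domain>-<rid>
    $rid = [int]($sid.Value.Split('-')[-1])
    if ($rid -lt 1000) { return $null }
    return $sid
}

function Reset-UserFolder {
    param([System.IO.DirectoryInfo]$Dir,
          [System.Security.Principal.SecurityIdentifier]$Sid,
          [switch]$DryRun)
    $path = $Dir.FullName
    $who  = '*' + $Sid.Value   # icacls takes a raw SID prefixed with '*', so no second name lookup
    Write-Host "$path -> $($Sid.Value)"
    if ($DryRun) { return }
    # 1. become owner, so the reset below cannot be blocked by the user's exclusive ACL
    takeown.exe /F $path /R /D Y | Out-Null
    # 2. drop every explicit ACE in the tree and re-enable inheritance from $MainDir
    icacls.exe $path /reset /T /C /L /Q
    # 3. one inheritable FullControl ACE on the top folder is enough after the reset
    icacls.exe $path /grant "${who}:(OI)(CI)F" /C /L /Q
    # 4. give ownership back to the user
    icacls.exe $path /setowner $who /T /C /L /Q
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls exited with $LASTEXITCODE on $path" }
}

foreach ($dir in (Get-ChildItem -Path $MainDir | Where-Object { $_.PSIsContainer })) {
    $sid = Resolve-FolderAccount -Name $dir.Name -Domain $Domain
    if ($sid -eq $null) {
        Write-Warning "$($dir.FullName): '$($dir.Name)' is not an ordinary domain account, skipping"
        continue
    }
    Reset-UserFolder -Dir $dir -Sid $sid -DryRun:$DryRun
}
```

Run with -DryRun to see the folder-to-SID mapping and the skips before anything is changed. Resolving the name up front also means a stray folder such as "Administrators" or "Domain Admins" under the redirection root is reported and left alone rather than turned into a group-wide Full Control grant.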
