RyanHartwick asked:
Powershell Script to Change Permissions No Longer Working

A while back I was setting Folder Redirection on a Server 2008 RTM Domain Controller using Group Policy.  Initially I configured the setting so that it would "Grant Users Exclusive Rights..", well it turns out that I needed Administrator account to have access as well.  I Googled and found a PowerShell script I could use at this website:

http://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/

It worked up until recently.  Here's the script I was using:

#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

$StartingDir = "D:\Shared\Users"

$Principal = "Administrator"

$Permission = "F"

# Build the confirmation prompt as a single string and hand it to -Prompt
$Message = "You are about to change permissions on all files starting at $($StartingDir.ToUpper()) " +
           "for security principal $($Principal.ToUpper()) " +
           "with new right of $($Permission.ToUpper()).`n" +
           "Do you want to continue? [Y,N]"
$Verify = Read-Host -Prompt $Message

if ($Verify -eq "Y") {

    # Get-ChildItem enumerates as the account running the script; folders that
    # account cannot read produce an "Access ... is denied" error and are skipped
    foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
        #display filename and old permissions
        Write-Host -ForegroundColor Yellow $file.FullName
        #uncomment if you want to see old permissions
        #CACLS $file.FullName

        #ADD new permission with CACLS (/E = edit ACL instead of replacing it, /P = set rights for principal)
        CACLS $file.FullName /E /P "${Principal}:${Permission}" > $null

        #display new permissions
        Write-Host -ForegroundColor Green "New Permissions"
        CACLS $file.FullName
    }
}




This script is supposed to bypass the need to take ownership of all these folders by using the System account from what I understand.  But now when I run the script I get this error on some select folders:

Get-ChildItem : Access to the path 'D:\Shared\Users\shawn.newman\Contacts' is denied.
At C:\PsTools\Changepermissions.ps1:22 char:34
+ foreach ($file in $(Get-ChildItem <<<<  $StartingDir -recurse)) {
    + CategoryInfo          : PermissionDenied: (D:\Shared\Users\shawn.newman\Contacts:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
 
Get-ChildItem : Access to the path 'D:\Shared\Users\shawn.newman\Desktop' is denied.
At C:\PsTools\Changepermissions.ps1:22 char:34
+ foreach ($file in $(Get-ChildItem <<<<  $StartingDir -recurse)) {
    + CategoryInfo          : PermissionDenied: (D:\Shared\Users\shawn.newman\Desktop:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
 
Get-ChildItem : Access to the path 'D:\Shared\Users\shawn.newman\Documents' is denied.
At C:\PsTools\Changepermissions.ps1:22 char:34
+ foreach ($file in $(Get-ChildItem <<<<  $StartingDir -recurse)) {
    + CategoryInfo          : PermissionDenied: (D:\Shared\Users\shawn.newman\Documents:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand



This is only happening on a couple of new user accounts recently set up.  Anyone able to tell me what I'm doing wrong?
MisterTwelve:

Hi

Do you run the script with admin credentials? You need admin rights to change permissions on the file system.
RyanHartwick (asker):
I do run it with admin rights.
When you run this, did you verify the user was completely logged off? What happens when you try to manually access or take ownership of the file? We need to figure out if there is something corrupt with the profile itself. I'm thinking the script is not the issue, but maybe the folder.

I don't run into any problems if I try to take ownership manually.  I will verify the user is logged off tonight and get back to you.

User is logged off and I'm still running into the issue.  I also confirmed that we have run this script while other users are logged in without issue.  Seems to be just a problem with these two new users.
Any suggestions on what I should do next?
The script is not using anything like a "System" account. How do you start it? Which user is it running under? I suppose it is not the respective user (and hence owner of the folder)?
If you do not have appropriate access privileges for the folders, and unless you are the owner, you can't set permissions. Taking ownership temporarily has to be performed then. I suppose you won't get the error message for files and folders whenever they are already set. As soon as the Admin permissions are removed, the script will fail.

Further, I don't think you need to make it more complicated than it is. The script looks clumsy, as cacls is able to commit the change to all subfolders, hence no need for the get-childitem stuff. A simple
  cacls D:\Shared\Users /C /T /E /P Administrator:F
should do the same.
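Added example (not from any poster in this thread): before taking ownership of anything, it helps to know which user folders the administrator can still read at all, which ones already carry an Administrators ACE, and who owns them. The read-only audit below does exactly that with Get-Acl and reports the folders where even reading the ACL fails, which is the "Access ... is denied" situation from the question. $BaseDir and $AdminPrincipal are assumed values; nothing is modified.

```powershell
<#
Added example, not part of the thread. Read-only audit of redirected user
folders: owner, whether $AdminPrincipal already has an Allow ACE, whether the
folder inherits from its parent, and whether the running account can read the
ACL at all. $BaseDir and $AdminPrincipal are assumed values.
#>
param(
    [string]$BaseDir = 'D:\Shared\Users',
    [string]$AdminPrincipal = 'BUILTIN\Administrators'
)

function Get-UserFolderAclReport {
    param([string]$Path, [string]$Principal)

    # PSIsContainer filter instead of -Directory so this also runs on PowerShell 2.0.
    $folders = Get-ChildItem -Path $Path -Force | Where-Object { $_.PSIsContainer }

    foreach ($dir in $folders) {
        $row = @{ Folder = $dir.Name; Owner = $null; AdminRights = $null; Inherits = $null; Error = $null }
        try {
            # -ErrorAction Stop turns the non-terminating access-denied error into a catchable one.
            $acl = Get-Acl -Path $dir.FullName -ErrorAction Stop
            $adminAces = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Principal })

            $row.Owner       = $acl.Owner
            $row.AdminRights = if ($adminAces.Count -gt 0) {
                                   ($adminAces | ForEach-Object { $_.FileSystemRights }) -join ', '
                               } else { 'NONE' }
            $row.Inherits    = -not $acl.AreAccessRulesProtected
        } catch {
            # Typically UnauthorizedAccessException: the caller has neither an ACE nor ownership.
            $row.Error = $_.Exception.GetType().Name
        }
        New-Object PSObject -Property $row
    }
}

Get-UserFolderAclReport -Path $BaseDir -Principal $AdminPrincipal |
    Sort-Object Error, AdminRights |
    Format-Table Folder, Owner, AdminRights, Inherits, Error -AutoSize
```

Folders that show an Error column entry are the ones no cacls/icacls run under that account will fix; they are the candidates for a temporary takeown or for running the repair as SYSTEM. Folders with AdminRights set to NONE but a readable ACL can be fixed in place.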
I start the script by right-clicking it and selecting "Run as Administrator".

We first ran this script after we made a group policy for folder redirection that granted "Exclusive Rights" to the users.  We then wanted a script to insert the Administrator account into the ACL and I found the one listed in my original post on Google.  The first time I ran it, it worked beautifully.  So I'm at a loss as to why the script could appear to edit ACL entries without having ownership before.  In fact, most of the user folders have the Administrator added to the ACL without changing the ownership as I still see the user listed as the owner.

I would prefer not to have to take ownership of all the user folders unless necessary.
Chris Dent (accepted solution):
Does that make any difference?
Yeah, users (including administrators) can't add themselves to ACLs without having some existing access. Whether that's explicit in the ACL, or implicit via ownership. SYSTEM on the other hand has a lot of extra rights and may still be able to make the change.

I figure it's worth a poke :) It's the only way I can see the script ever working without taking ownership first.

Chris
Thanks Chris,

I was missing the PSExec thing, you were right!
I hinted in http:#a37058139 that you are not using SYSTEM anywhere ...
Sorry Qlemo, it was really Chris who pointed to the PsExec utility that helped me get this solved.
I've accomplished something similar in a way that doesn't require PsExec.  I use PsExec all the time, but I wanted to run this as a scheduled task, so it was easier to do without it.

Note, my script has slightly different behavior, so be sure to inspect it before running. And be sure to have sensible permissions on the mainDir, e.g. only allow Domain Users to list this folder, but not applied onto subfolders.

<#
Script to reset user folder permissions.
Uses: icacls.exe and takeown.exe
Tested on Server 2008 R2 X64
For all folders in base folder:
1. Recursively resets owner to Administrators
2. Reset folder to inherit permissions and apply to subfolders/files, clearing any existing perms
3. Add user (based on folder name) with full control and apply to subfolders/files
4. Recursively reset owner to user (based on folder name)
#>

$mainDir = "E:\Users\FolderRedirections"
write-output $mainDir
$dirs = gci "$mainDir" |? {$_.psiscontainer}
foreach ($dir in $dirs){
  write-output $dir.fullname
  takeown.exe /F $($dir.fullname) /R /D Y |out-null
  icacls.exe $($dir.fullname) /reset /T /C /L /Q
  icacls.exe $($dir.fullname) /grant ($($dir.basename) + ":F") /T /C /L /Q
  icacls.exe $($dir.fullname) /setowner $($dir.basename) /T /C /L /Q
}


Thanks for adding the comment, I'll have to try this out.
There was a bug in my script above; the following line needs to be changed to:
icacls.exe $($dir.fullname) /grant ($($dir.basename) + ':(OI)(CI)F') /C /L /Q
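Added example (not from any poster in this thread): the same per-user grant step done with Get-Acl/Set-Acl instead of icacls, mainly to make the inheritance fix above explicit. The (OI)(CI) flags on the corrected icacls line correspond to ObjectInherit plus ContainerInherit on the folder's own ACE; Windows propagates an inheritable ACE to existing children when the DACL is written, which is why the /T pass is no longer needed. The folder name is resolved to a SID before anything is granted, so a folder that is not named after a real account is skipped instead of being handed to whatever name icacls happens to match. It assumes the running account can already read and write each folder's DACL (for example after the takeown step in the script above); $BaseDir and $Domain are assumed values, and the script supports -WhatIf.

```powershell
<#
Added example, not part of the thread. Grants DOMAIN\<foldername> full control
on its redirected folder with inheritance flags equivalent to icacls "(OI)(CI)F".
Assumes the caller can already modify each folder's DACL. $BaseDir and $Domain
are assumed values.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$BaseDir = 'E:\Users\FolderRedirections',
    [string]$Domain  = $env:USERDOMAIN
)

function Resolve-AccountSid {
    # Throws IdentityNotMappedException when DOMAIN\name is not a real account.
    param([string]$Name)
    $account = New-Object System.Security.Principal.NTAccount($Name)
    return $account.Translate([System.Security.Principal.SecurityIdentifier])
}

function New-InheritableFullControlRule {
    # Equivalent of icacls "(OI)(CI)F": this folder, its subfolders and its files.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
               [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $ruleArgs = @(
        $Sid,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    return New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

$folders = Get-ChildItem -Path $BaseDir -Force | Where-Object { $_.PSIsContainer }
foreach ($dir in $folders) {
    $name = "$Domain\$($dir.Name)"
    try   { $sid = Resolve-AccountSid $name }
    catch { Write-Warning "Skipping '$($dir.FullName)': '$name' does not resolve to an account"; continue }

    if (-not $PSCmdlet.ShouldProcess($dir.FullName, "Grant $name FullControl (OI)(CI)")) { continue }

    $acl = Get-Acl -Path $dir.FullName
    # SetAccessRule replaces any existing Allow ACE for this SID rather than stacking a second one.
    $acl.SetAccessRule((New-InheritableFullControlRule -Sid $sid))
    Set-Acl -Path $dir.FullName -AclObject $acl

    # Verify propagation: one descendant should now show the ACE as inherited.
    $canonical = $sid.Translate([System.Security.Principal.NTAccount]).Value
    $child = Get-ChildItem -Path $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($child) {
        $inherited = (Get-Acl -Path $child.FullName).Access |
            Where-Object { $_.IsInherited -and $_.IdentityReference.Value -eq $canonical }
        if (-not $inherited) {
            Write-Warning "$($child.FullName) did not inherit the new ACE; check whether inheritance is blocked on it"
        }
    }
}
```

Run it once with -WhatIf to see which folders would be touched and which names fail to resolve; the propagation check at the end is what catches a subfolder that someone has set to block inheritance, which the icacls version only reports through its /T pass.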