• Status: Solved

TS profiles

Hello

We have a lot of ts profiles that the administrator does not have access to. So I used a simple script to take ownership of the folder, and give full access to the user, administrator and system.

When a user tries to log on, they get an error message saying it can't load user profile. A server copy with wrong permissions exists. Either the user or the administrative group must be owner.

I've tried with administrative group and administrator as owner, but still the same message. When I set the user as owner, the message disappears.

My problem is that I can't set user to owner through the batch script. Is there any command line for this? I only seem to be able to set the current logged on user or the administrative group as owner through the command line. Doing this manually is a major job....

Windows 2008 servers
Asked by: jjugland
 
AJS2011NZ Commented:
Try this command line tool in your batch script.

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23510
0
 
chakko Commented:
Are the base folders using something like %UserName%? If yes, then that makes scripting easier.

In the folder redirection policy, on the Settings tab, remove the check box for 'Grant user exclusive rights...'

In the very top folder add your administrator or group to the permissions. Then check if they inherit / propagate down to the subfolders.
If you can access the sub folder == the user folders then it should be good.

I can help with a script if your folder names === user names
0
 
jjugland (Author) Commented:
Base folders are %username%, yes.

I will download the program and try it.

Is there a way to script making a user the owner?

This is what I do today:

FOR /F "eol= tokens=1,* delims=/" %%i IN (dirlist.txt) DO echo %%i>>log.txt && takeown /A /F h:\ts\%%i /R /D Y >>log.txt 2>&1

This only makes the administrative group the owner, and then when a user logs on to the terminal server, an error message appears stating that it can't load the user profile. Either administrative or user must be the owner. So even though administrator is the owner, it won't work. It only works when the user is the owner....

0
 
jjugland (Author) Commented:
It looks like subinacl will be able to do the thing I want. Haven't tried it, but:

subinacl /file C:\demofile.doc /setowner=MYDOMAIN\BillG looks promising

I just need to modify it to take the folder name from the file, and make the user with the same username as the folder the owner of the folder and subfolders.

Can any one of you write that line? You can probably make the correct line much faster than me..
0
 
chakko Commented:
Are these roaming profiles, or only a redirected folder like My Documents?

For the roaming profile you can set a GPO policy to ignore the Owner requirement.

Computer Configuration / Administrative Templates / System / User Profiles
Do Not check for ownership of roaming profile folders

0
 
chakko Commented:

here is a kix script.  you need to download kix32.exe from www.kixtart.org
save it as script.kix (notepad is fine to use for this)

if you are on Windows 2003 download the hotfix below for icacls.exe


http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=947870&kbln=en-us

usage:  kix32 script.kix

in the script at the top set your root folder name and your domain name

First.  Take ownership of your root folder.  That will probably erase all permissions except for your account.
Setup Inheritance for subfolders and objects and apply. This will keep your admin account (or domain admins group for example) having full control via inheritance.
then run the script.  It will add the username (that matches the folder name:  example:  D:\share\john  to user account john) having full control, and then set john as the owner

good luck.

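;---begin

; Root folder that holds one sub-folder per user, and the NetBIOS domain name
$ScanFolder = "e:\newfolder"
$DomainName = "compass"

; Enumerate the user objects of the logon domain
$DomObj = getobject("WinNT://@LDomain")
$DomObj.filter = "user",""
for each $user in $DomObj
  ; Skip disabled accounts
  If $user.AccountDisabled = "0"
    $username = $user.name

    ; Translate DOMAIN\user (NT4 name, type 3) into its distinguished name (type 1)
    $userhome = TranslateName (3, "", 3, "@LDomain\$username", 1)
    $userinfo = GetObject("LDAP://" + $userhome[0])
    ; Only process accounts that have an e-mail address in AD
    if $userinfo.mail <> ""
      $TempUser = $userinfo.sAMAccountName
      $UserFolder = $ScanFolder + "\" + $TempUser
      $FullName = $DomainName + "\" + $TempUser
      if Exist($UserFolder) = 1
        ? "Process folder: " + $UserFolder
        ; SHELL waits for icacls to finish (RUN does not), so the grant
        ; completes before the owner is changed; the path is quoted for spaces
        SHELL 'ICACLS "' + $UserFolder + '" /grant ' + $FullName + ':(CI)f /T'
        ? "Process Ownership :" + $FullName
        SHELL 'ICACLS "' + $UserFolder + '" /setowner ' + $FullName + ' /T'
      endif
    endif
  endif
next
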


; TranslateName function authored by Howard A. Bullock - copied from some website
Function TranslateName ($InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType)
    Dim $InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType
    Dim $NameTranslate, $ReturnName, $Error, $ErrorText
    $Error = 0
    $ErrorText = ""
    $ReturnName = ""
    $NameTranslate = CREATEOBJECT ("NameTranslate")
    $Error = @error
    $ErrorText = @serror
    if $Error = 0
        $NameTranslate.Init ($InitType, $BindName)
        $Error = @error
        $ErrorText = @serror
        if $Error = 0
            $NameTranslate.Set ($LookupNameType, $LookupName)
            $Error = @error
            $ErrorText = @serror
            if $Error = 0
                $ReturnName = $NameTranslate.Get($ReturnNameType)
                $Error = @error
                $ErrorText = @serror
            endif
        endif
    endif
    $TranslateName = $ReturnName, $Error, $ErrorText
Endfunction
0
 
chakko Commented:
one last thing, I only process user accounts that have an email address in AD

to stop that requirement remove the line

  if $userinfo.mail <> ""    

and also remove one of the corresponding endif lines near the 'next'
0
 
jjugland (Author) Commented:
Yes they are roaming. I'm one step closer with the subinacl.

subinacl /subdirec h:\ts\jmm /setowner=jjuc\jmm

It changes the owner of the folder jmm, but then it stalls. It doesn't change any owner on the subfolders.

If I do: subinacl /subdirec h:\ts\jmm\subdir /setowner=jjuc\jmm it will change the owner on that folder, but not any subdirs.

Any ideas as to why?
0
 
jjugland (Author) Commented:
Tnx for the script. I'll take a look at it :)
0
 
jjugland (Author) Commented:
Chakko: tnx. Now I am able to do what I wanted.

One line in your script is exactly what I needed. I didn't know that icacls had the setowner option.

I tried that one, and everything worked like a charm.

Big tnx
0
 
chakko Commented:
if you use my script it will search AD for a username to match the FolderName and process it.  It searches or processes all active/enabled accounts.
0
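
The per-folder fix the thread arrives at (grant the matching user access, then `icacls /setowner`), written as an added PowerShell example that is not code from any poster here. It assumes each folder under the root is named after its user, as stated in the thread; `H:\ts` and `jjuc` are the root and domain quoted in the posts, while the `-Apply` switch and the `Resolve-Account` helper are names made up for this example. It refuses to hand ownership to a folder name that does not resolve to a real account, and only reports unless `-Apply` is given.

```powershell
# Added example; not code from the thread. H:\ts and jjuc are the root and
# domain quoted in the posts. -Apply and Resolve-Account are this example's names.
param(
    [string]$Root   = 'H:\ts',
    [string]$Domain = 'jjuc',
    [switch]$Apply                      # without -Apply, only report
)

function Resolve-Account([string]$Name) {
    # Return the SID for DOMAIN\user, or $null when no such account exists.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Name)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        return $null
    }
}

Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder  = $_.FullName
    $account = "$Domain\$($_.Name)"     # folder name == user name, as in the thread

    # Never hand ownership to a name that does not resolve to a real account.
    if (-not (Resolve-Account $account)) {
        Write-Warning "SKIP  $folder (no account $account)"
        return                          # continue with the next folder
    }

    $owner = (Get-Acl -Path $folder).Owner
    if (-not $Apply) {
        Write-Output "WOULD $folder owner '$owner' -> '$account'"
        return
    }

    # Grant first, then change owner. (OI)(CI)F = full control inherited by
    # files and sub-folders; /T recurses, /C continues on errors, /Q is quiet.
    & icacls.exe $folder /grant "${account}:(OI)(CI)F" /T /C /Q
    if ($LASTEXITCODE -ne 0) { Write-Warning "grant failed: $folder"; return }

    & icacls.exe $folder /setowner $account /T /C /Q
    if ($LASTEXITCODE -ne 0) { Write-Warning "setowner failed: $folder"; return }

    Write-Output "DONE  $folder owner -> $account"
}
```

Run it once without `-Apply` and review the SKIP lines: folders left behind by deleted or renamed accounts stay untouched, with the administrators' inherited access only.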
