TS profiles


We have a lot of ts profiles that the administrator does not have access to. So I used a simple script to take ownership of the folder, and give full access to the user, administrator and system.

When a user tries to log on, they get an error message saying it can't load user profile. A server copy with wrong permissions exists. Either the user or the administrative group must be owner.

I've tried with administrative group and administrator as owner, but still the same message. When I set the user as owner, the message disappears.

My problem is that I can't set user to owner through the batch script. Is there any command line for this? I only seem to be able to set the current logged on user or the administrative group as owner through the command line. Doing this manually is a major job....

Windows 2008 servers

Here is a KiX script. You need to download kix32.exe from www.kixtart.org
Save it as script.kix (Notepad is fine to use for this).

If you are on Windows 2003, download the hotfix below for icacls.exe.


Usage:  kix32 script.kix

In the script, at the top, set your root folder name and your domain name.

First, take ownership of your root folder. That will probably erase all permissions except for your account.
Set up inheritance for subfolders and objects and apply. This will keep your admin account (or the Domain Admins group, for example) having full control via inheritance.
Then run the script. It will add the user account that matches the folder name (for example, D:\share\john maps to user account john) with full control, and then set john as the owner.

Good luck.


; KiXtart script: for every enabled domain user that has a folder named after the
; account under $ScanFolder, grant the account full control and make it the owner.
; Requires icacls.exe on the machine running the script.
$ScanFolder = "e:\newfolder"        ; root folder holding one subfolder per username
$DomainName = "compass"             ; NetBIOS domain name, used to build DOMAIN\user
$DomObj = GetObject("WinNT://@LDomain")
$DomObj.filter = "user",""          ; enumerate user objects only
For Each $user In $DomObj
  If $user.AccountDisabled = "0"    ; skip disabled accounts
    $username = $user.name
    ; NT4-style name -> distinguished name (array: name, error code, error text)
    $userhome = TranslateName(3, "", 3, "@LDomain\$username", 1)
    $userinfo = GetObject("LDAP://" + $userhome[0])
    If $userinfo.mail <> ""         ; only accounts with a mail address; remove this If and its EndIf to process all
      $TempUser = $userinfo.sAMAccountName
      $UserFolder = $ScanFolder + "\" + $TempUser
      $FullName = $DomainName + "\" + $TempUser
      If Exist($UserFolder) = 1     ; only when a matching folder exists
        ? "Process folder: " + $UserFolder
        ; (CI) = container inherit, f = full control, /T = apply to the whole tree
        ; Run does not wait for icacls to finish; use Shell instead if you need each step to complete first
        Run('ICACLS $UserFolder /grant $FullName:(CI)f /T')
        ? "Process Ownership: " + $FullName
        Run('ICACLS $UserFolder /setowner $FullName /T')
      EndIf
    EndIf
  EndIf
Next

; TranslateName function authored by Howard A. Bullock - copied from some website
; Wraps the NameTranslate COM object; returns an array of (translated name, @error, @serror)
Function TranslateName($InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType)
  Dim $InitType, $BindName, $LookupNameType, $LookupName, $ReturnNameType
  Dim $NameTranslate, $ReturnName, $Error, $ErrorText
  $Error = 0
  $ErrorText = ""
  $ReturnName = ""
  $NameTranslate = CreateObject("NameTranslate")
  $Error = @error
  $ErrorText = @serror
  If $Error = 0
    $NameTranslate.Init($InitType, $BindName)
    $Error = @error
    $ErrorText = @serror
    If $Error = 0
      $NameTranslate.Set($LookupNameType, $LookupName)
      $Error = @error
      $ErrorText = @serror
      If $Error = 0
        $ReturnName = $NameTranslate.Get($ReturnNameType)
        $Error = @error
        $ErrorText = @serror
      EndIf
    EndIf
  EndIf
  $TranslateName = $ReturnName, $Error, $ErrorText
EndFunction

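The same two icacls steps from the answer above (grant full control to DOMAIN\foldername, then make that account the owner), written as a PowerShell script for the Windows 2008 server the question is about. This is an added example, not code from the thread; the root path and domain name are placeholders, it assumes one profile folder per username, and it skips folders whose name does not resolve to an account rather than failing inside icacls.

```powershell
# Run elevated on the server. Requires icacls.exe (built into Windows 2008).
param(
    [string]$Root   = 'H:\ts',       # profile root, one subfolder per username (assumed)
    [string]$Domain = 'MYDOMAIN',    # NetBIOS domain name (placeholder)
    [switch]$WhatIf                  # print the commands instead of running them
)

function Resolve-Account {
    # Returns the SID string when DOMAIN\name resolves, $null otherwise, so folders
    # that have no matching account are logged and skipped.
    param([string]$Account)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null
    }
}

$log = Join-Path $Root 'setowner.log'
# PSIsContainer filter instead of -Directory so this also runs on PowerShell 2.0
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder  = $_.FullName
    $account = "$Domain\$($_.Name)"
    if (-not (Resolve-Account $account)) {
        "SKIP  $folder : no account $account" | Tee-Object -FilePath $log -Append
        return   # inside ForEach-Object, return moves on to the next folder
    }
    # (OI)(CI)F = full control inherited by files and subfolders; /T = whole tree,
    # /C = continue past errors, /Q = suppress per-file success messages
    $grant = @($folder, '/grant', "${account}:(OI)(CI)F", '/T', '/C', '/Q')
    $owner = @($folder, '/setowner', $account, '/T', '/C', '/Q')
    foreach ($a in @($grant, $owner)) {
        "RUN   icacls $($a -join ' ')" | Tee-Object -FilePath $log -Append
        if (-not $WhatIf) {
            & icacls.exe @a 2>&1 | Out-File -FilePath $log -Append
        }
    }
}
```

Run it once with -WhatIf and read setowner.log to confirm every folder maps to the account you expect before letting it change owners.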
Try this command line tool in your batch script.

Are the base folders using something like %UserName%? If yes, then that makes scripting easier.

In the folder redirection policy, on the Settings tab, remove the check box for 'Grant user exclusive rights...'

In the very top folder add your administrator or group to the permissions. Then check if they inherit / propagate down to the subfolders.
If you can access the sub folder == the user folders then it should be good.

I can help with a script if your folder names === user names.

jjuglandAuthor Commented:
Base folders are %username%, yes.

I will download the program and try it.

Is there a way to script making a user the owner?

This is what I do today:

FOR /F "eol= tokens=1,* delims=/" %%i IN (dirlist.txt) DO echo %%i>>log.txt && takeown /A /F h:\ts\%%i /R /D Y >>log.txt 2>&1

This only makes the administrative group the owner, and then when a user logs on to the terminal server, an error message appears stating that it can't load the user profile: either the administrative group or the user must be the owner. So even though administrator is the owner, it won't work. It only works when the user is the owner....

jjuglandAuthor Commented:
It looks like subinacl will be able to do the thing I want. Haven't tried it, but:

subinacl /file C:\demofile.doc /setowner=MYDOMAIN\BillG looks promising

I just need to modify it to take the foldername from the file, and make the user with the same username as folder the owner on the folder and subfolder.

Can anyone of you write that line? You probably make the correct line much faster than me..
Are these roaming profiles? Or only redirected folders like My Documents?

For the roaming profile you can set a GPO policy to ignore the Owner requirement.

Computer Configuration / Administrative Templates / System / User Profiles
Do Not check for ownership of roaming profile folders

One last thing: I only process user accounts that have an email address in AD.

To stop that requirement, remove the line

  if $userinfo.mail <> ""    

and also remove one of the corresponding endif lines near the 'next'.
jjuglandAuthor Commented:
Yes they are roaming. I'm one step closer with the subinacl.

subinacl /subdirec h:\ts\jmm /setowner=jjuc\jmm

It changes the owner of the folder jmm, but then it stalls. It doesn't change any owner on the subfolders.

If I do: subinacl /subdirec h:\ts\jmm\subdir /setowner=jjuc\jmm it will change the owner on that folder, but not any subdirs.

Any ideas why?
jjuglandAuthor Commented:
Tnx for the script. I'll take a look at it :)
jjuglandAuthor Commented:
Chakko: tnx. Now I am able to do what I wanted.

One line in your script is exactly what I needed. I didn't know that icacls had the setowner option.

I tried that one, and everything worked like a charm.

Big tnx
if you use my script it will search AD for a username to match the FolderName and process it.  It searches or processes all active/enabled accounts.