Script to remove USERS permissions from User Profile folders

Posted on 2012-03-16
Last Modified: 2012-06-08
Hi Experts,

Hope you can help. We have a bunch of user profiles where the permissions are wrong (located at: \\Server\FLDREDIR\username)

The problem is our current permissions look like this:

for Jane.Doe's profile: (\\server\FLDREDIR\Jane.Doe\)
Administrators - Full     (This Folder, subfolder, and files)
SYSTEM - Full     (This Folder, subfolder, and files)
Jane.Doe - Full     (This Folder Only)
CREATOR OWNER - Special      (Subfolders and files only) (basically full)
Users - Read & execute     (This Folder, subfolder, and files)  <---problem
Users - Special      (This Folder, subfolder, and files)  (basically create/write/modify) <--- problem

We need to REMOVE the "Users" group from this as it is causing ALL users to be able to access/modify everyone else's profile. I've already set the permissions at the root level, but now I need to go and clean out everyone's profile.

I've seen scripts to set permissions on folders and files, but is there a way to REMOVE the USERS group altogether? Is there an easy way to do this?

Any info you can provide is appreciated. Thanks!! =)
Question by:ThinkPaper

Accepted Solution

X_layer earned 500 total points
ID: 37731072
I would look at Xcacls for this problem. First you could revoke all permissions of group Users:
xcacls \\Server\FLDREDIR\*.* /t /e /c /r BUILTIN\Users /y

Then you can set read access on \\Server\FLDREDIR directory for BUILTIN\Users:
xcacls \\Server\FLDREDIR\*.* /e /c /g BUILTIN\Users:R /y

Test this first and read the link above.

Author Closing Comment

ID: 37742926
Thanks for the info. It's going to take some time to test this out. I've had previous issues with CACLS and XCACLS, especially concerning user profiles. I've had instances where it would report a success on changing ownership and permissions, but then when I check, it will set the permissions ok on some folders, but not others.

Expert Comment

by:Adam Ray
ID: 38060755
For posterity, here is a way I came up with to "reset" the permissions for all user folders. This works even when you (Administrator) do not have access to the folders (like with the default setting for folder redirection GPO).

FYI, XCACLS was known to have issues. The new ICACLS has the increased functionality without the bugs, according to MS anyway.

Script to reset user folder permissions.
Uses: icacls.exe and takeown.exe
Tested on Server 2008 R2 X64
For all folders in base folder:
1. Recursively resets owner to Administrators
2. Reset folder to inherit permissions and apply to subfolders/files, clearing any existing perms
3. Add user (based on folder name) with full control and apply to subfolders/files
4. Recursively reset owner to user (based on folder name)

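$mainDir = "E:\Users\FolderRedirections"
write-output $mainDir
# Process each per-user folder directly under the base folder
$dirs = gci "$mainDir" |? {$_.psiscontainer}
foreach ($dir in $dirs){
  write-output $dir.fullname
  # 1. Take ownership recursively so the ACL can be changed
  takeown.exe /F $($dir.fullname) /R /D Y |out-null
  # 2. Reset the folder tree to inherited permissions
  icacls.exe $($dir.fullname) /reset /T /C /L /Q
  # 3. Grant the user (taken from the folder name) full control
  icacls.exe $($dir.fullname) /grant ($($dir.basename) + ":F") /T /C /L /Q
  # 4. Hand ownership back to the user
  icacls.exe $($dir.fullname) /setowner $($dir.basename) /T /C /L /Q
}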


Expert Comment

by:Adam Ray
ID: 38063264
There was a bug in my script above, the following line needs to be changed:
icacls.exe $($dir.fullname) /grant ($($dir.basename) + ':(OI)(CI)F') /C /L /Q
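
A report-first way to do what the question asks and then confirm the result by re-reading the ACLs, as an added example that is not part of the original posts. The default `$BasePath`, the switch names and the function names are assumptions made for illustration; it needs PowerShell 3.0 or later and checks folders only, not individual files.

```powershell
param(
    [string]$BasePath = '\\Server\FLDREDIR',  # assumption: share path from the question
    [switch]$Recurse,                          # also check every subfolder
    [switch]$Remove                            # default is report-only
)

# Well-known SID of BUILTIN\Users; matching on the SID avoids localized group names.
$usersSid = 'S-1-5-32-545'

function Get-UsersAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    # Ask for SIDs instead of account names, explicit and inherited entries alike.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $usersSid }
}

function Test-Folder {
    param([string]$Path, [string]$Stage)
    try {
        foreach ($ace in @(Get-UsersAce -Path $Path)) {
            [pscustomobject]@{
                Stage = $Stage; Folder = $Path; Inherited = $ace.IsInherited
                Type = $ace.AccessControlType; Rights = $ace.FileSystemRights
            }
        }
    } catch {
        # Folders the admin account cannot read are reported, not skipped silently.
        [pscustomobject]@{ Stage = $Stage; Folder = $Path; Inherited = $null
                           Type = 'Unreadable'; Rights = $_.Exception.Message }
    }
}

$folders = Get-ChildItem -LiteralPath $BasePath -Recurse:$Recurse |
    Where-Object { $_.PSIsContainer }
$before = @($folders | ForEach-Object { Test-Folder -Path $_.FullName -Stage 'Before' })
$before

if ($Remove) {
    # Only explicit ACEs can be removed here; inherited ones come from the parent ACL.
    $targets = @($before | Where-Object { $_.Inherited -eq $false } |
        Select-Object -ExpandProperty Folder -Unique)
    foreach ($t in $targets) {
        # /remove:g drops granted entries for the SID; '*' marks a numeric SID.
        icacls.exe $t /remove:g "*$usersSid" /C /L /Q | Out-Null
    }
    # Re-read the ACLs rather than trusting the tool's success message.
    $targets | ForEach-Object { Test-Folder -Path $_ -Stage 'After' }
}
```

Any `After` row with `Inherited` set to `False` is a folder where the removal did not take; rows with `Inherited` set to `True` have to be fixed on the parent folder instead.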

