Script to remove USERS permissions from User Profile folders

Hi Experts,

Hope you can help. We have a bunch of user profiles where the permissions are wrong (located at: \\Server\FLDREDIR\username)

The problem is our current Permissions looks like this

for Jane.Doe's profile: (\\server\FLDREDIR\Jane.Doe\)
Administrators - Full     (This Folder, subfolder, and files)
SYSTEM - Full     (This Folder, subfolder, and files)
Jane.Doe - Full     (This Folder Only)
CREATOR OWNER - Special      (Subfolders and files only) (basically full)
Users - Read & execute     (This Folder, subfolder, and files)  <---problem
Users - Special      (This Folder, subfolder, and files)  (basically create/write/modify) <--- problem

We need to REMOVE the "Users" group from this as it is causing ALL users to be able to access/modify everyone else's profile. I've already set the permissions at the root level, but now I need to go and clean out everyone's profile.

I've seen scripts to set permissions on folders and files, but is there a way to REMOVE the USERS group altogether? Is there an easy way to do this?

Any info you can provide is appreciated. Thanks!! =)
LVL 16
ThinkPaperIT ConsultantAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

X_layerConnect With a Mentor Commented:
I would look at Xcalcs for this problem. First you could revoke all permissions of group Users:
xcacls \\Server\FLDREDIR\*.* /t /e /c /r BUILTIN\Users /y

Open in new window

Then you can set read acces on \\Server\FLDREDIR directory for BUILTIN\Users:
xcacls \\Server\FLDREDIR\*.* /e /c /g BUILTIN\Users:R /y

Open in new window

Test this first and read the link above.
ThinkPaperIT ConsultantAuthor Commented:
Thanks for the info. It's going to take some time to test this out. I've had previous issues with CACLS and XCACLS, especially concerning user profiles. I've had instances where it would report a sucess on changing ownership and permissions, but then when I check, it will set the permissions ok on some folders, but not others.
Adam RayCommented:
For posterity, here is a way I came up with to "reset" the permissions for all user folders. This works even when you (Administrator) does not have access to the folders (like with the default setting for folder redirection GPO.)

FYI, XCACLS was known to have issues. The new ICACLS has the increased functionality without the bugs, according to MS anyway.

Script to reset user folder permissions.
Uses: icacls.exe and takeown.exe
Tested on Server 2008 R2 X64
For all folders in base folder:
1. Recursively resets owner to Administrators
2. Reset folder to inherit permissions and apply to subfolders/files, clearing any existing perms
3. Add user (based on folder name) with full control and apply to subfolders/files
4. Recursivley reset owener to user (based on folder name)

$mainDir = "E:\Users\FolderRedirections"
write-output $mainDir
$dirs = gci "$mainDir" |? {$_.psiscontainer}
foreach ($dir in $dirs){
  write-output $dir.fullname
  takeown.exe /F $($dir.fullname) /R /D Y |out-null
  icacls.exe $($dir.fullname) /reset /T /C /L /Q
  icacls.exe $($dir.fullname) /grant ($($dir.basename) + ":F") /T /C /L /Q
  icacls.exe $($dir.fullname) /setowner $($dir.basename) /T /C /L /Q

Open in new window

Adam RayCommented:
There was a bug in my script above, the following line needs to be changed:
icacls.exe $($dir.fullname) /grant ($($dir.basename) + ':(OI)(CI)F') /C /L /Q

Open in new window

All Courses

From novice to tech pro — start learning today.