Script to remove USERS permissions from User Profile folders

Posted on 2012-03-16
Medium Priority
Last Modified: 2012-06-08
Hi Experts,

Hope you can help. We have a bunch of user profiles where the permissions are wrong (located at: \\Server\FLDREDIR\username)

The problem is that our current permissions look like this:

for Jane.Doe's profile: (\\server\FLDREDIR\Jane.Doe\)
Administrators - Full     (This Folder, subfolder, and files)
SYSTEM - Full     (This Folder, subfolder, and files)
Jane.Doe - Full     (This Folder Only)
CREATOR OWNER - Special      (Subfolders and files only) (basically full)
Users - Read & execute     (This Folder, subfolder, and files)  <---problem
Users - Special      (This Folder, subfolder, and files)  (basically create/write/modify) <--- problem

We need to REMOVE the "Users" group from this as it is causing ALL users to be able to access/modify everyone else's profile. I've already set the permissions at the root level, but now I need to go and clean out everyone's profile.

I've seen scripts to set permissions on folders and files, but is there a way to REMOVE the USERS group altogether? Is there an easy way to do this?

Any info you can provide is appreciated. Thanks!! =)
Question by:ThinkPaper

Accepted Solution

X_layer earned 1500 total points
ID: 37731072
I would look at XCACLS for this problem. First you could revoke all permissions of group Users:
xcacls \\Server\FLDREDIR\*.* /t /e /c /r BUILTIN\Users /y

Then you can set read access on the \\Server\FLDREDIR directory for BUILTIN\Users:
xcacls \\Server\FLDREDIR\*.* /e /c /g BUILTIN\Users:R /y

Test this first and read the link above.

Author Closing Comment

ID: 37742926
Thanks for the info. It's going to take some time to test this out. I've had previous issues with CACLS and XCACLS, especially concerning user profiles. I've had instances where it would report a success on changing ownership and permissions, but then when I check, it will set the permissions OK on some folders, but not others.

Expert Comment

by:Adam Ray
ID: 38060755
For posterity, here is a way I came up with to "reset" the permissions for all user folders. This works even when you (Administrator) do not have access to the folders (like with the default setting for the folder redirection GPO).

FYI, XCACLS was known to have issues. The new ICACLS has the increased functionality without the bugs, according to MS anyway.

Script to reset user folder permissions.
Uses: icacls.exe and takeown.exe
Tested on Server 2008 R2 X64
For all folders in base folder:
1. Recursively resets owner to Administrators
2. Reset folder to inherit permissions and apply to subfolders/files, clearing any existing perms
3. Add user (based on folder name) with full control and apply to subfolders/files
4. Recursively reset owner to user (based on folder name)

$mainDir = "E:\Users\FolderRedirections"
write-output $mainDir
$dirs = gci "$mainDir" |? {$_.psiscontainer}   # each subfolder is named after its user
foreach ($dir in $dirs){
  write-output $dir.fullname
  takeown.exe /F $($dir.fullname) /R /D Y |out-null   # 1. owner -> Administrators
  icacls.exe $($dir.fullname) /reset /T /C /L /Q   # 2. back to inherited permissions only
  icacls.exe $($dir.fullname) /grant ($($dir.basename) + ":F") /T /C /L /Q   # 3. user full control (corrected in the follow-up comment)
  icacls.exe $($dir.fullname) /setowner $($dir.basename) /T /C /L /Q   # 4. owner -> user
}


Expert Comment

by:Adam Ray
ID: 38063264
There was a bug in my script above, the following line needs to be changed:
icacls.exe $($dir.fullname) /grant ($($dir.basename) + ':(OI)(CI)F') /C /L /Q
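
To confirm that a cleanup like the ones in this thread actually took effect (the asker reports CACLS/XCACLS claiming success while leaving some folders unchanged), the following read-only check lists every per-user folder that still carries an Allow entry for BUILTIN\Users. It is an added example, not code from any poster in the thread; the function name Get-UsersGroupAce and its output columns are hypothetical, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only audit, changes nothing on disk.
# Function name and output property names are hypothetical.
function Get-UsersGroupAce {
    param(
        [Parameter(Mandatory)] [string] $Root   # folder redirection root
    )
    # Well-known SID of BUILTIN\Users. Matching on the SID avoids
    # problems with localized or renamed group display names.
    $usersSid = 'S-1-5-32-545'

    Get-ChildItem -LiteralPath $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $dir = $_
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        } catch {
            # A folder the auditing account cannot read is reported, not
            # silently skipped, so it is not mistaken for a clean folder.
            [pscustomobject]@{
                Folder = $dir.FullName; Status = 'Unreadable'
                Rights = $null; Inherited = $null; AppliesTo = $null
            }
            return   # next folder
        }
        # Explicit and inherited rules, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true,
                    [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -eq $usersSid -and
                $rule.AccessControlType -eq 'Allow') {
                [pscustomobject]@{
                    Folder    = $dir.FullName
                    Status    = 'UsersAceFound'
                    Rights    = $rule.FileSystemRights
                    # True: the entry comes from the parent, fix it at the root.
                    # False: the entry is set on this folder itself.
                    Inherited = $rule.IsInherited
                    AppliesTo = "$($rule.InheritanceFlags) / $($rule.PropagationFlags)"
                }
            }
        }
    }
}

# Usage against the share named in the question (empty output = no Users entries):
# Get-UsersGroupAce -Root '\\Server\FLDREDIR' | Format-Table -AutoSize
```

The check covers only the top-level per-user folders; subfolders with inheritance disabled need the same check run one level deeper.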


