Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Script to remove USERS permissions from User Profile folders

Posted on 2012-03-16
Medium Priority
Last Modified: 2012-06-08
Hi Experts,

Hope you can help. We have a bunch of user profiles where the permissions are wrong (located at: \\Server\FLDREDIR\username)

The problem is our current Permissions looks like this

for Jane.Doe's profile: (\\server\FLDREDIR\Jane.Doe\)
Administrators - Full     (This Folder, subfolder, and files)
SYSTEM - Full     (This Folder, subfolder, and files)
Jane.Doe - Full     (This Folder Only)
CREATOR OWNER - Special      (Subfolders and files only) (basically full)
Users - Read & execute     (This Folder, subfolder, and files)  <---problem
Users - Special      (This Folder, subfolder, and files)  (basically create/write/modify) <--- problem

We need to REMOVE the "Users" group from this as it is causing ALL users to be able to access/modify everyone else's profile. I've already set the permissions at the root level, but now I need to go and clean out everyone's profile.

I've seen scripts to set permissions on folders and files, but is there a way to REMOVE the USERS group altogether? Is there an easy way to do this?

Any info you can provide is appreciated. Thanks!! =)
Question by:ThinkPaper
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 11

Accepted Solution

X_layer earned 1500 total points
ID: 37731072
I would look at Xcalcs for this problem. First you could revoke all permissions of group Users:
xcacls \\Server\FLDREDIR\*.* /t /e /c /r BUILTIN\Users /y

Open in new window

Then you can set read acces on \\Server\FLDREDIR directory for BUILTIN\Users:
xcacls \\Server\FLDREDIR\*.* /e /c /g BUILTIN\Users:R /y

Open in new window

Test this first and read the link above.
LVL 16

Author Closing Comment

ID: 37742926
Thanks for the info. It's going to take some time to test this out. I've had previous issues with CACLS and XCACLS, especially concerning user profiles. I've had instances where it would report a sucess on changing ownership and permissions, but then when I check, it will set the permissions ok on some folders, but not others.

Expert Comment

by:Adam Ray
ID: 38060755
For posterity, here is a way I came up with to "reset" the permissions for all user folders. This works even when you (Administrator) does not have access to the folders (like with the default setting for folder redirection GPO.)

FYI, XCACLS was known to have issues. The new ICACLS has the increased functionality without the bugs, according to MS anyway.

Script to reset user folder permissions.
Uses: icacls.exe and takeown.exe
Tested on Server 2008 R2 X64
For all folders in base folder:
1. Recursively resets owner to Administrators
2. Reset folder to inherit permissions and apply to subfolders/files, clearing any existing perms
3. Add user (based on folder name) with full control and apply to subfolders/files
4. Recursivley reset owener to user (based on folder name)

$mainDir = "E:\Users\FolderRedirections"
write-output $mainDir
$dirs = gci "$mainDir" |? {$_.psiscontainer}
foreach ($dir in $dirs){
  write-output $dir.fullname
  takeown.exe /F $($dir.fullname) /R /D Y |out-null
  icacls.exe $($dir.fullname) /reset /T /C /L /Q
  icacls.exe $($dir.fullname) /grant ($($dir.basename) + ":F") /T /C /L /Q
  icacls.exe $($dir.fullname) /setowner $($dir.basename) /T /C /L /Q

Open in new window


Expert Comment

by:Adam Ray
ID: 38063264
There was a bug in my script above, the following line needs to be changed:
icacls.exe $($dir.fullname) /grant ($($dir.basename) + ':(OI)(CI)F') /C /L /Q

Open in new window


Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article helps those who get the 0xc004d307 error when trying to rearm (reset the license) Office 2013 in a Virtual Desktop Infrastructure (VDI) and/or those trying to prep the master image for Microsoft Key Management (KMS) activation. (i.e.- C…
Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question