Script to remove USERS permissions from User Profile folders

Posted on 2012-03-16
Last Modified: 2012-06-08
Hi Experts,

Hope you can help. We have a bunch of user profiles where the permissions are wrong (located at: \\Server\FLDREDIR\username)

The problem is our current Permissions looks like this

for Jane.Doe's profile: (\\server\FLDREDIR\Jane.Doe\)
Administrators - Full     (This Folder, subfolder, and files)
SYSTEM - Full     (This Folder, subfolder, and files)
Jane.Doe - Full     (This Folder Only)
CREATOR OWNER - Special      (Subfolders and files only) (basically full)
Users - Read & execute     (This Folder, subfolder, and files)  <---problem
Users - Special      (This Folder, subfolder, and files)  (basically create/write/modify) <--- problem

We need to REMOVE the "Users" group from this as it is causing ALL users to be able to access/modify everyone else's profile. I've already set the permissions at the root level, but now I need to go and clean out everyone's profile.

I've seen scripts to set permissions on folders and files, but is there a way to REMOVE the USERS group altogether? Is there an easy way to do this?

Any info you can provide is appreciated. Thanks!! =)
Question by:ThinkPaper
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
LVL 11

Accepted Solution

X_layer earned 500 total points
ID: 37731072
I would look at Xcalcs for this problem. First you could revoke all permissions of group Users:
xcacls \\Server\FLDREDIR\*.* /t /e /c /r BUILTIN\Users /y

Open in new window

Then you can set read acces on \\Server\FLDREDIR directory for BUILTIN\Users:
xcacls \\Server\FLDREDIR\*.* /e /c /g BUILTIN\Users:R /y

Open in new window

Test this first and read the link above.
LVL 16

Author Closing Comment

ID: 37742926
Thanks for the info. It's going to take some time to test this out. I've had previous issues with CACLS and XCACLS, especially concerning user profiles. I've had instances where it would report a sucess on changing ownership and permissions, but then when I check, it will set the permissions ok on some folders, but not others.

Expert Comment

by:Adam Ray
ID: 38060755
For posterity, here is a way I came up with to "reset" the permissions for all user folders. This works even when you (Administrator) does not have access to the folders (like with the default setting for folder redirection GPO.)

FYI, XCACLS was known to have issues. The new ICACLS has the increased functionality without the bugs, according to MS anyway.

Script to reset user folder permissions.
Uses: icacls.exe and takeown.exe
Tested on Server 2008 R2 X64
For all folders in base folder:
1. Recursively resets owner to Administrators
2. Reset folder to inherit permissions and apply to subfolders/files, clearing any existing perms
3. Add user (based on folder name) with full control and apply to subfolders/files
4. Recursivley reset owener to user (based on folder name)

$mainDir = "E:\Users\FolderRedirections"
write-output $mainDir
$dirs = gci "$mainDir" |? {$_.psiscontainer}
foreach ($dir in $dirs){
  write-output $dir.fullname
  takeown.exe /F $($dir.fullname) /R /D Y |out-null
  icacls.exe $($dir.fullname) /reset /T /C /L /Q
  icacls.exe $($dir.fullname) /grant ($($dir.basename) + ":F") /T /C /L /Q
  icacls.exe $($dir.fullname) /setowner $($dir.basename) /T /C /L /Q

Open in new window


Expert Comment

by:Adam Ray
ID: 38063264
There was a bug in my script above, the following line needs to be changed:
icacls.exe $($dir.fullname) /grant ($($dir.basename) + ':(OI)(CI)F') /C /L /Q

Open in new window


Featured Post

Optimum High-Definition Video Viewing and Control

The ATEN VM0404HA 4x4 4K HDMI Matrix Switch supports 4K resolutions of UHD (3840 x 2160) and DCI (4096 x 2160) with refresh rates of 30 Hz (4:4:4) and 60 Hz (4:2:0). It is ideal for applications where the routing of 4K digital signals is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
When asking a question in a forum or creating documentation, screenshots are vital tools that can convey a lot more information and save you and your reader a lot of time
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question