Add permissions to folder redirection my documents

Posted on 2013-12-16
Last Modified: 2014-01-04
Hi Guys

I have a group policy that redirects the "My Documents" and Desktop folders to the server for about 40 PCs at one location, and this scenario repeats very often for other domains that I manage.
As you know, the My Documents and Desktop folders have permissions assigned only to the user that owns the folder, and no Domain Admins have access to them.
My problem is that I'm using cloud backup software like Livedrive to back up data on the server, including the users' personal folders. The Livedrive service runs under the administrator account, but since the administrator does not have access to the My Documents folder, nothing gets backed up in those folders. My workaround is to take ownership of each folder and add domain admin under security, then give the ownership back to the user.
If it is just a few users it is no big deal, but when you have 40 users and you multiply by 2 folders each, there are a lot of permissions to be assigned manually.
I was wondering if there is a command script that can be run either as a logon script that will assign the domain admin rights to those folders and subfolders without taking the user out of the permission list.
Thank you
Question by:infedonetwork
LVL 47

Expert Comment

by:Donald Stewart
ID: 39724791
You need to clear the Grant user exclusive rights to my documents box.

Enabling the administrator to have access to redirected folders

Expert Comment

by:Sainyam Aggarwal
ID: 39725601
If you still have doubt you can walk through with this article.

Author Comment

ID: 39725957
This does not work because under the users folder you have as follows:
\\server\users\john. Up to here domain admin has access, but when you go to \desktop or \favorites or \my Documents only the user and system have access, so no matter what permission I try to modify at the user folder level it will not propagate up to the Desktop or My Documents level. I will just get an access denied.
Author Comment

ID: 39725988
I also forgot to mention that when I looked at the Security and Advanced tab of the users folder all I see is what's below, and I do not have the option of "Allow inheritable permissions from parent to propagate to this object". If I take the check mark off "Include inheritable permissions....." and choose Remove, then I will get access denied when it comes to applying to the Desktop and My Documents folders.

LVL 47

Expert Comment

by:Donald Stewart
ID: 39726848
Each folder has the setting to "Grant user exclusive rights.."  ...uncheck that box

LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 500 total points
ID: 39726858
You can use the script here to alter/repair the permissions on the root folder here

Author Comment

ID: 39728278
Not sure if I properly explained my goal.
I have a server running Windows 2011 SBS and it has a folder called shared\users.
The GPO redirects all Desktop and My Documents folders under the users folder.
As an example, for Tom I have \\server\shared\users\tom\desktop and My Documents.
Everyone has read, list and execute, and Domain Admins have full control, up to the Tom folder.
At the Desktop and My Documents level only Tom and System have full rights.
To be able to back up the Desktop and My Documents to the cloud, the user that Livedrive runs under needs access to those two folders.
What I did until now is Properties of the Desktop folder, Security, Advanced, Owner, then take ownership of the folder. Then add Domain admin and Tom with full control, then make Tom the owner. I have to do the same for the My Documents and Favorites folders.
So 3 folders times 40 users or more is at least 120 folders to modify one by one.
The goal is to assign permission to the Domain Admins with one script for everyone.
What you all suggest, I believe, still requires going to each folder or logging on as the users and going to the properties of each folder.
I already took the "Grant the user exclusive rights" option out of the GPO, but I still have Tom and System, and if I try to remove the propagation at the root folder \\server\users it will not be applied to any of the My Documents folders because the administrator has no permission to make any changes to those folders.
The only way I see is to take ownership of the users folder and all subfolders, then add the domain admin, but I will not have Tom in there, so I will be back to ground zero where I have to go to each folder and add each user to their own folder and make them owners again.
LVL 47

Expert Comment

by:Donald Stewart
ID: 39729352
Did you not read the article I posted at all?

The script

" Sets full access for the user and administrators on the specified redirected folder root "

When you try to remove propagation on the root, select "Copy"

These may help you as well

Especially this one

Reset Roaming Profile and Folder Redirection Permissions

Author Comment

ID: 39735033
The script will work if I find out the SID for each user and enter it each time I run the script.
This will not save much time. Please correct me if I'm wrong.
:: User SID
if "%~2"=="" (
    echo Please specify the user SID as the second parameter!
    exit /b 1
)
set UserSid=%~2
set UserSid=%UserSid:"=%
if not exist "%~dp0\SetACL.exe" (
    echo SetACL not found!
    exit /b 1
)

The goal is to give domain admin permission to folders that they do not have.
One way I can think of is to write a script that will run as the logon script, so when the user logs on it will run the script under his name, since he's the only one that has full control of the folder, and add the domain admin group to his own folder.
I will do some research on this type of script.
I also read the other articles, but I do not want to change the folder redirection location just for that. The second article, with the "enable administrator group access to the roaming profile" setting from the GPO, would be the perfect solution if I used roaming profiles, but unfortunately I don't, and I don't think that will work for folder redirection.

Accepted Solution

infedonetwork earned 0 total points
ID: 39735133
OK, I think I got it.
I built a script as follows that I set in GP as a logon script, and now when the user logs on I get assigned full permission to all sub-folders under that user's folder.

icacls "\\server\users\%username%" /grant briggsnursery\administrator:(OI)(CI)f /t /q

I just tested it with one user account.
Will see Monday how it goes for everyone.
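
An added example, not part of the original post: the same per-user logon-script idea, extended to grant a group instead of a single account, limited to the three redirected folders named in this thread, and skipping the recursive grant when the entry is already present. The share root, the group name EXAMPLE\Backup-Readers and the RIGHTS value are assumed placeholders.

```batch
@echo off
setlocal EnableExtensions

:: Added example. Assumptions (placeholders, adjust to your environment):
::   ROOT    - per-user redirection root, as in the thread
::   GRANTEE - group the backup service account belongs to, written the way
::             icacls prints it (DOMAIN\name)
::   RIGHTS  - F mirrors the post above; (OI)(CI)RX is the narrower choice
::             if the backup agent only needs to read the files
set "ROOT=\\server\users\%USERNAME%"
set "GRANTEE=EXAMPLE\Backup-Readers"
set "RIGHTS=(OI)(CI)F"
set "FAILED=0"

if not exist "%ROOT%\" (
    echo Redirected root not found: %ROOT%
    exit /b 1
)

:: Runs as the logged-on user, who owns these folders and may edit their ACLs.
for %%F in ("Desktop" "My Documents" "Favorites") do call :GrantOne "%ROOT%\%%~F"
exit /b %FAILED%

:GrantOne
:: Not every user has every folder redirected; skip missing ones.
if not exist "%~1\" exit /b 0

:: If the folder's ACL already lists the grantee, skip the recursive grant
:: so the whole tree is not rewritten at every logon.
icacls "%~1" | findstr /i /l /c:"%GRANTEE%:" >nul && exit /b 0

:: /grant adds an entry and leaves the user's own entry in place.
:: /t = recurse, /c = continue past errors, /q = suppress success messages.
icacls "%~1" /grant "%GRANTEE%:%RIGHTS%" /t /c /q >nul
if errorlevel 1 (
    echo Failed to update ACL on %~1
    set "FAILED=1"
)
exit /b 0
```

Running `icacls` against one user's Desktop folder from an admin session afterwards shows whether the group entry landed with the inheritance flags expected.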

Author Comment

ID: 39746157
I've requested that this question be closed as follows:

Accepted answer: 0 points for infedonetwork's comment #a39735133

for the following reason:

The only solution that works for all users at the same time
LVL 47

Expert Comment

by:Donald Stewart
ID: 39746158
I at the minimum led you in the right direction and to icacls, credit is deserved there.

Author Closing Comment

ID: 39755821
I added your answer as a partial solution, but that did not help with the goal of assigning the administrator full access to the users' Documents with one single script for all users at the same time. But your script will get the same results if there is a way to extract each user SID in the form of a variable. Without that I need to enter it one by one, and that does not fix my problem of assigning permission to multiple folders at once or without having to manipulate each folder or script individually.
Thank you all for your help.

Question has a verified solution.
