Add permissions to folder redirection my documents

Posted on 2013-12-16
Last Modified: 2014-01-04
Hi Guys

I have a group policy that redirects the "My Documents" and Desktop folders to the server for about 40 PCs at one location, and this scenario repeats very often for other domains that I manage.
As you know, the My Documents and Desktop folders have permissions assigned only to the user that owns the folder, and no Domain admins have access to them.
My problem is that I'm using cloud backup software like Livedrive to back up data on the server, including the users' personal folders. The Livedrive service runs under the administrator account, but since the administrator does not have access to the My Documents folder, nothing gets backed up in those folders. My workaround is to take ownership of each folder and add domain admin under Security, then give the ownership back to the user.
If it is just a few users it is not a big deal, but when you have 40 users and you multiply by 2 folders each, there are a lot of permissions to be assigned manually.
I was wondering if there is a command script that can be run either as a logon script that will assign the domain admin rights to those folders and subfolders without taking the user out of the permission list.
Thank you
Question by:infedonetwork

Expert Comment

ID: 39724791
You need to clear the Grant user exclusive rights to my documents box.

Enabling the administrator to have access to redirected folders

Expert Comment

by:Sainyam Aggarwal
ID: 39725601
If you still have doubt you can walk through with this article.

Author Comment

ID: 39725957
This does not work because under the users folder you have the following:
\\server\users\john. Up to here domain admin has access, but when you go to \desktop or \favorites or \my Documents only the user and system have access, so no matter what permission I try to modify at the user folder level it will not propagate up to the Desktop or My Documents level. I will just get an access denied.

Author Comment

ID: 39725988
I also forgot to mention that when I looked at the Security and Advanced tab of the users folder, all I see is what's below, and I do not have the option of "Allow inheritable permissions from parent to propagate to this object". If I take the check mark off "Include inheritable permissions..." and choose Remove, then I will get access denied when it comes to applying to the Desktop and My Documents folders.


Expert Comment

ID: 39726848
Each folder has the setting to "Grant user exclusive rights.."  ...uncheck that box


Assisted Solution

dstewartjr earned 500 total points
ID: 39726858
You can use the script here to alter/repair the permissions on the root folder here


Author Comment

ID: 39728278
Not sure if I properly explained my goal.
I have a server running Windows 2011 SBS and it has a folder called shared\users.
The GPO redirects all Desktops and My Documents under the users folder.
As an example, I have for Tom \\server\shared\users\tom\desktop and My Documents.
Everyone has Read, List and Execute and Domain admins has Full Control up to the Tom folder.
At the Desktop and My Documents only Tom and system have full rights.
To be able to back up the Desktop and My Documents to the cloud, the user that Livedrive runs under needs access to those two folders.
What I did until now is go to Properties of the Desktop folder, Security, Advanced, Owner, then take ownership of the folder. Then add Domain admin and Tom with full control, then make Tom the owner. I have to do the same for the My Documents and Favorites folders.
So 3 folders times 40 users or more is at least 120 folders to modify one by one.
The goal is to assign permission to the Domain admins with one script for everyone.
What you all suggest, I believe, still requires going to each folder or logging on as the users and going to the properties of each folder.
I already took the "Grant the user exclusive rights" permission out of the GPO, but I still have Tom and system, and if I try to remove the propagation at the root folder \\server\users it will not be applied to any of the My Documents folders because the administrator has no permission to make any changes to those folders.
The only way I see is to take ownership of the users folder and all subfolders, then add the domain admin, but I will not have Tom in there, so I will be back to ground zero where I have to go to each folder and add each user to their own folder and make them owners again.

Expert Comment

ID: 39729352
Did you not read the article I posted at all?

The script

" Sets full access for the user and administrators on the specified redirected folder root "

When you try to remove propagation on the root, select "Copy"

These may help you as well

Especially this one

Reset Roaming Profile and Folder Redirection Permissions

Author Comment

ID: 39735033
The script will work if I find out the SID for each user and enter it each time I run the script.
This will not save much time. Please correct me if I'm wrong.
:: User SID
if "%~2"=="" (
    echo Please specify the user SID as the second parameter!
    exit /b 1
)
:: Strip any double quotes from the SID argument
set UserSid=%~2
set UserSid=%UserSid:"=%
:: SetACL.exe must sit next to this script
if not exist "%~dp0\SetACL.exe" (
    echo SetACL not found!
    exit /b 1
)

The goal is to give domain admin permission to folders that they do not have.
One way I can think of is to write a script that will run as the logon script, so when the user logs on it will run the script under his name, since he's the only one that has full control of the folder, and add the domain admin group to his own folder.
I will do some research on this type of script.
I also read the other articles, but I do not want to change the folder redirection location just for that, and the second article, with enabling administrator group access to the roaming profile from the GPO, would be the perfect solution if I used roaming profiles, but unfortunately I don't, and I don't think that will work for folder redirection.

Accepted Solution

infedonetwork earned 0 total points
ID: 39735133
OK, I think I got it.
I built a script as follows that I set in GP as a logon script, and now when the user logs on I get assigned full permission to all subfolders under that user's folder.

icacls "\\server\users\%username%" /grant briggsnursery\administrator:(OI)(CI)f /t /q

I just tested it with one user account.
Will see Monday how it goes for everyone.

Author Comment

ID: 39746157
I've requested that this question be closed as follows:

Accepted answer: 0 points for infedonetwork's comment #a39735133

for the following reason:

The only solution that works for all users at the same time

Expert Comment

ID: 39746158
I at the minimum led you in the right direction and to icacls, credit is deserved there.

Author Closing Comment

ID: 39755821
I added your answer as a partial solution, but that did not help with the goal of assigning administrator full access to the users' Documents with one single script for all users at the same time. But your script will get the same results if there is a way to extract each user SID in the form of a variable. Without that I need to enter it one by one, and that does not fix my problem of assigning permissions to multiple folders at once or without having to manipulate each folder or script individually.
Thank you all for your help.
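
A way to verify the logon-script approach from the accepted solution across all users, resolving each user's SID from the folder name instead of entering it by hand. This is an added example, not code from the thread; `Resolve-Sid` and `Test-RedirectedFolder` are hypothetical helper names, and it assumes Windows PowerShell 3.0 or later and that each folder under the root is named after the user's logon name.

```powershell
# Added example, not code from the thread. Run as an administrator after users have logged on.
# Assumptions: every folder under $Root is named after the user's logon name (as in
# \\server\users\%username%) and $Admin is the account granted by the icacls logon script.
$Root    = '\\server\users'
$Domain  = 'briggsnursery'
$Admin   = "$Domain\administrator"
$Folders = 'Desktop', 'My Documents', 'Favorites'
$SidType = [System.Security.Principal.SecurityIdentifier]
$Full    = [System.Security.AccessControl.FileSystemRights]::FullControl

function Resolve-Sid([string]$Account) {
    # Account name -> SID lookup; returns $null when the name cannot be resolved.
    try { ([System.Security.Principal.NTAccount]$Account).Translate($SidType) } catch { $null }
}

function Test-RedirectedFolder([string]$Path, $UserSid, $AdminSid) {
    $row = [ordered]@{ Path = $Path; Readable = $false; OwnerIsUser = $null; AdminFull = $null }
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        $row.Readable    = $true
        # The user should still own the folder after the grant.
        $row.OwnerIsUser = ($acl.GetOwner($SidType).Value -eq $UserSid.Value)
        # Look for an Allow ACE for the admin account that includes Full Control.
        $row.AdminFull   = [bool]($acl.GetAccessRules($true, $true, $SidType) | Where-Object {
            $_.IdentityReference.Value -eq $AdminSid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $Full) -eq $Full
        })
    } catch {
        # The ACL could not be read: typically the logon script has not run for this user yet.
    }
    [pscustomobject]$row
}

$adminSid = Resolve-Sid $Admin
# Only folders that still need attention are listed; no output means every folder checks out.
Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $userSid = Resolve-Sid "$Domain\$($_.Name)"
    foreach ($name in $Folders) {
        $path = Join-Path $_.FullName $name
        if (Test-Path -LiteralPath $path) { Test-RedirectedFolder $path $userSid $adminSid }
    }
} | Where-Object { -not ($_.Readable -and $_.OwnerIsUser -and $_.AdminFull) } |
    Format-Table -AutoSize
```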
