

Add permissions to folder redirection my documents

Posted on 2013-12-16
Medium Priority
Last Modified: 2014-01-04
Hi Guys

I have a group policy that redirects "My Documents" and the Desktop folder to the server for about 40 PCs at one location, and this scenario repeats very often for other domains that I manage.
As you know, the My Documents and Desktop folders have permissions assigned only to the user that owns the folder, and no Domain Admins have access to them.
My problem is that I'm using cloud backup software like Livedrive to back up data on the server, including the users' personal folders. The Livedrive service runs under the administrator account, but since the administrator does not have access to the My Documents folder, nothing gets backed up in those folders. My workaround is to take ownership of each folder and add domain admin under Security, then give the ownership back to the user.
If it is just a few users it is no big deal, but when you have 40 users and you multiply by 2 folders each, there are a lot of permissions to be assigned manually.
I was wondering if there is a command script that can be run either as a logon script that will assign the domain admin rights to those folders and subfolders without taking the user out of the permission list.
Thank you
Question by:infedonetwork
LVL 47

Expert Comment

by:Donald Stewart
ID: 39724791
You need to clear the Grant user exclusive rights to my documents box.

Enabling the administrator to have access to redirected folders


Expert Comment

by:Sainyam Aggarwal
ID: 39725601
If you still have doubts, you can walk through this article.


Author Comment

ID: 39725957
This does not work because under the users folder you have the following:
\\server\users\john Up to here domain admin has access, but when you go to \desktop or \favorites or \My Documents only the user and system have access, so no matter what permission I try to modify at the user folder level it will not propagate up to the Desktop or My Documents level. I will just get an access denied.


Author Comment

ID: 39725988
I also forgot to mention that when I looked at the Security and Advanced tab of the users folder, all I see is what's below, and I do not have the option of "Allow inheritable permissions from parent to propagate to this object". If I take the check mark off "Include inheritable permissions....." and choose Remove, then I will get access denied when it comes to applying to the Desktop and My Documents folders.

LVL 47

Expert Comment

by:Donald Stewart
ID: 39726848
Each folder has the setting to "Grant user exclusive rights.."  ...uncheck that box

LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 2000 total points
ID: 39726858
You can use the script here to alter/repair the permissions on the root folder here


Author Comment

ID: 39728278
Not sure if I properly explained my goal.
I have a server running Windows 2011 SBS and it has a folder called shared\users.
The GPO redirects all Desktops and My Documents under the users folder.
As an example, I have for Tom \\server\shared\users\tom\desktop and My Documents.
Everyone has read, list and execute, and Domain Admins have full control, up to the Tom folder.
At the Desktop and My Documents level only Tom and system have full rights.
To be able to back up the Desktop and My Documents to the cloud, the user that Livedrive runs under needs access to those two folders.
What I did until now is: Properties of the Desktop folder, Security, Advanced, Owner, then take ownership of the folder. Then add Domain admin and Tom with full control, then make Tom the owner. I have to do the same for the My Documents and Favorites folders.
So 3 folders times 40 users or more is at least 120 folders to modify one by one.
The goal is to assign permissions to the Domain Admins with one script for everyone.
What you all suggest, I believe, still requires going to each folder or logging on as the users and going to the properties of each folder.
I already took the "Grant the user exclusive rights" setting out of the GPO, but I still have Tom and system, and if I try to remove the propagation at the root folder \\server\users it will not be applied to any of the My Documents folders because the administrator has no permission to make any changes to those folders.
The only way I see is to take ownership of the users folder and all subfolders, then add the domain admin, but I will not have Tom in there, so I will be back to ground zero where I have to go to each folder and add each user to their own folder and make them owners again.
LVL 47

Expert Comment

by:Donald Stewart
ID: 39729352
Did you not read the article I posted at all?

The script

" Sets full access for the user and administrators on the specified redirected folder root "

When you try to remove propagation on the root, select "Copy"

These may help you as well


Especially this one

Reset Roaming Profile and Folder Redirection Permissions

Author Comment

ID: 39735033
The script will work if I find out the SID for each user and enter it each time I run the script.
This will not save much time. Please correct me if I'm wrong.
:: User SID
if "%~2"=="" (
    echo Please specify the user SID as the second parameter!
    exit /b 1
)
set UserSid=%~2
set UserSid=%UserSid:"=%
if not exist "%~dp0\SetACL.exe" (
    echo SetACL not found!
    exit /b 1
)

The goal is to give domain admins permission to folders that they do not have access to.
One way I can think of is to write a script that will run as the logon script, so when the user logs on it will run the script under his name, since he's the only one that has full control of the folder, and add the domain admin group to his own folder.
I will do some research on this type of script.
I also read the other articles, but I do not want to change the folder redirection location just for that. The second article, with enabling administrator group access to the roaming profile from the GPO, would be the perfect solution if I used roaming profiles, but unfortunately I don't, and I don't think that will work for folder redirection.

Accepted Solution

infedonetwork earned 0 total points
ID: 39735133
OK, I think I got it.
I built a script as follows that I set in GP as a logon script, and now when the user logs on I get assigned full permission to all sub-folders under that user folder.

icacls "\\server\users\%username%" /grant briggsnursery\administrator:(OI)(CI)f /t /q

I just tested it with one user account.
Will see Monday how it goes for everyone.
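
The logon-script approach from the accepted answer, as an added PowerShell example (not part of the original post): it grants a group rather than a single account, touches only the redirected folders, and skips the recursive icacls walk once the ACE is in place. The share path, the folder names and the `Domain Admins` group name are assumptions based on the thread's description.

```powershell
# Added example: idempotent logon script, run in the user's own context
# (the user is the only principal allowed to change these ACLs).
# Assumed values: share root, folder names and group name below.
param(
    [string]$UserRoot   = "\\server\users\$env:USERNAME",
    [string[]]$Folders  = @('Desktop', 'My Documents', 'Favorites'),
    [string]$Principal  = "$env:USERDOMAIN\Domain Admins"
)

# Resolve the group to a SID once, so the ACL comparison and the icacls
# call do not depend on how the account name is spelled or localized.
$sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$full = [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($name in $Folders) {
    $path = Join-Path $UserRoot $name
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Skip the tree walk when the folder already carries an Allow
    # full-control ACE for the group (keeps later logons fast).
    $acl = Get-Acl -LiteralPath $path
    $present = $acl.GetAccessRules($true, $true,
                   [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        }
    if ($present) { continue }

    # Same grant as the accepted answer: (OI)(CI)F applied down the tree.
    # /grant adds an ACE and leaves the user's own entry untouched;
    # icacls takes a numeric SID when it is prefixed with '*'.
    & icacls.exe $path /grant "*$($sid.Value):(OI)(CI)F" /t /c /q | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls failed on $path (exit code $LASTEXITCODE)"
    }
}
```

Because the script runs as the folder owner, no take-ownership step is needed. The owner can also remove the ACE again, which is why the check repeats at every logon.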

Author Comment

ID: 39746157
I've requested that this question be closed as follows:

Accepted answer: 0 points for infedonetwork's comment #a39735133

for the following reason:

The only solution that works for all users at the same time
LVL 47

Expert Comment

by:Donald Stewart
ID: 39746158
I at the minimum led you in the right direction and to icacls, credit is deserved there.

Author Closing Comment

ID: 39755821
I added your answer as a partial solution, but that did not help with the goal of assigning administrator full access to the users' Documents with one single script for all users at the same time. But your script will get the same results if there is a way to extract each user SID in the form of a variable. Without that I need to enter it one by one, and that does not fix my problem of assigning permissions to multiple folders at once or without having to manipulate each folder or script individually.
Thank you all for your help.

Question has a verified solution.