Add permissions to folder redirection my documents

Hi Guys

I have a group policy that redirect "My documents" and Desktop folder to the server for about 40 PC's on one location and this scenario repeat very often for other domains that I manage.
As  you know the My documents folder and Desktop has permission assign only to the user that own the folder and no Domain admins has access to.
My problem is that I'm using a Cloud Backup software like Livedrive to backup data on the server including the users personal folders. Livedrive service run under the administrator account but since the administrator does not have acess to the My Documents folder nothing get backup on those folders. My work around is to take ownership of each folder and add domain admin under security then give the ownership back to the user.
If is just a few users is not big deal but when you have 40 users and you multiply by 2 folders each there is a lot's of permission to be assign manually.
I was wondering if there is a command script that can be run eider as a logon script that will assign the domain admin rights to those folders and subfolder without taking the user out of the permission list.
Thank you
Who is Participating?
infedonetworkConnect With a Mentor Author Commented:
OK, I think I got it.
I build a script as following that I set on GP as log on script and now when the user log on I get assign full permission to all sub-folders under that user folder.

icacls "\\server\users\%username%" /grant briggsnursery\administrator:(OI)(CI)f /t /q

I just test it with one user account.
Will see Monday how it goes for everyone.
DonNetwork AdministratorCommented:
You need to clear the Grant user exclusive rights to my documents box.

Enabling the administrator to have access to redirected folders
Sainyam AggarwalSr. IT Support EngineerCommented:
If you still have doubt you can walk through with this article.
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

infedonetworkAuthor Commented:
This does not work because under the users folder you have as follow:
\\server\users\john Up to here domain admin has access but when you go to \desktop or \favorites or \my Documents only the user and system has access so no matter what permission I try to modify at the user folder level it will not propagate up to the Desktop or My documents level. I will just get an access denied.
infedonetworkAuthor Commented:
I also forgot to mention that when I looked at the security and advance tab of the users folder all I see is what's bellow and I do not have the option of :Allow inheritable permissions from parent to propagate to this object " If I take the check mark of the Include inheritable Permissions....." and chose remove then I will get access denied when it comes to applying to the desktop and my documents folder

DonNetwork AdministratorCommented:
Each folder has the setting to "Grant user exclusive rights.."  ...uncheck that box

DonConnect With a Mentor Network AdministratorCommented:
You can use the script here to alter/repair the permissions on the root folder here
infedonetworkAuthor Commented:
Not sure if I properly explain my goal.
I have a server running windows 2011 SBS and it has a folder called shared\users
The GPO redirect all desktops and My Documents under the users folder.
As an Example I have for Tom \\server\shared\users\tom\desktop and My Documents.
Everyone has read list and execute and Domain admins full control up to the Tom folder.
At the Desktop and My documents only Tom and system has full rights.
To be able to backup the desktop and my documents on the cloud the user under what the livedrive run needs access to those two folders.
What I did until now is properties of the Desktop folder, Security, Advanced, Owner then  take ownership of the folder. Then add Domain admin and Tom with full control then make Tom the owner. I have to do the same for the My Documents and Favorite Folders.
So 3 Folders times 40 users or more is at less 120 Folders to modify one by one.
The goal is to assign permission to the Domain admins with one script for everyone.
What  you all suggest I believe it still require to go to each folder or log on as the users and go to the properties of each folder.
I already took the grant the Exclusive permission to the user from the GPO but I still have Tom and system and If try to remove the propagation at the root folder \\server\users it will not applied to any of the My documents folder because the administrator has not permission to make any changes to those folders.
Only way I see is to take ownership of the users folder and all sub folder then add the domain admin but I will not have Tom in there so I will be back to gound zero were I have to go to each folder and add each user to their own folder and make them back owners.
DonNetwork AdministratorCommented:
Did you not read the article I posted at all ?

The script

" Sets full access for the user and administrators on the specified redirected folder root "

When you try to remove propagation on the root, select "Copy"

These may help you as well

Especially this one

Reset Roaming Profile and Folder Redirection Permissions
infedonetworkAuthor Commented:
The script will work if I find out the SID for each user and enter it each time I run the script.
This will not save much time. Please correct me if I'm wrong.
:: User SID
if "%~2"=="" (
    echo Please specify the user SID as the second parameter!
    exit /b 1
set UserSid=%~2
set UserSid=%UserSid:"=%
if not exist "%~dp0\SetACL.exe" (
    echo SetACL not found!
    exit /b 1

The goal is to give domain admin permission to folders that they do not have.
One way I can think about is to write a script that will run at the logon script so when the user logon it will run the script under his name since his the only one that has full control to the folder and add domain admin group to his own folder.
I will do some research on this type of scrip.
I also read the other articles but I do not want to change the folder redirection location just for that and the second article with the enable administrator group acess to the roaming profile from the GPO will be the perfect solution if I will use roaming profiles but unfortunately I don't and I don't think that will work for folder redirection.
infedonetworkAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for infedonetwork's comment #a39735133

for the following reason:

The only solution that work for all users at the same time
DonNetwork AdministratorCommented:
I at the minimum led you in the right direction and to icacls, credit is deserved there.
infedonetworkAuthor Commented:
I add  your answer as a partial solution but that did not help with the goal of assigning administrator full access to the users Documents with one single script for all users at the same time. But your script will get the same results if there is a way  to extract each user SID in form of a variable. Without that I need to enter it one by one and that not fix my problem of assigning permission to multiple folders at once or without having to manipulate each folder or script individually.
Thank you all for your help.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.