Getting access to the My Documents redirected folders

When you use redirected folders in SBS (or on any Windows server), by default (unless you check the box) access is limited to the user only. So if you are the admin, you are prompted with an “I’m sorry, Hal, I won’t let you do this”. You can click through the prompt or take ownership of the folders, but you might want to do it the way Gerhard wanted to.


Using this blog post as a guide:


How to restore Administrators’ access to redirected My Documents folders « My PKB:
http://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/

The first thing to do is download PsExec from PsTools. You don’t have to download PowerShell, as it’s already on the box.


http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx


Copy the script below and change two things:


$StartingDir = "E:\Users\shares"


The location of the redirected shares

$Principal = "INSERT_DOMAIN_NAME\INSERT_ADMIN_SBS"


The name and domain of the Domain admin account you want to give rights to.


Now save the file as permissions.ps1 (that’s the number 1, not the letter L, by the way).


Download PsExec and extract it on the box. Then here’s the trick you have to remember: right mouse click on the command line icon and choose “Run as administrator”.



Now type the following in the command window to run the script:



psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1'"


And then the permissions/ownership will be changed.



And now you won’t get the “I’m sorry I won’t let you do that” when clicking on the folders.


Proactively you can change the group policy setting to not be as restrictive.



Right mouse click and choose Edit.



Under the SBS folder redirect policy, drill down under User Configuration, then Policies, then Windows Settings, then Folder Redirection.



And then uncheck “Grant the user exclusive rights to the Desktop”.



 


The permission script is below:


====copy from here ====


#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

$StartingDir= "E:\Users\shares"

$Principal="INSERT_DOMAIN_NAME\INSERT_ADMIN_SBS"

$Permission="F"

$Verify=Read-Host `n "You are about to change permissions on all" `
"files starting at"$StartingDir.ToUpper() `n "for security"`
"principal"$Principal.ToUpper() `
"with new right of"$Permission.ToUpper()"."`n `
"Do you want to continue? [Y,N]"

if ($Verify -eq "Y") {

    foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
        #display filename and old permissions
        write-Host -foregroundcolor Yellow $file.FullName
        #uncomment if you want to see old permissions
        #CACLS $file.FullName

        #ADD new permission with CACLS
        CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL

        #display new permissions
        Write-Host -foregroundcolor Green "New Permissions"
        CACLS $file.FullName
    }
}



===== to here======
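
To confirm the result after the script has run, the read-only audit below (an added example, not part of the original post or the script it quotes) lists each top-level folder under $StartingDir, whether $Principal holds a direct Full Control entry, and whether any broad group can reach the folder. It assumes the same placeholder values as the script, English names for the built-in groups, a hypothetical function name Get-RedirectedFolderAudit, and a session that can read the ACLs, such as the one started with psexec -s.

```powershell
# Added example: read-only audit, changes nothing on disk.
# Assumptions: same $StartingDir / $Principal placeholders as ChangePermissions.ps1;
# English-language names for the built-in groups listed in $BroadGroups.
$StartingDir = "E:\Users\shares"
$Principal   = "INSERT_DOMAIN_NAME\INSERT_ADMIN_SBS"
$BroadGroups = "Everyone", "BUILTIN\Users", "NT AUTHORITY\Authenticated Users"
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

# Hypothetical helper name; returns one report object per folder
function Get-RedirectedFolderAudit {
    param([string]$Path, [string]$Principal, [string[]]$BroadGroups)

    try { $acl = Get-Acl -Path $Path -ErrorAction Stop }
    catch {
        # Typically "access denied": the folder is still exclusive to its user
        return New-Object PSObject -Property @{
            Path = $Path; Owner = "(unreadable)"; AdminFullControl = $false; BroadAccess = "" }
    }

    $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq "Allow" })

    # True when an Allow ACE naming the principal directly carries every FullControl bit
    # (access granted only through group membership is not counted here)
    $adminFull = @($allow | Where-Object {
        $_.IdentityReference.Value -ieq $Principal -and
        (([int]$_.FileSystemRights -band $FullControl) -eq $FullControl)
    }).Count -gt 0

    # Allow ACEs for wide groups mean other users can reach this folder
    $broad = @($allow | Where-Object { $BroadGroups -contains $_.IdentityReference.Value } |
        ForEach-Object { "{0}:{1}" -f $_.IdentityReference.Value, $_.FileSystemRights })

    New-Object PSObject -Property @{
        Path = $Path; Owner = $acl.Owner
        AdminFullControl = $adminFull; BroadAccess = ($broad -join "; ") }
}

# Top-level user folders only; folders still missing the admin entry sort first
Get-ChildItem $StartingDir | Where-Object { $_.PSIsContainer } | ForEach-Object {
    Get-RedirectedFolderAudit -Path $_.FullName -Principal $Principal -BroadGroups $BroadGroups
} | Sort-Object AdminFullControl, Path |
    Format-Table Path, Owner, AdminFullControl, BroadAccess -AutoSize
```

A non-empty BroadAccess column on a user's folder is the exposure to look for if the “Grant the user exclusive rights” box has been cleared in the policy.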

6 Thoughts on “Getting access to the My Documents redirected folders”

  1. The “Grant the user exclusive rights to …” (and the behaviour of “Active Directory Users and Computers” and even the old “User Manager for Domains” when it comes to creating legacy home directories) has perplexed me. Why would *any* administrator want their permission hierarchy to get mangled up, automatically, by the OS? Further, having a world-writable directory where users’ redirected folders will be created “automatically” seems like a gigantic security risk to me.

    I’ve always unticked the “Grant the user exclusive rights to …” boxes, and pre-created the user’s redirected folders during the account provisioning process, adding the user to the permissions on each folder. I do the same thing w/ roaming user profile folders, too. (Though, with roaming user profile folders, be sure and enable the Group Policy option “Do not check for user ownership of Roaming Profile Folders” to counteract that silly functionality that Microsoft slipped into W2K SP4 and WXP SP1.)

  2. Gerhard on March 2, 2010 at 3:30 pm said:

    Looks good…I will try next time I run into this problem again

  3. Gerhard on March 2, 2010 at 4:57 pm said:

    btw…once “Grant the user exclusive rights to the Desktop” is enabled on the GPO, disabling it will not get the admin access. I tried it again. Unless restarting the server would make a difference

  4. bradley on March 2, 2010 at 5:03 pm said:

    First off do a gpforce /all, then this takes effect for new redirects, not existing; you still need to do this script.

  5. Gerhard on March 2, 2010 at 6:17 pm said:

    Ok. Will try the script again

  6. Chris Hughes on March 3, 2010 at 12:38 am said:

    Expanding on what Evan said. The ultimate solution is for MS to modify the Group Policy on the redirected folders to the specific user and the SBS admin account.

    Otherwise clearing the “Grant user exclusive rights..” check box is a security problem. Every user on the domain can then browse to the directory and get access.

    This PS script is a great tool though, even if you need to run each time a new user is added to the server.
