Reset Roaming Profile and Folder Redirection Permissions

Mark Berry October 6, 2010

One of the biggest challenges of working with roaming profiles and folder redirection is setting permissions on the shared objects. I recently migrated a Server 2003 domain controller to Server 2008 R2. In spite of following the Microsoft migration guide, Migrate Server Roles to Windows Server 2008 R2, users were unable to access their roaming data after the migration. What should the permissions be, and how do I fix them?

First I should mention that I consider roaming profiles and folder redirection to be two sides of the same coin. I set up folder redirection to reduce logon delay when using roaming profiles (as recommended here). So I want to check/reset permissions on both.

Tracking Down Correct Permissions

The article Using Folder Redirection talks about new features in Server 2008 R2 but does not address security. So we are left with the Server 2003 documentation. Here are two key TechNet articles listing required permissions:

If you compare the permissions, you’ll see that they are almost identical. Some additional considerations before presenting my combined settings:

  • I do want Administrators to have Full control of roaming profiles and shared folders. I’ve added that permission to the parent folders, and I’ve set the following group policy to Enabled: Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrator security group to the roaming user profile share.
  • Based on the Recommendations for Using Offline Files article, I also set the following group policy to Enabled: Computer Configuration\Administrative Templates\Network\Offline Files\Synchronize all offline files before logging off.
  • Roaming profiles have their own caching mechanism so Offline File Caching must be disabled on the share. Folder redirection does not do its own caching, so Offline File Caching should be allowed or even forced (“autocaching”).

With that background, here’s how I set up my two server shares:

Share Setup

This must be configured manually.

| Setting | Roaming Profile | Folder Redirection |
|---|---|---|
| Share Name | \\SERVER01\UserProfiles | \\SERVER01\UserDocs |
| Share Permissions | Everyone – Full Control | Everyone – Full Control |
| Share Caching | No files or programs from the shared folders are available offline | All files and programs that users open from the shared folder are automatically available offline. Optimize for performance is checked. |

NTFS Permissions – Parent Folder

This must be configured manually.

| Identity | Roaming Profile | Folder Redirection |
|---|---|---|
| CREATOR OWNER | Full control, Subfolders and files only | Full control, This folder, subfolders and files (*) |
| Administrators | Full control, This folder, subfolders and files | Full control, This folder, subfolders and files |
| Domain Users (or any group you choose) | List Folder/Read Data, Create Folders/Append Data – This folder only | List Folder/Read Data, Create Folders/Append Data – This folder only |
| SYSTEM | Full control, This folder, subfolders and files | Full control, This folder, subfolders and files |

(*) Although documented to include This folder, when I set that permission, for some reason the system changes it to Subfolders and files only, the same as for the roaming profile.

NTFS Permissions – User Folders

These permissions are set automatically when the system creates a profile. We’ll look at resetting them in a script below. All permissions apply to This folder, subfolders and files.

| Identity | Roaming Profile | Folder Redirection |
|---|---|---|
| %UserName% | Owner of folder, Full control | Owner of folder, Full control |
| SYSTEM | Full control | Full control |
| Administrators | Full control | Full control |

Resetting Permissions

If you run into permission issues, first make sure your parent folder permissions are correct as defined above.

If you need to reset permissions on a user folder, you will first need to take ownership of the entire folder, then reset permissions, then assign ownership back to the user. While it is possible to do this in the GUI, if you need to do it for lots of users, you’ll want to develop a script. Starting from Richard Teachout’s article, I came up with the following approach. Notes:

  • You can use the built-in utility takeown to assign ownership to Administrators. However in order to assign ownership back to end users, you’ll need to download and install subinacl.
  • For permission assignment, you can use the built-in cacls utility. Although Mr. Teachout recommended the /G parameter to grant permissions, I had better luck with the /P parameter to replace permissions. This hopefully takes care of the odd permission on some profiles where the user has full access to the top folder only. Using /G on that kind of folder generates errorlevel 13 and the message "The data is invalid".

My environment has the following physical folder structure:

D:\RoamingProfiles

D:\RoamingProfiles\UserDocs
D:\RoamingProfiles\UserDocs\User01
D:\RoamingProfiles\UserDocs\User02

D:\RoamingProfiles\UserProfiles
D:\RoamingProfiles\UserProfiles\User01
D:\RoamingProfiles\UserProfiles\User01.V2 – used by new Windows 7 profile folder redirection
D:\RoamingProfiles\UserProfiles\User02
D:\RoamingProfiles\UserProfiles\User02.V2

The Script

Based on that structure, I created my script in the D:\RoamingProfiles folder, and assumed it would be run with a single parameter, the %UserName%. Here are the basic commands. As always, use at your own risk!

REM Recursively assign ownership to Administrators.  Answer prompts with "Y".
takeown /R /A /F UserDocs\%1 /D Y
REM Grant Full permissions on folder and subfolders to Administrators, SYSTEM, and the user
cacls UserDocs\%1 /T /E /P "Administrators":F
cacls UserDocs\%1 /T /E /P SYSTEM:F
cacls UserDocs\%1 /T /E /P %1:F
REM Set owner back to UserName
subinacl.exe /noverbose /subdirectories UserDocs\%1\*.* /setowner=%1

That handles UserDocs\%1. Additional script sections work on UserProfiles\%1 and UserProfiles\%1.V2.

The script will generate a lot of output. If you want to review it later, you can create a LogFiles folder and append

>> LogFiles\%1.txt

to each line. You may want to add some %errorlevel% checking as well. Once you’ve got it working for one user, you can write a top-level script to call it for each user.
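For comparison, here is the same take-ownership, reset, give-back sequence written in PowerShell, as an added example that is not the post's script. It uses the built-in icacls (present on Server 2008 R2, including /setowner) in place of cacls and subinacl, checks each tool's exit code, appends everything to a per-user log, and verifies the result with Get-Acl. It assumes an elevated session, the D:\RoamingProfiles layout from the post, and that the user belongs to the server's own domain (the $Domain default).

```powershell
# Added example (not the post's script): take ownership, replace permissions, give ownership back,
# using icacls instead of cacls/subinacl. Assumes an elevated session and the D:\RoamingProfiles layout.
param(
    [Parameter(Mandatory = $true)][string]$UserName,
    [string]$Domain = $env:USERDOMAIN,            # assumption: the user lives in the server's domain
    [string]$Root = 'D:\RoamingProfiles',
    [string]$LogDir = 'D:\RoamingProfiles\LogFiles'
)
$null = New-Item -ItemType Directory -Path $LogDir -Force
$log = Join-Path $LogDir "$UserName.txt"
$identity = "$Domain\$UserName"

function Invoke-Logged([string]$Exe, [string[]]$Arguments) {
    # Run a native tool, append its output to the log, and stop on a non-zero exit code
    # (the post's errorlevel 13 case from cacls would be caught the same way).
    "$(Get-Date -Format s) $Exe $($Arguments -join ' ')" | Out-File -FilePath $log -Append
    & $Exe @Arguments | Out-File -FilePath $log -Append
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with $LASTEXITCODE on: $($Arguments -join ' ')" }
}

function Reset-UserFolderAcl([string]$Path, [string]$Identity) {
    # 1. Administrators take ownership of the whole tree (same as takeown /R /A in the post).
    Invoke-Logged 'takeown.exe' @('/R', '/A', '/F', $Path, '/D', 'Y')
    # 2. Replace (:r) the explicit entries for the user, SYSTEM and Administrators with Full control
    #    on this folder, subfolders and files ((OI)(CI)), for every item (/T); /C continues past errors.
    Invoke-Logged 'icacls.exe' @($Path, '/grant:r', "${Identity}:(OI)(CI)F",
        'NT AUTHORITY\SYSTEM:(OI)(CI)F', 'BUILTIN\Administrators:(OI)(CI)F', '/T', '/C')
    # 3. Hand ownership back to the user (replaces subinacl /setowner).
    Invoke-Logged 'icacls.exe' @($Path, '/setowner', $Identity, '/T', '/C')
}

function Test-UserFolderAcl([string]$Path, [string]$Identity) {
    # $true when the top folder is owned by the user and all three identities hold Full control.
    $acl  = Get-Acl -LiteralPath $Path
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $have = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and
              ($_.FileSystemRights -band $full) -eq $full } | ForEach-Object { $_.IdentityReference.Value })
    $missing = @($Identity, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') | Where-Object { $have -notcontains $_ }
    return ($acl.Owner -eq $Identity) -and (@($missing).Count -eq 0)
}

# Same three folders the post's script sections cover; missing ones (e.g. no .V2 yet) are skipped.
foreach ($rel in "UserDocs\$UserName", "UserProfiles\$UserName", "UserProfiles\$UserName.V2") {
    $path = Join-Path $Root $rel
    if (-not (Test-Path -LiteralPath $path)) { "Skipping $path (not found)" | Tee-Object -FilePath $log -Append; continue }
    Reset-UserFolderAcl -Path $path -Identity $identity
    "$path reset OK: $(Test-UserFolderAcl -Path $path -Identity $identity)" | Tee-Object -FilePath $log -Append
}
```

Run it as `.\Reset-UserPerms.ps1 -UserName User01` (script name is a placeholder); a top-level loop over user names can call it the same way the post suggests for the batch version.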



53 Comments

  1. Mark Berry   |  May 02, 2013 at 6:27 pm

    Sahalu, the last line of the script does just that, assign ownership back to the user:

    REM Set owner back to UserName
    subinacl.exe /noverbose /subdirectories UserDocs\%1\*.* /setowner=%1

    Not sure if that is possible via the GUI.

  2. Sahalu Saidu   |  May 02, 2013 at 8:31 pm

    Thanks Mark! That was fast, really appreciate it. I meant by the way in the above post.

  3. Roaming profile permissions and versions « rakhesh.com   |  February 19, 2015 at 5:40 am

    […] roaming profile add the Administrator group to its ACLs. Best to create a PowerShell script or a batch file and automate the whole […]
