roaming profile permissions

This topic contains 3 replies, has 4 voices, and was last updated by Niv Stav 3 years, 1 month ago.

  • #13879
    Jesse
    Participant

    Last year I started a new job at a company that was overwhelmed with IT and not enough staff to handle it for several years. I have slowly been able to assist in getting everyone up to speed and many issues resolved. Right now I am looking at the roaming profiles and I see that pretty much everyone has full permissions to everyone else's profile. This is obviously a security issue and I want to resolve it without taking 15 hours of manually changing the permissions and ownership of each folder.

    I found the following link with the security recommendations for roaming profiles
    http://technet.microsoft.com/en-us/library/cc757013(WS.10).aspx

    and I found this link on how to set permissions for a specified group for those profiles.
    http://social.technet.microsoft.com/wiki/contents/articles/12460.powershell-automate-roaming-profile-folder-permissions.aspx
    It works great for assigning domain admins permissions but I need to do more:

    1. Assign ownership of each folder to the user it belongs to. I do not know how to take ownership via PowerShell, and if I did, how could I change the ownership using a wildcard that would put that user as the owner? As I understand scripting, using a wildcard like %username% would assign the permissions of the user running the script, not the user who needs ownership.

    2. Assign full permissions for the user of the profile

    3. Basically it needs to assign the permissions as it is described in the technet article listed above.

    Any help and suggestions would be greatly appreciated.

  • #13888
    Don Jones
    Keymaster

    Yeah, unfortunately PowerShell remains sucky for file permissions. Set-Acl works, but basically gets down to .NET Framework programming. And no, you can't use wildcards ;). But you could certainly save time by looking at the folder name in order to look up the user's SID in Active Directory, and then applying that as the owner/permission/whatever. The help for Set-Acl has some good examples.
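
The approach described in the reply above (take the account name from the folder name, resolve its SID, apply it as owner and in the ACL), as an added example that is not part of the original thread. `$ProfileRoot` and `$Domain` are placeholders, and the target state (user and SYSTEM with Full Control, user as owner, inheritance blocked) is an assumption to adjust to your own policy.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
# Assigning another account as owner needs SeRestorePrivilege: run elevated
# as an administrator of the file server.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ProfileRoot = '\\fileserver\profiles$',  # placeholder share path
    [string]$Domain      = 'CONTOSO'                  # placeholder NetBIOS domain name
)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$system    = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')  # Local System

foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
    # Vista and later append ".V2", ".V3", ... to the profile folder name;
    # strip the suffix to recover the account name.
    $sam = $dir.Name -replace '\.V\d+$', ''

    # Resolve the account to a SID. A folder with no matching account
    # (stale profile, renamed user) is reported and left untouched.
    try {
        $account = New-Object System.Security.Principal.NTAccount($Domain, $sam)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Skipped '$($dir.FullName)': cannot resolve $Domain\$sam ($($_.Exception.Message))"
        continue
    }

    # Build the descriptor from scratch so no existing explicit ACE survives.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)  # block inheritance, discard inherited ACEs
    $acl.SetOwner($sid)
    foreach ($id in $sid, $system) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)
    }

    if ($PSCmdlet.ShouldProcess($dir.FullName, "Set owner and ACL to $Domain\$sam and SYSTEM")) {
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    }
}
```

Run it with `-WhatIf` first to list the folders it would change. Only the top-level profile folder is rewritten: files and subfolders keep their current owner and any explicit ACEs of their own.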

  • #13909
    Niv Stav
    Participant

    There's a really nice module for managing Security and Audit settings:
    http://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85

    Been using it for a while and I feel it offers much better granularity and control than subinacl, the built-in ACL-related cmdlets or 3rd party tools like SetAcl.

  • #13885
    Tore Groneng
    Participant

    Hi,

    In the good old days, we used a Resource Kit tool called subinacl.exe. That might be a solution, unless you want to embark on a P/Invoke snippet in PowerShell. See this thread from the Scripting Guy for more information:

    how-can-i-use-windows-powershell-to-determine-the-owner-of-a-file

    Cheers
