roaming profile permissions

This topic contains 3 replies, has 4 voices, and was last updated by  Niv Stav 4 years, 4 months ago.

  • Author
  • #13879


    Last year I started a new job at a company that was overwhelmed with IT and not enough staff to handle it for several years. I have slowly been able to assist in getting everyone up to speed and many issues resolved. Right now I am looking at the roaming profiles and I see that pretty much everyone has full permissions to everyone else's profile. This is obviously a security issue and I want to resolve it without taking 15 hours of manually changing the permissions and ownership of each folder.

    I found the following link with the security recommendations for roaming profiles

    and I found this link on how to set permissions for a specified group for those profiles.
    It works great for assigning domain admins permissions but I need to do more:

    1. Assign ownership of each folder to the user it belongs to. I do not know how to take ownership via PowerShell, and if I did, how could I change the ownership using a wildcard that would put that user as the owner? As I understand scripting, using a wildcard like %username% would assign the permissions of the user running the script, not the user who needs ownership.

    2. Assign full permissions for the user of the profile

    3. Basically it needs to assign the permissions as described in the TechNet article listed above.

    Any help and suggestions would be greatly appreciated.

  • #13888

    Don Jones

    Yeah, unfortunately PowerShell remains sucky for file permissions. Set-Acl works, but basically gets down to .NET Framework programming. And no, you can't use wildcards ;). But you could certainly save time by looking at the folder name in order to look up the user's SID in Active Directory, and then applying that as the owner/permission/whatever. The help for Set-Acl has some good examples.
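
    The approach in the reply above (use the folder name to resolve the user's SID, then apply it as owner and permission), as an added example that is not part of the thread or any poster's code. The function name `Repair-RoamingProfileAcl`, its parameters and the ACL layout (profile user, SYSTEM and Administrators with Full Control, inheritance from the share blocked) are assumptions, because the article the question refers to is not reproduced here; `icacls.exe` is swapped in for the owner change and for resetting child items, with `Set-Acl` writing the folder's own ACL.

```powershell
# Added example. Function name, parameters and ACL layout are assumptions, not from the thread.
function Repair-RoamingProfileAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ProfileRoot,  # folder that holds one subfolder per user
        [Parameter(Mandatory)][string]$Domain        # NetBIOS domain name used to resolve accounts
    )
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    # Well-known SIDs: NT AUTHORITY\SYSTEM and BUILTIN\Administrators
    $fixed = 'S-1-5-18', 'S-1-5-32-544' |
        ForEach-Object { [System.Security.Principal.SecurityIdentifier]$_ }

    foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
        # Profile folders may carry a version suffix ("jsmith.V2", "jsmith.V6"); strip it
        $sam = $dir.Name -replace '\.V\d+$', ''
        try {
            $sid = ([System.Security.Principal.NTAccount]"$Domain\$sam").Translate(
                       [System.Security.Principal.SecurityIdentifier])
        } catch {
            # Orphaned or misnamed folder: never guess an owner, report it instead
            Write-Warning "No account found for '$($dir.Name)'; folder left untouched"
            continue
        }
        if (-not $PSCmdlet.ShouldProcess($dir.FullName, "Set owner and ACL for $Domain\$sam")) {
            continue
        }
        # 1. Make the profile user the owner of the folder and everything below it
        icacls.exe $dir.FullName /setowner "*$sid" /T /C /Q | Out-Null

        # 2. Replace the folder's DACL: block inheritance, drop every existing entry
        $acl = New-Object System.Security.AccessControl.DirectorySecurity
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($id in @($sid) + $fixed) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                $id, 'FullControl', $inherit, $none, $allow)))
        }
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl

        # 3. Reset child items so they inherit only from the folder's new ACL
        icacls.exe "$($dir.FullName)\*" /reset /T /C /Q | Out-Null

        [pscustomobject]@{ Folder = $dir.Name; Owner = "$Domain\$sam"; Sid = $sid.Value }
    }
}
```

    Run it from an elevated session on the file server, first with `-WhatIf` to list which folders resolve to an account and which are skipped.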

  • #13909

    Niv Stav

    There's a really nice module for managing Security and Audit settings:

    Been using it for a while and I feel it offers much better granularity and control than subinacl, the builtin ACL related cmdlets or 3rd party tools like SetAcl.

  • #13885

    Tore Groneng


    In the good old days, we used a Resource Kit tool called subinacl.exe. That might be a solution, unless you want to embark on a P/Invoke snippet in PowerShell. See this thread from the scriptingguy for more information:


