Thursday, January 19, 2012

Recovering from 'Exclusive Access' rights when redirecting documents

One very useful, yet much hated, option when redirecting user documents is "Grant the user exclusive rights" to their redirected folders. If your users store sensitive or private information that not even administrators should be able to see, it is a great way to automate the lockdown: at first logon the user's folder is created with an ACL that gives Full Control only to that user and to SYSTEM, so administrators are shut out without anyone setting permissions by hand. What happens when you NEED access to all those folders for a specific group, or for the admins? The Microsoft recommendation is to go through each folder, take ownership, then re-apply the correct permissions... a tedious process to say the least. Well, there is a scripted way to do it that works much better (taken from http://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/):

First, you'll want to make sure that the offending setting is turned off. It is not a separate GPO but a checkbox inside the folder redirection policy (User Configuration / Policies / Windows Settings / Folder Redirection, then the redirected folder's Properties, Settings tab, "Grant the user exclusive rights to ...") that needs to be unchecked, otherwise any new users will still be set up with exclusive rights. Unchecking it does nothing to the folders that already exist; that is what the script below is for.

Next, you'll need PsExec from Sysinternals (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) and PowerShell installed on the server hosting the shares. Log on to your file server as the LOCAL (not domain!) Administrator. Now, create the following PowerShell script, and be sure to edit the $StartingDir variable to point to the parent folder that contains all the users' folders:



#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write
# (CACLS still ships with Windows but is deprecated; icacls is its replacement.)

$StartingDir = "C:\Users"   # edit: the parent folder that holds every user's redirected folder
$Principal   = "Administrators"
$Permission  = "F"

$Verify = Read-Host ("`nYou are about to change permissions on all files starting at " +
    $StartingDir.ToUpper() + "`nfor security principal " + $Principal.ToUpper() +
    " with new right of " + $Permission.ToUpper() + ".`nDo you want to continue? [Y,N]")

if ($Verify -eq "Y") {
    foreach ($file in $(Get-ChildItem $StartingDir -Recurse)) {
        # display filename (uncomment the CACLS line below to also show the old permissions)
        Write-Host -ForegroundColor Yellow $file.FullName
        #CACLS $file.FullName

        # /E edits the existing ACL instead of replacing it;
        # /P sets (or replaces) the rights for this one principal only
        CACLS $file.FullName /E /P "${Principal}:${Permission}" > $null

        # display new permissions
        Write-Host -ForegroundColor Green "New Permissions"
        CACLS $file.FullName
    }
}


Save that .ps1 file to the C: drive or somewhere convenient, then open an elevated command prompt (right-click, Run as administrator), change to the folder that holds psexec.exe, and execute the following command (if PowerShell refuses to run the script because of the execution policy, add -ExecutionPolicy Bypass in front of -noexit):



psexec -s -i powershell -noexit "& 'C:\ChangePermissions.ps1'"


This will execute the PowerShell script as the local 'SYSTEM' account, which still has Full Control over the 'exclusive' user directories, thus allowing you to modify permissions without having to take ownership of anything! Now that the LOCAL 'Administrators' group has permission to the folders, you can browse to the folders and modify permissions as you see fit. My recommendation would be to set the permissions you want on the parent folder, then check the box that allows inheritable permissions from the parent folder on each user folder, so you do not have to manually add Domain Admins to each user folder (that box is per folder too, so it is worth scripting if you have many users). Bear in mind what you have just done: the local Administrators group, and anyone who can get into it, now has Full Control over data the users were told was private.
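As an added example (not the original post's script, nor from the mypkb page it cites), here is the same recovery done with the .NET ACL classes instead of CACLS: one inheritable Full Control ACE on each user's top-level folder, which reaches every file beneath it, instead of one CACLS call per file; a dry run via -WhatIf; and, optionally, the inheritance-from-parent step recommended above. It assumes the same setup as the post: it is launched through psexec -s -i so that it runs as LOCAL SYSTEM (which has the rights needed to read and rewrite the exclusive ACLs), the user folders sit directly under $StartingDir, and the principal being granted access is the local Administrators group. The path D:\Users and the script name FixRedirectedFolderAcls.ps1 are placeholders.

```powershell
# FixRedirectedFolderAcls.ps1  (added example, not the post's ChangePermissions.ps1)
# Run it as LOCAL SYSTEM, exactly like the CACLS script:
#   psexec -s -i powershell -ExecutionPolicy Bypass -NoExit -File C:\FixRedirectedFolderAcls.ps1 -WhatIf
# Drop -WhatIf to apply; add -EnableInheritance to also re-enable inheritance from the parent.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$StartingDir = "D:\Users",            # assumption: root folder holding one subfolder per user
    [string]$Principal   = "BUILTIN\Administrators",  # the LOCAL Administrators group
    [switch]$EnableInheritance                    # also let the parent folder's ACEs propagate
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# One ACE with ContainerInherit + ObjectInherit on the user's folder covers every
# subfolder and file below it, so nothing has to be touched per file.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal,
    $fullControl,
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

foreach ($dir in Get-ChildItem -Path $StartingDir | Where-Object { $_.PSIsContainer }) {
    $acl = Get-Acl -Path $dir.FullName

    # Audit first: is there already an Allow ACE (explicit or inherited) giving
    # the principal Full Control?  -band binds looser than -eq in PowerShell,
    # so the bitwise test must be parenthesised.
    $already = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $fullControl) -eq $fullControl)
    }
    if ($already) {
        Write-Host -ForegroundColor Green "OK     $($dir.FullName)"
        continue
    }

    if ($PSCmdlet.ShouldProcess($dir.FullName, "grant $Principal Full Control")) {
        $acl.AddAccessRule($rule)
        if ($EnableInheritance) {
            # First argument $false re-enables inheritance from the parent folder;
            # the second argument only matters when protecting, so it is ignored here.
            $acl.SetAccessRuleProtection($false, $true)
        }
        Set-Acl -Path $dir.FullName -AclObject $acl
        Write-Host -ForegroundColor Yellow "FIXED  $($dir.FullName)"
    }
}
```

Run it once with -WhatIf to see which user folders would be changed, check that the list is what you expect, then run it again without -WhatIf. Folders that already give Administrators Full Control, whether explicitly or through inheritance, are reported as OK and left alone, so the script can be re-run safely after adding Domain Admins (or whichever group you chose) to the parent folder and using -EnableInheritance to propagate it.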