Reset Roaming Profile and Folder Redirection Permissions

One of the biggest challenges of working with roaming profiles and folder redirection is setting permissions on the shared objects. I recently migrated a Server 2003 domain controller to Server 2008 R2. In spite of following the Microsoft migration guide, Migrate Server Roles to Windows Server 2008 R2, users were unable to access their roaming data after the migration. What should the permissions be, and how do I fix them?

First I should mention that I consider roaming profiles and folder redirection to be two sides of the same coin. I set up folder redirection to reduce logon delay when using roaming profiles (as recommended here). So I want to check/reset permissions on both.

Tracking Down Correct Permissions

The article Using Folder Redirection talks about new features in Server 2008 R2 but does not address security. So we are left with the Server 2003 documentation. Here are two key TechNet articles listing required permissions:

If you compare the permissions, you’ll see that they are almost identical. Some additional considerations before presenting my combined settings:

  • I do want Administrators to have Full control of roaming profiles and shared folders. I’ve added that permission to the parent folders, and I’ve set the following group policy to Enabled: Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrator security group to the roaming user profile share.
  • Based on the Recommendations for Using Offline Files article, I also set the following group policy to Enabled:  Computer Configuration\Administrative Templates\Network\Offline Files\Synchronize all offline files before logging off.
  • Roaming profiles have their own caching mechanism so Offline File Caching must be disabled on the share. Folder redirection does not do its own caching, so Offline File Caching should be allowed or even forced (“autocaching”).

With that background, here’s how I set up my two server shares:

Share Setup

This must be configured manually.

|   | Roaming Profile | Folder Redirection |
|---|---|---|
| Share Name | \\SERVER01\UserProfiles | \\SERVER01\UserDocs |
| Share Permissions | Everyone – Full Control | Everyone – Full Control |
| Share Caching | No files or programs from the shared folders are available offline | All files and programs that users open from the shared folder are automatically available offline. Optimize for performance is checked. |
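The post sets the two shares up by hand in the GUI. As an added example (not part of the original post), the same shares can be created and checked from PowerShell with net share, whose /CACHE switch maps the two Share Caching rows above: None for the roaming profile share, Programs for the redirected folder share ("automatically available offline" with "Optimize for performance" checked). The root path D:\RoamingProfiles and the share names come from the post; running elevated on the file server is assumed.

```powershell
# Added example, not the post's own procedure. Creates the UserProfiles and
# UserDocs shares with the caching modes from the Share Setup table, then reads
# the caching mode back. Assumes the folders exist and the session is elevated.
$Root = 'D:\RoamingProfiles'

function New-ProfileShare {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Path,
        # None     = "No files or programs from the shared folders are available offline"
        # Programs = "All files and programs ... automatically available offline"
        #            with "Optimize for performance" checked
        [ValidateSet('None', 'Manual', 'Documents', 'Programs')][string]$Cache
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder does not exist: $Path"
    }
    # Share permission is Everyone - Full Control; the NTFS ACL does the real
    # restricting. The comma-bearing switch is quoted so PowerShell passes it as
    # one argument instead of splitting it into an array.
    net share "$Name=$Path" "/GRANT:Everyone,FULL" "/CACHE:$Cache"
    if ($LASTEXITCODE -ne 0) { throw "net share failed for $Name (exit code $LASTEXITCODE)" }
}

# The "Caching" line of "net share <name>" describes the client-side caching
# mode; return just that description so it can be checked after creation.
function Get-ShareCaching([string]$Name) {
    (net share $Name | Where-Object { $_ -match '^Caching' }) -replace '^Caching\s+', ''
}

# Roaming profiles synchronise themselves, so Offline Files must stay out of it.
New-ProfileShare -Name UserProfiles -Path "$Root\UserProfiles" -Cache None
# Redirected folders rely on Offline Files, so automatic caching is forced.
New-ProfileShare -Name UserDocs     -Path "$Root\UserDocs"     -Cache Programs

"UserProfiles caching: {0}" -f (Get-ShareCaching UserProfiles)
"UserDocs caching:     {0}" -f (Get-ShareCaching UserDocs)
```

If a share already exists, net share reports that and New-ProfileShare throws; delete it first with `net share <name> /DELETE` (the folder and its NTFS permissions are untouched by that).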

NTFS Permissions – Parent Folder

This must be configured manually.

|   | Roaming Profile | Folder Redirection |
|---|---|---|
| CREATOR OWNER | Full Control, Subfolders and files only | Full Control, This folder, subfolders and files (*) |
| Administrators | Full control, This folder, subfolders and files | Full control, This folder, subfolders and files |
| Domain Users (or any group you choose) | List Folder/Read Data, Create Folders/Append Data – This folder only | List Folder/Read Data, Create Folders/Append Data – This folder only |
| SYSTEM | Full control, This folder, subfolders and files | Full control, This folder, subfolders and files |

(*) Although documented to include This folder, when I set that permission, for some reason the system changes it to Subfolders and files only, the same as for the roaming profile.
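As an added example (not from the original post), here is a PowerShell check that compares a parent folder's explicit NTFS ACL with the table above and reports anything missing or extra, which is the first thing to verify after a migration before touching any user folder. It assumes PowerShell 3 or later running as an administrator on the file server, and uses CONTOSO\Domain Users as a placeholder for whichever group you granted the two "This folder only" rights.

```powershell
# Added example, not from the original post: audit a parent folder against the
# "NTFS Permissions - Parent Folder" table. Assumes PowerShell 3+ on the file
# server, run as an administrator.
$DomainUsersGroup = 'CONTOSO\Domain Users'   # placeholder: the group you chose

$FSR = [System.Security.AccessControl.FileSystemRights]
$IF  = [System.Security.AccessControl.InheritanceFlags]
$PF  = [System.Security.AccessControl.PropagationFlags]

# One entry per table row. CREATOR OWNER is checked as "Subfolders and files
# only" for both share types, since that is what the system stores (see (*)).
function Get-ExpectedParentAce {
    $subtree = $IF::ContainerInherit -bor $IF::ObjectInherit   # this folder, subfolders and files
    @(
        [pscustomobject]@{ Identity = 'CREATOR OWNER';          Rights = $FSR::FullControl; Inherit = $subtree; Prop = $PF::InheritOnly }
        [pscustomobject]@{ Identity = 'BUILTIN\Administrators'; Rights = $FSR::FullControl; Inherit = $subtree; Prop = $PF::None }
        [pscustomobject]@{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = $FSR::FullControl; Inherit = $subtree; Prop = $PF::None }
        [pscustomobject]@{ Identity = $DomainUsersGroup
                           Rights   = $FSR::ReadData -bor $FSR::AppendData   # List Folder/Read Data + Create Folders/Append Data
                           Inherit  = $IF::None; Prop = $PF::None }          # this folder only
    )
}

# Get-Acl reports a GUI "Full control" on an inherit-only ACE as the generic
# right 268435456 (GENERIC_ALL), and the GUI adds Synchronize to every Allow
# ACE, so both are normalised away before comparing.
function Get-NormalizedRights([int]$Rights) {
    if ($Rights -eq 268435456) { $Rights = [int]($FSR::FullControl) }
    return $Rights -band (-bnot [int]($FSR::Synchronize))
}

function Test-ParentFolderAcl {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl      = Get-Acl -LiteralPath $Path
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    $expected = Get-ExpectedParentAce

    $missing = foreach ($e in $expected) {
        $hit = $explicit | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $e.Identity -and
            (Get-NormalizedRights ([int]$_.FileSystemRights)) -eq (Get-NormalizedRights ([int]$e.Rights)) -and
            $_.InheritanceFlags -eq $e.Inherit -and
            $_.PropagationFlags -eq $e.Prop
        }
        if (-not $hit) { "$($e.Identity) $($e.Rights) [$($e.Inherit)/$($e.Prop)]" }
    }
    # Explicit ACEs for identities the table does not list, such as leftovers
    # from the old server, are reported as well.
    $unexpected = $explicit |
        Where-Object { $expected.Identity -notcontains $_.IdentityReference.Value } |
        ForEach-Object { "$($_.IdentityReference) $($_.AccessControlType) $($_.FileSystemRights)" }

    [pscustomobject]@{
        Path       = $Path
        Owner      = $acl.Owner
        Missing    = @($missing)
        Unexpected = @($unexpected)
        Compliant  = (@($missing).Count -eq 0 -and @($unexpected).Count -eq 0)
    }
}

foreach ($p in 'D:\RoamingProfiles\UserProfiles', 'D:\RoamingProfiles\UserDocs') {
    Test-ParentFolderAcl -Path $p | Format-List
}
```

Only explicit (non-inherited) entries are compared, so anything flowing down from D:\ shows up neither as missing nor as unexpected; if the parent folder still inherits from the drive root, check that separately, because those inherited rights also reach every user folder below.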

NTFS Permissions – User Folders

These permissions are set automatically when the system creates a profile. We’ll look at resetting them in the script below. All permissions apply to This folder, subfolders and files.

|   | Roaming Profile | Folder Redirection |
|---|---|---|
| %UserName% | Owner of folder, Full control | Owner of folder, Full control |
| SYSTEM | Full control | Full control |
| Administrators | Full control | Full control |

Resetting Permissions

If you run into permission issues, first make sure your parent folder permissions are correct as defined above.

If you need to reset permissions on a user folder, you will first need to take ownership of the entire folder, then reset permissions, then assign ownership back to the user. While it is possible to do this in the GUI, if you need to do it for lots of users, you’ll want to develop a script. Starting from Richard Teachout’s article, I came up with the following approach. Notes:

  • You can use the built-in utility takeown to assign ownership to Administrators. However in order to assign ownership back to end users, you’ll need to download and install subinacl.
  • For permission assignment, you can use the built-in cacls utility. Although Mr. Teachout recommended the /G parameter to grant permissions, I had better luck with the /P parameter to replace permissions. This hopefully takes care of the odd permission on some profiles where the user has full access to the top folder only. Using /G on that kind of folder generates errorlevel 13 and the message "The data is invalid".

My environment has the following physical folder structure:

D:\RoamingProfiles

D:\RoamingProfiles\UserDocs
D:\RoamingProfiles\UserDocs\User01
D:\RoamingProfiles\UserDocs\User02

D:\RoamingProfiles\UserProfiles
D:\RoamingProfiles\UserProfiles\User01
D:\RoamingProfiles\UserProfiles\User01.V2 – used by new Windows 7 profile folder redirection
D:\RoamingProfiles\UserProfiles\User02
D:\RoamingProfiles\UserProfiles\User02.V2

The Script

Based on that structure, I created my script in the D:\RoamingProfiles folder, and assumed it would be run with a single parameter, the %UserName%. Here are the basic commands. As always, use at your own risk!

REM %1 is the first command-line parameter: the user name, which is also the folder name.
REM Recursively assign ownership to Administrators.  Answer prompts with "Y".
takeown /R /A /F UserDocs\%1 /D Y
REM Replace permissions on folder and subfolders: Full control for Administrators, SYSTEM, and the user
cacls UserDocs\%1 /T /E /P "Administrators":F
cacls UserDocs\%1 /T /E /P SYSTEM:F
cacls UserDocs\%1 /T /E /P %1:F
REM Set owner back to UserName on everything inside the folder
subinacl.exe /noverbose /subdirectories UserDocs\%1\*.* /setowner=%1
REM Added: /subdirectories skips the top-level folder itself (see the comments), so set its owner separately
subinacl.exe /noverbose /file UserDocs\%1 /setowner=%1

That handles UserDocs\%1. Additional script sections work on UserProfiles\%1 and UserProfiles\%1.V2.

The script will generate a lot of output. If you want to review it later, you can create a LogFiles folder and append

>> LogFiles\%1.txt

to each line. You may want to add some %errorlevel% checking as well. Once you’ve got it working for one user, you can write a top-level script to call it for each user.
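As an added example rather than the post's own script, here is the same sequence in PowerShell with the errorlevel checking, per-user log files and top-level loop the post mentions. It uses icacls instead of cacls and subinacl (icacls does both the grants and /setowner, and with /T it covers the top-level folder itself as well as its contents). Assumed: it runs elevated on the file server, folder names match the account name (User01, User01.V2), and CONTOSO is a placeholder for the account domain.

```powershell
# Added example, not the post's batch script. Resets one user folder with
# takeown + icacls, logs every command to LogFiles\<user>.txt, stops on the
# first failing step, and a second function runs it for every user folder.
# Assumptions: elevated session on the file server; CONTOSO is a placeholder.
$Root   = 'D:\RoamingProfiles'
$Domain = 'CONTOSO'

# Folder name -> account name: User01.V2 (or User01.V6) belongs to User01.
function Get-UserFromFolderName([string]$FolderName) {
    return $FolderName -replace '\.V\d+$', ''
}

# Run one external command, append its output to the log, and raise an error
# on a non-zero exit code instead of silently moving to the next step.
function Invoke-Logged([string]$LogFile, [string]$Exe, [string[]]$ArgList) {
    "[{0:s}] {1} {2}" -f (Get-Date), $Exe, ($ArgList -join ' ') | Add-Content -LiteralPath $LogFile
    & $Exe @ArgList 2>&1 | ForEach-Object { "$_" } | Add-Content -LiteralPath $LogFile
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE (see $LogFile)" }
}

function Reset-UserFolder {
    param([Parameter(Mandatory = $true)][string]$Folder,
          [Parameter(Mandatory = $true)][string]$User)
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) { throw "No such folder: $Folder" }
    $logDir = Join-Path $Root 'LogFiles'
    New-Item -ItemType Directory -Force -Path $logDir | Out-Null
    $log  = Join-Path $logDir "$User.txt"
    $acct = "$Domain\$User"

    # 1. Take ownership for Administrators so the ACL can be rewritten at all.
    Invoke-Logged $log 'takeown.exe' @('/R', '/A', '/F', $Folder, '/D', 'Y')
    # 2. Replace, not add to, each identity's explicit ACE: user, SYSTEM and
    #    Administrators get Full control on this folder, subfolders and files.
    #    /grant:r is the icacls counterpart of the post's cacls /P.
    Invoke-Logged $log 'icacls.exe' @($Folder, '/T', '/C', '/grant:r',
        "${acct}:(OI)(CI)F", 'SYSTEM:(OI)(CI)F', 'Administrators:(OI)(CI)F')
    # 3. Hand ownership back to the user, top-level folder included.
    Invoke-Logged $log 'icacls.exe' @($Folder, '/setowner', $acct, '/T', '/C')
}

# Top-level loop over every folder under UserDocs and UserProfiles. A failure
# on one user is reported and the loop carries on with the next one.
function Reset-AllUserFolders([string[]]$Shares = @('UserDocs', 'UserProfiles')) {
    foreach ($share in $Shares) {
        foreach ($dir in Get-ChildItem -LiteralPath (Join-Path $Root $share) -Directory) {
            $user = Get-UserFromFolderName $dir.Name
            try   { Reset-UserFolder -Folder $dir.FullName -User $user; "OK   $($dir.FullName)" }
            catch { "FAIL $($dir.FullName): $_" }
        }
    }
}

# Reset-UserFolder -Folder "$Root\UserDocs\User01" -User User01   # one user
# Reset-AllUserFolders                                            # every user folder
```

Run it while the affected user is logged off: as the comments below note, files a logged-on session holds open can keep a step from taking effect, and with exit-code checking that shows up as a FAIL line for that user rather than passing unnoticed.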

54 thoughts on “Reset Roaming Profile and Folder Redirection Permissions”

  1. Giri

    Just one minor thing: I think for folder redirection you do not need to enable autocache on the server share. Redirected folders are automatically marked for offline files usage from the client desktop.
    Offline Files and folder redirection

  2. Mark Berry Post author

    Interesting. But it doesn’t hurt, right? I figure if I can “force” redirected files to be available offline, that’s a good thing. Also it’s the only way to check the “Optimize” box, which I believe caches executables on the client.

  3. Mark Berry Post author

    Did a little more research on this. The options are explained in Recommendations for Using Offline Files cited in the blog post. Yes, “the default behavior is to cache all redirected folders automatically” unless you override that default with group policy. However their examples also show that all offline folders can be set to use autocaching. So making that setting explicit should not be an issue.

  4. Gary

    Question on this, I did an exercise very similar to this recently to try and fix increased permissions for some users. It didn’t go to plan and ever since we’ve had ongoing issues (couple users a day) being unable to access their profile.

    If a user was logged on would this impact the ability for the permissions to take affect? We’ve disabled caching on desktops.

    Thanks

  5. Mark Berry Post author

    Gary, I could see how changing roaming profile permissions of a logged-on user might not take effect. For one, the files may be locked and the permissions not changed. If you set up a little batch file to reset one user’s permissions, then run that on the problematic user when they are NOT logged on, does it solve their issue?

  6. Pingback: IT Musings » Blog Archive » Reset Users Homefolder Permissions

  7. W

    Hi,

    Can’t seem to get the %1 variable to work…

    Any help greatly appreciated.

  8. Mark Berry Post author

    %1 is just the first parameter on the command line. So if the script is called “ResetPerm.bat”, I run it as “ResetPerm User01”.

  9. W

    Hi Mark,

    I don’t understand – might you be able to explain or send me a draft full script?

    Thanks,

  10. Ben

    Hi, I’ve run this script and can get it to set user1 as owner on all the items in the user1 directory, however it does not set the owner on the D:\RoamingProfiles\UserDocs\User01 folder itself (just all the items inside).

    Does Roaming profiles not need the user to own the root of the folder as well?

  11. Mark Berry Post author

    @W – I see you and Ben are from the same company. Looks like Ben has gotten past that issue.

    @Ben – Interesting. You’re right, when I check the folders, the top level for each user is still owned by Administrators. Seems to be working okay, but checking the “NTFS Permissions – User Folders” table in the article above, it looks like the top folder should technically be owned by the user as well. Maybe subinacl with the /subdirectories switch _only_ works on subdirectories. Probably you could call it again without that switch to do the top-level directory, but I haven’t tested that. If you figure it out, post back to let us know!

  12. Mike K

    Mark,

    Thank you for this wonderful article! I’m having one issue after going through everything. When new users are created the permissions on their redirected folders look entirely different than the ones modified by the script. This is preventing any new users from having a folder created at the root of their redirected profile by a login script. Since these are new users, shouldn’t Windows set the permissions properly? I’m confused!

    Thanks,
    Mike

  13. Mark Berry Post author

    Mike K, you should not need any kind of script for new users. I tried to copy the appropriate Parent Folder permissions into the table above, but you might want to reference the original Microsoft articles cited under “Tracking Down…” above. Once the parent folders are set correctly, subfolders for new users should be created automatically without any scripting (I think the CREATOR OWNER permission is the key here–the user becomes the Owner with Full Control). The script is only used to fix issues e.g. after a server migration.

  14. Mike K

    I understand what you are saying but my problem is that a new user will be the owner of the redirected folder with full control for “This Folder Only.”
    When I dig down deeper into the profile (Desktop, Start Menu, etc.) Administrators have full control of everything (no other permission entries), the user for the Redirected Folder is shown as the owner on the Owner tab, but Creator Owner or the username doesn’t show up on the Permissions tab. Thus preventing the actual user from doing anything with their profile.
    If I change Creator Owners Permissions to Subfolders and files only to the new users profile, all is well. But I’m not sure why Creator Owner isn’t propagating to the child objects.
    And yes, parent folder to all the user profiles does have Creator Owner set to Full Control – Subfolder and files only.

  15. Mark Berry Post author

    Strange. Have you set the group policy “Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrator security group to the roaming user profile share” to Enabled? If not, I wonder if somehow it is propagating the Administrators permission down INSTEAD OF the users’ permissions. In other words, enabling that group policy setting and adding Administrators to the Parent folder probably need to be done together.

  16. Mike K

    I posted a question on Experts Exchange linking to this page. I hope you don’t mind.

  17. Madhu

    I took a different approach. I created a login script where users give permissions to System and Domain Admins. It was working OK, but I have seen icacls.exe and run32.dll get hung occasionally for the user.

    As the users have ownership they will be able to assign permissions to Domain Admins and system.

  18. scotru

    This post helped me a lot–best post on this topic I’ve seen. Script was very useful.

  19. Paul N.

    Hi,

    Very interesting! Though I have an issue with the .V2 folder where for some users it was created under the username as part of the XP profile ( “username\.V2” ) and for some other users a “username.V2” folder was created at the same level (see above example). I would like to standardize on the latter. I tried to move the user profile to a brand new folder on another server (I changed the value in the Profile tab of the user in the AD and rebooted), but it kept recreating the same way. I then checked the registry of that user and corrected a CentralProfile key and rebooted. The new value was not saved and the folder was recreated the same way (username.V2). I disconnected the network cable, restarted the computer, opened the user session, changed the CentralProfile key in the registry, rebooted and logged on again, and the value was not saved in the registry …. Any ideas ???

  20. Mark Berry Post author

    Sorry Paul, I haven’t seen the .V2 as a subfolder. Any pattern in which users it happens on? Maybe users with periods in their User.Names? Not that that should matter, but it sounds like something is confusing the algorithm that creates the V2 folder.

  21. Paul N.

    Thanks Mark for your prompt response,

    No nothing special. I do not think it was related to the username. Anyhow, I am more interested to find a way to set all the users the same way ( “username.V2” ) which does not seem to be simple to do !!!

    If I understand correctly, when a Windows 7 station opens for the first time using a certain username whose profile is set to \\server\userprofile\username in the Profile tab in the AD, it will copy back to \\server\userprofile\username.V2 at logoff and then, from then on, will use \\server\userprofile\username.V2 as the profile folder. Right? So my question is where is that info saved in the registry of the user? Or is it in the AD? The CentralProfile key seemed to be the solution but it does not seem to work properly …

  22. Mark Berry Post author

    I’m afraid I’m out of the details now. I’ve never heard of the CentralProfile key so don’t know what it does. IIRC you will have both profile folders; the folder with the .V2 suffix is only for new (version 2) stuff. Besides AD, there are path settings in the Group Policy Object that you use to turn on roaming profiles. Maybe you have an anomaly in there. I blogged about the group policy stuff (https://www.mcbsys.com/blog/2009/12/group-policy-in-a-mixed-windows-xp-windows-7-environment/) though that post may not correspond 100% with this one since it was almost a year earlier.

  23. Stephen Ashworth

    Mark, Paul’s issue may be the “\” in the profile location.

    If a profile location is entered as \\SVRNAME\SHARE\%username%\profile\ this will result in the username\.V2 behavior. If however, the location is entered correctly without the ending “\” the profiles will generate as normal. The .V2 extension is for Vista and above. Users logging into both XP and win7 machines will have 2 locations. This is due largely to the changes in what folders can be redirected, especially within %appdata%.

    Regards.

  24. Mark Berry Post author

    Thanks Ray. Nice if you don’t have to download an extra executable to accomplish the same thing!

  25. Paul N.

    By the way, I found out that icacls does not work with Windows2003 unless you run a certain patch on the server …

  26. Jaroslaw

    Very useful. I got confused by Microsoft’s recommendation to give permissions to LOCAL SYSTEM. I couldn’t add ‘Local System’ but could ‘SYSTEM’. Your article left no doubts for me.

    thanks

  27. Ryan

    When I use this script, only Administrators is added to the folder and “BUILTIN” is added as the owner. When I run it the last command subinacl.exe doesn’t know what to do with %1. (>subinacl.exe /noverbose /subdirectories Userhome\*.* /setowner= ) setowner is blank after the =. Not sure why the %1 isn’t taking the name of the folder as the username, as the username is the correct folder name in AD. Running 2003 server domain level.

  28. Mark Berry Post author

    Ryan, sounds like there is some issue or confusion about handling the %1, which should substitute the first variable passed to the command line.

    Try creating a test.bat batch file with two lines:

    @echo off
    echo UserName=%1

    Then run the test.bat file as:

    test.bat MyUser

    Does it echo the supplied variable?

  29. Ryan

    Response is:
    UserName=myusername

    So i assume yes. But how does that answer why the permissions are not changing, only the owner seems to have changed (although the owner shows as “builtin”). No errors occur.

    REM Recursively assign ownership to Administrators. Answer prompts with "Y".
    takeown /R /A /F Userhome\%1 /D Y
    REM Grant Full permissions on folder and subfolders to Administrators, SYSTEM, and the user
    cacls Userhome\%1 /T /E /P "Administrators":F
    cacls Userhome\%1 /T /E /P "SYSTEM":F
    cacls Userhome\%1 /T /E /P "%1":F
    REM Set owner back to UserName
    subinacl.exe /noverbose /subdirectories Userhome\%1\*.* /setowner=%1
    pause

    Result is:
    D:\>REM Recursively assign ownership to Administrators. Answer prompts with "Y".

    D:\>takeown /R /A /F Userhome\ /D Y

    SUCCESS: The file (or folder): "D:\Userhome" now owned by the administrators group.

    SUCCESS: The file (or folder): "D:\Userhome\pkaffenb" now owned by the administrators group.

    SUCCESS: The file (or folder): "D:\Userhome\wfessler" now owned by the administrators group.

    SUCCESS: The file (or folder): "D:\Userhome\pkaffenb\New Text Document.txt" now owned by the administrators group.

    SUCCESS: The file (or folder): "D:\Userhome\wfessler\pk.txt" now owned by the administrators group.

    D:\>REM Grant Full permissions on folder and subfolders to Administrators, SYSTEM, and the user

    D:\>cacls Userhome\ /T /E /P "Administrators":F

    D:\>cacls Userhome\ /T /E /P "SYSTEM":F

    D:\>cacls Userhome\ /T /E /P "":F

    D:\>REM Set owner back to UserName

    D:\>subinacl.exe /noverbose /subdirectories Userhome\\*.* /setowner=

    Elapsed Time: 00 00:00:00
    Done: 4, Modified 4, Failed 0, Syntax errors 0
    Last Done : D:\Userhome\wfessler\pk.txt

    So it looks like it working but when i go to permissions on each folder system is not there and administrators is not there either (removed for testing and put myself as admin)

    Thoughts?

  30. Ray Cockshell

    Unless this is Windows 2000, you should be using ICACLS instead of CACLS and SUBINACL. See links and comments above. CACLS is known to cause permission corruption, certainly after Windows 2008 and in some 2003 instances.

  31. Mark Berry Post author

    Ryan, it looks like you are running the script without a parameter? So %1 resolves to an empty string and the script runs at the top level instead of on a user folder. If you save the script to FixPerm.bat, then you must run it as “FixPerm MyUserName”.

  32. Mark Berry Post author

    Ray, this is the first I have heard CACLS being “known to cause permission corruption.” Do you have a reference on that? I’ve been using it without apparent issues on Server 2008 R2.

  33. Ray Cockshell

    Mark, I have had several experiences where CACLS (and maybe XCACLS) corrupts the sort order of the ACLs and inheritance in folder structures. End result is permissions that are not as expected, and you do not see correct permission flow in GUIs. Did see some Technet articles about three years ago which pointed to using ICACLS (could not find them in a quick search – but plenty of articles around the edges).

  34. Ryan

    @Mark, so how would this be used to change multiple different folders? I have a folder Userhome (system created by roaming profiles, under that). So I need to change all with 1 script or I’ll be working an entire week on changing and rechanging security. Thoughts?

  35. Ryan

    I did test with it singular. So I would have to put in each username in the new bat file? Nothing where it will just go to the next folder until none are left? Thank you for all the help thus far!

  36. Mark Berry Post author

    Ryan, call the script something like FixPermOneUser.bat. Test it and make sure it works for one user.

    Then write another script, FixPermAllUsers.bat. In that script, call the first script for each user:

    call FixPermOneUser.bat MyUser1
    call FixPermOneUser.bat MyUser2
    call FixPermOneUser.bat MyUser3

  37. Ryan

    New script created with:
    call Fix.bat rreeber
    call Fix.bat pkaffenb
    call Fix.bat wfessler
    pause

    Results:
    D:\>call Fix.bat rreeber

    D:\>REM Recursively assign ownership to Administrators. Answer prompts with "Y".

    D:\>takeown /R /A /F Userhome\rreeber /D Y

    SUCCESS: The file (or folder): "D:\Userhome\rreeber" now owned by the administrators group.

    SUCCESS: The file (or folder): "D:\Userhome\rreeber\PK.txt" now owned by the administrators group.

    SUCCESS: The file (or folder): "D:\Userhome\rreeber\pk2.txt" now owned by the administrators group.

    SUCCESS: The file (or folder): "D:\Userhome\rreeber\pk3.txt" now owned by the administrators group.

    D:\>REM Grant Full permissions on folder and subfolders to Administrators, SYSTEM, and the user

    D:\>cacls Userhome\rreeber /t /e /p Administrators:F
    processed dir: D:\Userhome\rreeber
    processed file: D:\Userhome\rreeber\PK.txt
    processed file: D:\Userhome\rreeber\pk2.txt
    processed file: D:\Userhome\rreeber\pk3.txt

    D:\>cacls Userhome\rreeber /t /e /p SYSTEM:F
    processed dir: D:\Userhome\rreeber
    processed file: D:\Userhome\rreeber\PK.txt
    processed file: D:\Userhome\rreeber\pk2.txt
    processed file: D:\Userhome\rreeber\pk3.txt

    D:\>cacls Userhome\rreeber /t /e /p rreeber:F
    processed dir: D:\Userhome\rreeber
    processed file: D:\Userhome\rreeber\PK.txt
    processed file: D:\Userhome\rreeber\pk2.txt
    processed file: D:\Userhome\rreeber\pk3.txt

    D:\>REM Set owner back to UserName

    D:\>subinacl.exe /noverbose /subdirectories Userhome\rreeber *.* /setowner=rreeber

    Elapsed Time: 00 00:00:00
    Done: 1, Modified 1, Failed 0, Syntax errors 0
    Last Done : D:\Userhome\rreeber

    D:\>pause
    Press any key to continue . . .

  38. Ryan

    I have 2 scripts:
    fix.bat with the original (works on individual users)
    fixall.bat with the new code. and am referencing back to fix.bat with call command. Only does first user.

  39. Ryan

    HAHAHA nevermind! my bad! I had a pause command in there! wow! eyes are tired!

  40. vinc

    cls
    @echo off
    md _LogFiles
    setlocal enableextensions enabledelayedexpansion
    set str=
    for /d %%i in (*) do (
        echo %%i
        set str=%%i
        set fld=%%i
        rem strip the ".V2" suffix from the folder name to get the user name
        set str=!str:~0,-3!
        echo.!str!

        rem take admin ownership
        takeown /R /A /F !fld! /D O > _LogFiles\!fld!.txt

        rem enable inheritance on the contents
        icacls !fld!\*.* /T /C /inheritance:e /Q >> _LogFiles\!fld!.txt

        rem set owner to the user
        icacls !fld! /setowner !str! /T /C /Q >> _LogFiles\!fld!.txt

        rem give the user full control
        icacls !fld! /grant:r "!str!":"(OI)(CI)F" /T /C /Q >> _LogFiles\!fld!.txt
    )
    endlocal
  41. Aaron Paul

    I had this issue when we had a GPO turned on for folder redirection setting exclusive access to the user. (Stripped out Admin access.) This is what I used to fix it. Just added to GPO User logon script. (I’m not a scripting guy so it prob looks messy.) Last line also solves the problem of redirected user documents displaying as “documents” instead of “username”.

    SET LOGFILE="\\Server01\Roaming$\NTFS_Perm_Owner_Fix.log"

    ECHO ................................................................................ >> %logfile%

    ECHO %Date% %Time% # # # STARTED Fixing NTFS Permissions on Redirected Roaming Dir for %USERNAME% # # # >> %logfile%

    ECHO %Date% %Time% # # # /R recursively /A give ownership to Administrators on /F Filename /D answer "Y" to prompts # # # >> %logfile%
    takeown /R /A /F \\Server01\Roaming$\%USERNAME% /D Y >> %logfile%

    ECHO %Date% %Time% # # # On Directory/File /T and all Subdirectories/Files /C continue on errors /grant Grant (M) Modify access for logged in user # # # >> %logfile%
    icacls \\Server01\Roaming$\%USERNAME% /T /C /grant %USERNAME%:(M) >> %logfile%

    ECHO %Date% %Time% # # # On Directory/Files in logged in user directory /T and all Subdirectories/Files /C continue on errors /inheritance:e Enable inheritance # # # >> %logfile%
    icacls \\Server01\Roaming$\%USERNAME%\*.* /T /C /inheritance:e >> %logfile%

    ECHO %Date% %Time% # # # On Directory/Files /setowner as logged in user /T and all Subdirectories/Files /C continue on errors # # # >> %logfile%
    icacls \\Server01\Roaming$\%USERNAME% /setowner %USERNAME% /T /C >> %logfile%

    ECHO %Date% %Time% # # # Deny read access to Admins for the ntuser.dat so MyDocuments list as correct user rather than "documents" # # # >> %logfile%
    icacls \\Server01\Profiles$\%USERNAME%.v2\ntuser.dat /deny Administrators:(R) >> %logfile%

    ECHO %Date% %Time% # # # COMPLETED Fixing NTFS Permissions on Redirected Roaming Dir for %USERNAME% # # # >> %logfile%

  42. Aaron Paul

    Or without any logging

    takeown /R /A /F \\Server01\Roaming$\%USERNAME% /D Y

    icacls \\Server01\Roaming$\%USERNAME% /T /C /grant %USERNAME%:(M)

    icacls \\Server01\Roaming$\%USERNAME%\*.* /T /C /inheritance:e

    icacls \\Server01\Roaming$\%USERNAME% /setowner %USERNAME% /T /C

    icacls \\Server01\Profiles$\%USERNAME%.v2\ntuser.dat /deny Administrators:(R)

  43. Sahalu Saidu

    Hi Mark,

    Question. How do I restore default ownership (owner only access rights) to a redirected user folder? I temporarily took ownership as the admin, but now want to restore default (sole) ownership to the owner of the redirected folders on the network. Just in case you are wondering why I took ownership in the first place, I was trying to make sure the redirection took place correctly. Since I am not the owner I had to take ownership in order to browse the folder and its content. Or do you recommend a better way to do that in the future without taking ownership?

    By the way Mark, great blog to bookmark as reference material. Just discovered it through Google search.

    Thanks
