One of the biggest challenges of working with roaming profiles and folder redirection is setting permissions on the shared objects. I recently migrated a Server 2003 domain controller to Server 2008 R2. In spite of following the Microsoft migration guide, Migrate Server Roles to Windows Server 2008 R2, users were unable to access their roaming data after the migration. What should the permissions be, and how do I fix them?
First I should mention that I consider roaming profiles and folder redirection to be two sides of the same coin. I set up folder redirection to reduce logon delay when using roaming profiles (as recommended here). So I want to check/reset permissions on both.
Tracking Down Correct Permissions
The article Using Folder Redirection talks about new features in Server 2008 R2 but does not address security. So we are left with the Server 2003 documentation. Here are two key TechNet articles listing required permissions:
If you compare the permissions, you’ll see that they are almost identical. Some additional considerations before presenting my combined settings:
- I do want Administrators to have Full control of roaming profiles and shared folders. I’ve added that permission to the parent folders, and I’ve set the following group policy to Enabled: Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrator security group to the roaming user profile share.
- Based on the Recommendations for Using Offline Files article, I also set the following group policy to Enabled: Computer Configuration\Administrative Templates\Network\Offline Files\Synchronize all offline files before logging off.
- Roaming profiles have their own caching mechanism so Offline File Caching must be disabled on the share. Folder redirection does not do its own caching, so Offline File Caching should be allowed or even forced (“autocaching”).
With that background, here’s how I set up my two server shares:
Share Setup
This must be configured manually.
| | Roaming Profile | Folder Redirection |
|---|---|---|
| Share Name | \\SERVER01\UserProfiles | \\SERVER01\UserDocs |
| Share Permissions | Everyone – Full Control | Everyone – Full Control |
| Share Caching | No files or programs from the shared folder are available offline | All files and programs that users open from the shared folder are automatically available offline; Optimize for performance is checked |
NTFS Permissions – Parent Folder
This must be configured manually.
| | Roaming Profile | Folder Redirection |
|---|---|---|
| CREATOR OWNER | Full Control, Subfolders and files only | Full Control, This folder, subfolders and files (*) |
| Administrators | Full Control, This folder, subfolders and files | Full Control, This folder, subfolders and files |
| Domain Users (or any group you choose) | List Folder/Read Data, Create Folders/Append Data, This folder only | List Folder/Read Data, Create Folders/Append Data, This folder only |
| SYSTEM | Full Control, This folder, subfolders and files | Full Control, This folder, subfolders and files |

(*) Although the documentation says This folder, subfolders and files, when I set that permission the ACL editor changes it to Subfolders and files only, the same as for the roaming profile. That is expected behaviour rather than an error: CREATOR OWNER is a placeholder that only takes effect when the ACE is inherited by a newly created file or folder (the creating user then becomes the grantee), so the editor stores it as inherit-only. In practice the two columns end up identical.
NTFS Permissions – User Folders
These permissions are set automatically when the system creates a profile or redirected folder under a correctly permissioned parent. We'll look at resetting them with a script below. All permissions apply to This folder, subfolders and files.

| | Roaming Profile | Folder Redirection |
|---|---|---|
| %UserName% | Owner of folder, Full Control | Owner of folder, Full Control |
| SYSTEM | Full Control | Full Control |
| Administrators | Full Control | Full Control |
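The parent-folder table above as code, so the share root can be set up the same way every time and checked afterwards. This is an added example, not code from the original post: it builds the four ACEs with the exact inheritance and propagation flags the table calls for, applies them, then re-reads the DACL and reports any row that is missing and any extra principal. The path, the CONTOSO domain name, and the decision to stop the share root inheriting the drive's default ACEs (which the table does not list) are assumptions; adjust them to your environment.

```powershell
# Added example, not code from the original post: apply the "NTFS Permissions - Parent Folder"
# table to one share root, then re-read the DACL and report anything that differs.
# Assumptions: the path is one of the two share roots from the folder layout in this post,
# CONTOSO is the domain, and the share root should stop inheriting the drive's default ACEs
# (Users: Read, etc.). Run in an elevated PowerShell on the file server; it avoids PowerShell 3
# syntax so it also works on the 2.0 that ships with Server 2008 R2.
param(
    [string]$Path       = 'D:\RoamingProfiles\UserProfiles',  # assumed share root
    [string]$UsersGroup = 'CONTOSO\Domain Users',              # assumed; "or any group you choose"
    [switch]$ReportOnly                                         # compare against the table, change nothing
)

$Full       = [System.Security.AccessControl.FileSystemRights]::FullControl
# GUI names: "List Folder/Read Data" and "Create Folders/Append Data"
$ListCreate = [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories'
$Both       = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoInherit  = [System.Security.AccessControl.InheritanceFlags]::None          # "This folder only"
$OnlyBelow  = [System.Security.AccessControl.PropagationFlags]::InheritOnly   # "Subfolders and files only"
$Propagate  = [System.Security.AccessControl.PropagationFlags]::None          # "This folder, subfolders and files"
$SidType    = [System.Security.Principal.SecurityIdentifier]

function Get-WellKnownSid([System.Security.Principal.WellKnownSidType]$Type) {
    New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Type, $null
}

# One entry per table row. Built-in principals are addressed by SID, so it does not matter whether
# the account is displayed as "SYSTEM" or "LOCAL SYSTEM" (both are S-1-5-18).
$Expected = @(
    @{ Id = (Get-WellKnownSid CreatorOwnerSid);          Rights = $Full;       Inherit = $Both;      Prop = $OnlyBelow }
    @{ Id = (Get-WellKnownSid BuiltinAdministratorsSid); Rights = $Full;       Inherit = $Both;      Prop = $Propagate }
    @{ Id = (New-Object System.Security.Principal.NTAccount -ArgumentList $UsersGroup);
                                                         Rights = $ListCreate; Inherit = $NoInherit; Prop = $Propagate }
    @{ Id = (Get-WellKnownSid LocalSystemSid);           Rights = $Full;       Inherit = $Both;      Prop = $Propagate }
)

function Test-ParentFolderAcl([string]$Folder, [object[]]$Rules) {
    # Returns a list of problems; an empty list means the DACL matches the table.
    $acl = Get-Acl -Path $Folder
    $problems = @()
    $expectedSids = @()
    foreach ($e in $Rules) {
        $sid = $e.Id.Translate($SidType).Value
        $expectedSids += $sid
        $hit = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate($SidType).Value -eq $sid -and
            (($_.FileSystemRights -band $e.Rights) -eq $e.Rights) -and
            $_.InheritanceFlags -eq $e.Inherit -and
            $_.PropagationFlags -eq $e.Prop
        }
        if (-not $hit) { $problems += "missing: $($e.Id) $($e.Rights) inherit=$($e.Inherit) propagate=$($e.Prop)" }
    }
    foreach ($ace in $acl.Access) {
        # Anything not in the table (Everyone, Users, a leftover migration account...) deserves a look
        if ($expectedSids -notcontains $ace.IdentityReference.Translate($SidType).Value) {
            $problems += "unexpected: $($ace.AccessControlType) $($ace.IdentityReference) $($ace.FileSystemRights) inherited=$($ace.IsInherited)"
        }
    }
    return ,$problems
}

function Set-ParentFolderAcl([string]$Folder, [object[]]$Rules) {
    $acl = Get-Acl -Path $Folder
    # Block inheritance from D:\RoamingProfiles and drop the inherited ACEs instead of copying them
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($old) }
    foreach ($e in $Rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $e.Id, $e.Rights, $e.Inherit, $e.Prop, [System.Security.AccessControl.AccessControlType]::Allow
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Folder -AclObject $acl
}

if (-not $ReportOnly) { Set-ParentFolderAcl $Path $Expected }
$result = Test-ParentFolderAcl $Path $Expected
if ($result.Count -eq 0) { "OK: $Path matches the parent-folder table" }
else { $result | ForEach-Object { "CHECK: $_" } }
```

Run it once per share root (`-Path D:\RoamingProfiles\UserDocs` for the redirection share), and with `-ReportOnly` first if you only want to know how far a migrated server has drifted from the table. The "unexpected" lines are the ones worth reading: a stray Everyone or Users entry on the share root is exactly the kind of thing a migration leaves behind and the share-level Everyone – Full Control will not save you from.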
Resetting Permissions
If you run into permission issues, first make sure your parent folder permissions are correct as defined above.
If you need to reset permissions on a user folder, you will first need to take ownership of the entire folder, then reset permissions, then assign ownership back to the user. While it is possible to do this in the GUI, if you need to do it for lots of users, you’ll want to develop a script. Starting from Richard Teachout’s article, I came up with the following approach. Notes:
- You can use the built-in utility takeown to assign ownership to Administrators. To assign ownership back to end users, however, you'll need to download and install subinacl.
- For permission assignment, you can use the built-in cacls utility. Although Mr. Teachout recommended the /G parameter to grant permissions, I had better luck with the /P parameter to replace permissions. This takes care of the odd permission on some profiles where the user has full access to the top folder only; using /G on that kind of folder generates errorlevel 13 and the message "The data is invalid".
My environment has the following physical folder structure:
D:\RoamingProfiles
D:\RoamingProfiles\UserDocs
D:\RoamingProfiles\UserDocs\User01
D:\RoamingProfiles\UserProfiles
D:\RoamingProfiles\UserProfiles\User01
D:\RoamingProfiles\UserProfiles\User01.V2 – the version 2 roaming profile folder that Windows Vista and Windows 7 clients use
D:\RoamingProfiles\UserProfiles\User02
D:\RoamingProfiles\UserProfiles\User02.V2
The Script
Based on that structure, I created my script in the D:\RoamingProfiles folder, and assumed it would be run with a single parameter, the %UserName%. Here are the basic commands. As always, use at your own risk!
@echo off
REM Usage: ResetPerm.bat UserName -- run from D:\RoamingProfiles.
REM Refuse to run without a user name: with %1 empty, every path below collapses to the share root.
IF "%1"=="" (
    ECHO Usage: ResetPerm.bat UserName
    EXIT /B 1
)
REM Recursively assign ownership to Administrators. Answer prompts with "Y".
takeown /R /A /F UserDocs\%1 /D Y
REM Replace (/P) permissions on the folder and everything below it with Full control for Administrators, SYSTEM, and the user
cacls UserDocs\%1 /T /E /P "Administrators":F
cacls UserDocs\%1 /T /E /P SYSTEM:F
cacls UserDocs\%1 /T /E /P %1:F
REM Set owner back to UserName. /subdirectories covers the contents only, so /file is run as well for the top folder itself.
subinacl.exe /noverbose /subdirectories UserDocs\%1\*.* /setowner=%1
subinacl.exe /noverbose /file UserDocs\%1 /setowner=%1
That handles UserDocs\%1. Additional script sections work on UserProfiles\%1 and UserProfiles\%1.V2.
The script will generate a lot of output. If you want to review it later, you can create a LogFiles folder and append >> LogFiles\%1.txt to each line. You may want to add some %errorlevel% checking as well. Once you've got it working for one user, you can write a top-level script to call it for each user.
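The same reset, written as the "top-level script for each user" the paragraph above describes, is shown here as an added example rather than the post's own batch file. It uses only takeown.exe and icacls.exe (both in the box on Server 2008 R2, so no subinacl download), walks every user folder under both share roots including the .V2 profile folders, keeps one log per user, checks each exit code, and hands ownership of the top folder back to the user as well as the contents. The paths, the CONTOSO domain name and the LogFiles location are assumptions taken from the folder layout above; the script expects an elevated PowerShell session on the file server, ideally while the users are logged off so no profile files are open.

```powershell
# Added example, not the batch script from the post: the same reset done with takeown.exe and
# icacls.exe, run over every user folder under both share roots, .V2 folders included, with one
# log per user and a summary at the end.
# Assumptions: the paths match the folder layout in the post, CONTOSO is the domain, and this runs
# in an elevated PowerShell on the file server while the users are logged off (open files make
# takeown/icacls report errors, which /C skips and the exit code records).
param(
    [string[]]$Roots = @('D:\RoamingProfiles\UserDocs', 'D:\RoamingProfiles\UserProfiles'),
    [string]$Domain  = 'CONTOSO',                        # assumed NetBIOS domain name
    [string]$LogDir  = 'D:\RoamingProfiles\LogFiles',
    [string]$Only    = ''                                # set to one user name to fix a single user
)

if (-not (Test-Path -Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

function Get-UserFromFolder([string]$FolderName) {
    # "User01" and "User01.V2" both belong to User01
    return ($FolderName -replace '\.V2$', '')
}

function Invoke-Logged([string]$Log, [string]$Exe, [string[]]$Arguments) {
    # Run one external command, append its output to the per-user log, return its exit code
    "==> $Exe $($Arguments -join ' ')" | Out-File -FilePath $Log -Append
    & $Exe $Arguments 2>&1 | Out-File -FilePath $Log -Append
    return $LASTEXITCODE
}

function Reset-UserFolder([string]$Folder, [string]$User, [string]$Log) {
    # Returns the names of the steps that did not exit 0; an empty list means a clean run
    $account = "$Domain\$User"
    $failed  = @()

    # 1. Take ownership recursively as Administrators so the ACLs can be rewritten at all
    if ((Invoke-Logged $Log 'takeown.exe' @('/R', '/A', '/F', $Folder, '/D', 'Y')) -ne 0) { $failed += 'takeown' }

    # 2. Full Control on the top folder for Administrators (S-1-5-32-544), SYSTEM (S-1-5-18) and the
    #    user, inheritable to subfolders and files: the "NTFS Permissions - User Folders" table
    foreach ($grantee in @('*S-1-5-32-544', '*S-1-5-18', $account)) {
        if ((Invoke-Logged $Log 'icacls.exe' @($Folder, '/grant', "${grantee}:(OI)(CI)F")) -ne 0) { $failed += "grant $grantee" }
    }

    # 3. Throw away stale explicit ACEs below the top folder and re-inherit from it
    if ((Invoke-Logged $Log 'icacls.exe' @("$Folder\*", '/reset', '/T', '/C')) -ne 0) { $failed += 'reset' }

    # 4. Hand ownership back to the user, top folder included (the subinacl /subdirectories call in
    #    the batch script leaves the top folder owned by Administrators). Setting another account as
    #    owner needs SeRestorePrivilege, which an elevated Administrators session has.
    if ((Invoke-Logged $Log 'icacls.exe' @($Folder, '/setowner', $account, '/T', '/C')) -ne 0) { $failed += 'setowner' }

    return ,$failed
}

$summary = @()
foreach ($root in $Roots) {
    # Get-ChildItem -Directory needs PowerShell 3; PSIsContainer also works on the 2.0 shipped with 2008 R2
    foreach ($dir in @(Get-ChildItem -Path $root | Where-Object { $_.PSIsContainer })) {
        $user = Get-UserFromFolder $dir.Name
        if ($Only -and ($user -ne $Only)) { continue }
        $log    = Join-Path -Path $LogDir -ChildPath "$user.txt"
        $errors = Reset-UserFolder $dir.FullName $user $log
        $summary += New-Object PSObject -Property @{
            Folder = $dir.FullName; User = $user; Failed = ($errors -join ', ')
        }
    }
}
$summary | Format-Table -Property Folder, User, Failed -AutoSize
```

Test it on one account first with `-Only User01`, then read that user's log under LogFiles before letting it loose on the whole share. A non-empty Failed column almost always means a file was open (a logged-on user, or a stale handle on the server), and re-running the script for that user after they log off is the fix; the steps are idempotent.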
Just one minor thing: I think for folder redirection you do not need to enable autocache on the server share; redirected folders are automatically marked for offline files usage from the client desktop.
Offline Files and folder redirection
Interesting. But it doesn’t hurt, right? I figure if I can “force” redirected files to be available offline, that’s a good thing. Also it’s the only way to check the “Optimize” box, which I believe caches executables on the client.
Did a little more research on this. The options are explained in Recommendations for Using Offline Files cited in the blog post. Yes, “the default behavior is to cache all redirected folders automatically” unless you override that default with group policy. However their examples also show that all offline folders can be set to use autocaching. So making that setting explicit should not be an issue.
Question on this: I did an exercise very similar to this recently to try and fix increased permissions for some users. It didn't go to plan, and ever since we've had ongoing issues (a couple of users a day) being unable to access their profile.
If a user was logged on, would this impact the ability for the permissions to take effect? We've disabled caching on desktops.
Thanks
Gary, I could see how changing roaming profile permissions of a logged-on user might not take effect. For one, the files may be locked and the permissions not changed. If you set up a little batch file to reset one user’s permissions, then run that on the problematic user when they are NOT logged on, does it solve their issue?
Hi,
Can't seem to get the %1 variable to work...
Any help greatly appreciated.
%1 is just the first parameter on the command line. So if the script is called “ResetPerm.bat”, I run it as “ResetPerm User01”.
Hi Mark,
I don’t understand – might you be able to explain or send me a draft full script?
Thanks,
Hi, I've run this script and can get it to set user1 as owner on all the items in the user1 directory, however it does not set the owner on the D:\RoamingProfiles\UserDocs\User01 folder itself (just all the items inside).
Does Roaming profiles not need the user to own the root of the folder as well?
@W – I see you and Ben are from the same company. Looks like Ben has gotten past that issue.
@Ben – Interesting. You’re right, when I check the folders, the top level for each user is still owned by Administrators. Seems to be working okay, but checking the “NTFS Permissions – User Folders” table in the article above, it looks like the top folder should technically be owned by the user as well. Maybe subinacl with the /subdirectories switch _only_ works on subdirectories. Probably you could call it again without that switch to do the top-level directory, but I haven’t tested that. If you figure it out, post back to let us know!
Mark,
Thank you for this wonderful article! I'm having one issue after going through everything. When new users are created, the permissions on their redirected folders look entirely different than the ones modified by the script. This is preventing any new users from having a folder created at the root of their redirected profile by a login script. Since these are new users, shouldn't Windows set the permissions properly? I'm confused!
Thanks,
Mike
Mike K, you should not need any kind of script for new users. I tried to copy the appropriate Parent Folder permissions into the table above, but you might want to reference the original Microsoft articles cited under “Tracking Down…” above. Once the parent folders are set correctly, subfolders for new users should be created automatically without any scripting (I think the CREATOR OWNER permission is the key here–the user becomes the Owner with Full Control). The script is only used to fix issues e.g. after a server migration.
I understand what you are saying but my problem is that a new user will be the owner of the redirected folder with full control for “This Folder Only.”
When I dig down deeper into the profile (Desktop, Start Menu, Etc…) Administrators have full control of everything(No other Permission Entries), the user for the Redirected Folder is shown as the owner on the Owner tab, but Creator Owner or the username doesn’t show up on the Permissions Tab. Thus preventing the actual user from doing anything with their profile.
If I change Creator Owners Permissions to Subfolders and files only to the new users profile, all is well. But I’m not sure why Creator Owner isn’t propagating to the child objects.
And yes, parent folder to all the user profiles does have Creator Owner set to Full Control – Subfolder and files only.
Strange. Have you set the group policy "Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrator security group to the roaming user profile share" to Enabled? If not, I wonder if somehow it is propagating the Administrators permission down INSTEAD OF the users' permissions. In other words, enabling that group policy setting and adding Administrators to the Parent folder probably need to be done together.
That policy setting is Enabled.
I posted a question on Experts Exchange linking to this page. I hope you don’t mind.
Sounds good. Let us know how you resolve it.
Will do.
I took a different approach. I created a login script where users give permissions to SYSTEM and Domain Admins. It was working OK, but I have seen icacls.exe and run32.dll get hung occasionally for the user.
As the users have ownership, they will be able to assign permissions to Domain Admins and SYSTEM.
This post helped me a lot–best post on this topic I’ve seen. Script was very useful.
Hi,
Very interesting! Though I have an issue with the .V2 folder: for some users it was created under the username as part of the XP ("username\.V2") profile, and for some other users a "username.V2" folder was created at the same level (see above example). I would like to standardize on the latter. I tried to move the user profile to a brand new folder on another server (I changed the value in the profile tab of the user in AD and rebooted), but it kept recreating it the same way. I then checked the registry of that user and corrected a CentralProfile key and rebooted. The new value was not saved and the folder was recreated the same way (username\.V2). I disconnected the network cable, restarted the computer, opened the user session, changed the CentralProfile key in the registry, rebooted and logged on again, and the value was not saved in the registry... Any ideas???
Sorry Paul, I haven’t seen the .V2 as a subfolder. Any pattern in which users it happens on? Maybe users with periods in their User.Names? Not that that should matter, but it sounds like something is confusing the algorithm that creates the V2 folder.
Thanks Mark for your prompt response.
No, nothing special. I do not think it was related to the username. Anyhow, I am more interested in finding a way to set all the users the same way ("username.V2"), which does not seem to be simple to do!!!
If I understand correctly, when a Windows 7 station opens for the first time using a certain username that has its profile set to \\server\userprofile\username in the profile tab in AD, it will copy back to \\server\userprofile\username.V2 at logoff and then, from then on, will use \\server\userprofile\username.V2 as the profile folder. Right? So my question is: where is that info saved in the registry of the user? Or is it in AD? The CentralProfile key seemed to be the solution but it does not seem to work properly...
I’m afraid I’m out of the details now. I’ve never heard of the CentralProfile key so don’t know what it does. IIRC you will have both profile folders; the folder with the .V2 suffix is only for new (version 2) stuff. Besides AD, there are path settings in the Group Policy Object that you use to turn on roaming profiles. Maybe you have an anomaly in there. I blogged about the group policy stuff (https://www.mcbsys.com/blog/2009/12/group-policy-in-a-mixed-windows-xp-windows-7-environment/) though that post may not correspond 100% with this one since it was almost a year earlier.
thank for your help. I will do a follow up.
Mark, Paul's issue may be the "\" in the profile location.
If a profile location is entered as \\SVRNAME\SHARE\%username%\profile\ this will result in the username\.V2 behavior. If however, the location is entered correctly without the ending "\" the profiles will generate as normal. The .V2 extension is for Vista and above. Users logging into both XP and Win7 machines will have 2 locations. This is due largely to the changes in what folders can be redirected, especially within %appdata%.
Regards.
You are right Stephen. Thank you.
Awesome document! That summary table is exactly what I was looking for!
Here’s an update for Windows 2008 R2 using ICACLS instead of SUBINACL.
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/bb54e51e-4a3a-40d7-8007-69df53520535
Thanks Ray. Nice if you don’t have to download an extra executable to accomplish the same thing!
By the way, I found out that icacls does not work with Windows 2003 unless you run a certain patch on the server...
Very useful. I got confused by the Microsoft recommendation to give permissions to LOCAL SYSTEM. I couldn't add 'LOCAL SYSTEM' but could add 'SYSTEM'. Your article left no doubts for me.
Thanks
When I use this script, only Administrators is added to the folder and "BUILTIN" is added as the owner. When I run it, the last command, subinacl.exe, doesn't know what to do with %1 (>subinacl.exe /noverbose /subdirectories Userhome\*.* /setowner= ); setowner is blank after the =. Not sure why the %1 isn't taking the name of the folder as the username, as the username is the correct folder name in AD. Running 2003 server domain level.
Ryan, sounds like there is some issue or confusion about handling the %1, which should substitute the first variable passed to the command line.
Try creating a test.bat batch file with two lines:
@echo off
echo UserName=%1
Then run the test.bat file as:
test.bat MyUser
Does it echo the supplied variable?
Response is:
UserName=myusername
So I assume yes. But how does that answer why the permissions are not changing? Only the owner seems to have changed (although the owner shows as "BUILTIN"). No errors occur.
REM Recursively assign ownership to Administrators. Answer prompts with "Y".
takeown /R /A /F Userhome\%1 /D Y
REM Grant Full permissions on folder and subfolders to Administrators, SYSTEM, and the user
cacls Userhome\%1 /T /E /P "Administrators":F
cacls Userhome\%1 /T /E /P "SYSTEM":F
cacls Userhome\%1 /T /E /P "%1":F
REM Set owner back to UserName
subinacl.exe /noverbose /subdirectories Userhome\%1\*.* /setowner=%1
pause
Result is:
D:\>REM Recursively assign ownership to Administrators. Answer prompts with "Y".
D:\>takeown /R /A /F Userhome\ /D Y
SUCCESS: The file (or folder): "D:\Userhome" now owned by the administrators group.
SUCCESS: The file (or folder): "D:\Userhome\pkaffenb" now owned by the administrators group.
SUCCESS: The file (or folder): "D:\Userhome\wfessler" now owned by the administrators group.
SUCCESS: The file (or folder): "D:\Userhome\pkaffenb\New Text Document.txt" now owned by the administrators group.
SUCCESS: The file (or folder): "D:\Userhome\wfessler\pk.txt" now owned by the administrators group.
D:\>REM Grant Full permissions on folder and subfolders to Administrators, SYSTEM, and the user
D:\>cacls Userhome\ /T /E /P "Administrators":F
D:\>cacls Userhome\ /T /E /P "SYSTEM":F
D:\>cacls Userhome\ /T /E /P "":F
D:\>REM Set owner back to UserName
D:\>subinacl.exe /noverbose /subdirectories Userhome\\*.* /setowner=
Elapsed Time: 00 00:00:00
Done: 4, Modified 4, Failed 0, Syntax errors 0
Last Done : D:\Userhome\wfessler\pk.txt
So it looks like it is working, but when I go to permissions on each folder, SYSTEM is not there and Administrators is not there either (removed for testing and put myself as admin).
Thoughts?
Unless this is Windows 2000, you should be using ICACLS instead of CACLS and SUBINACL. See links and comments above. CACLS is known to cause permission corruption, certainly after Windows 2008 and in some 2003 instances.
Ryan, it looks like you are running the script without a parameter? So %1 resolves to an empty string and the script runs at the top level instead of on a user folder. If you save the script to FixPerm.bat, then you must run it as “FixPerm MyUserName”.
Ray, this is the first I have heard CACLS being “known to cause permission corruption.” Do you have a reference on that? I’ve been using it without apparent issues on Server 2008 R2.
Mark, I have had several experiences where CACLS (and maybe XCACLS) corrupts the sort order of the ACLs and inheritance in folder structures. End result is permissions that are not as expected, and you do not see correct permission flow in GUIs. Did see some Technet articles about three years ago which pointed to using ICACLS (could not find them in a quick search – but plenty of articles around the edges).
@Mark, so how would this be used to change multiple different folders? I have a folder Userhome (system created by roaming profiles, under that). So I need to change all with one script or I'll be working an entire week on changing and rechanging security. Thoughts?
I did test with it singular. So I would have to put in each username in the new bat file? Nothing where it will just go to the next folder until none are left? Thank you for all the help thus far!
Ryan, call the script something like FixPermOneUser.bat. Test it and make sure it works for one user.
Then write another script, FixPermAllUsers.bat. In that script, call the first script for each user:
call FixPermOneUser.bat MyUser1
call FixPermOneUser.bat MyUser2
call FixPermOneUser.bat MyUser3
…
New script created with:
call Fix.bat rreeber
call Fix.bat pkaffenb
call Fix.bat wfessler
pause
Results:
D:\>call Fix.bat rreeber
D:\>REM Recursively assign ownership to Administrators. Answer prompts with "Y".
D:\>takeown /R /A /F Userhome\rreeber /D Y
SUCCESS: The file (or folder): "D:\Userhome\rreeber" now owned by the administrators group.
SUCCESS: The file (or folder): "D:\Userhome\rreeber\PK.txt" now owned by the administrators group.
SUCCESS: The file (or folder): "D:\Userhome\rreeber\pk2.txt" now owned by the administrators group.
SUCCESS: The file (or folder): "D:\Userhome\rreeber\pk3.txt" now owned by the administrators group.
D:\>REM Grant Full permissions on folder and subfolders to Administrators, SYSTEM, and the user
D:\>cacls Userhome\rreeber /t /e /p Administrators:F
processed dir: D:\Userhome\rreeber
processed file: D:\Userhome\rreeber\PK.txt
processed file: D:\Userhome\rreeber\pk2.txt
processed file: D:\Userhome\rreeber\pk3.txt
D:\>cacls Userhome\rreeber /t /e /p SYSTEM:F
processed dir: D:\Userhome\rreeber
processed file: D:\Userhome\rreeber\PK.txt
processed file: D:\Userhome\rreeber\pk2.txt
processed file: D:\Userhome\rreeber\pk3.txt
D:\>cacls Userhome\rreeber /t /e /p rreeber:F
processed dir: D:\Userhome\rreeber
processed file: D:\Userhome\rreeber\PK.txt
processed file: D:\Userhome\rreeber\pk2.txt
processed file: D:\Userhome\rreeber\pk3.txt
D:\>REM Set owner back to UserName
D:\>subinacl.exe /noverbose /subdirectories Userhome\rreeber *.* /setowner=rreeber
Elapsed Time: 00 00:00:00
Done: 1, Modified 1, Failed 0, Syntax errors 0
Last Done : D:\Userhome\rreeber
D:\>pause
Press any key to continue . . .
I have 2 scripts:
fix.bat with the original (works on individual users)
fixall.bat with the new code. and am referencing back to fix.bat with call command. Only does first user.
HAHAHA never mind! My bad! I had a pause command in there! Wow! Eyes are tired!
I had this issue when we had a GPO turned on for folder redirection setting exclusive access to the user. (Stripped out Admin access) This is what i used to fix. Just added to GPO User logon script. (I’m not a scripting guy so prob looks messy.) Last line also solves problem of redirected user documents displaying as “documents” instead of “username”.
SET LOGFILE="\\Server01\Roaming$\NTFS_Perm_Owner_Fix.log"
ECHO ................................................................................................................................ >> %logfile%
ECHO %Date% %Time% # # # STARTED Fixing NTFS Permissions on Redirected Roaming Dir for %USERNAME% # # # >> %logfile%
ECHO %Date% %Time% # # # /R recursively /A give ownership to Administrators on /F Filename /D answer "Y" to prompts # # # >> %logfile%
takeown /R /A /F \\Server01\Roaming$\%USERNAME% /D Y >> %logfile%
ECHO %Date% %Time% # # # On Directory/File /T and all Subdirectories/Files /C continue on errors /grant Grant (M) Modify access for logged in user # # # >> %logfile%
icacls \\Server01\Roaming$\%USERNAME% /T /C /grant %USERNAME%:(M) >> %logfile%
ECHO %Date% %Time% # # # On Directory/Files in logged in user directory /T and all Subdirectories/Files /C continue on errors /inheritance:e Enable inheritance # # # >> %logfile%
icacls \\Server01\Roaming$\%USERNAME%\*.* /T /C /inheritance:e >> %logfile%
ECHO %Date% %Time% # # # On Directory/Files /setowner as logged in user /T and all Subdirectories/Files /C continue on errors # # # >> %logfile%
icacls \\Server01\Roaming$\%USERNAME% /setowner %USERNAME% /T /C >> %logfile%
ECHO %Date% %Time% # # # Deny read access to Admins for the ntuser.dat so MyDocuments lists as correct user rather than "documents" # # # >> %logfile%
icacls \\Server01\Profiles$\%USERNAME%.v2\ntuser.dat /deny Administrators:(R) >> %logfile%
ECHO %Date% %Time% # # # COMPLETED Fixing NTFS Permissions on Redirected Roaming Dir for %USERNAME% # # # >> %logfile%
Or without any logging:
takeown /R /A /F \\Server01\Roaming$\%USERNAME% /D Y
icacls \\Server01\Roaming$\%USERNAME% /T /C /grant %USERNAME%:(M)
icacls \\Server01\Roaming$\%USERNAME%\*.* /T /C /inheritance:e
icacls \\Server01\Roaming$\%USERNAME% /setowner %USERNAME% /T /C
icacls \\Server01\Profiles$\%USERNAME%.v2\ntuser.dat /deny Administrators:(R)
Hi Mark,
Question. How do I restore default ownership (owner-only access rights) to a redirected user folder? I temporarily took ownership as the admin, but now want to restore default (sole) ownership to the owner of the redirected folders on the network. Just in case you are wondering why I took ownership in the first place, I was trying to make sure the redirection took place correctly. Since I am not the owner, I had to take ownership in order to browse the folder and its content. Or do you recommend a better way to do that in the future without taking ownership?
By the way Mark, great blog to bookmark as reference material. Just discovered it through a Google search.
Thanks