Wednesday, March 11, 2020

Fix Permissions on redirected folders and give Domain Admins full control of redirected folders

Run the script below to fix folder permissions on redirected folders. Make sure your top level folder has the correct permissions before running this!

Correct top level folder permissions:

https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection


Script for fixing permissions:


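$mainDir = "Path to Top Level Folder"
Write-Output $mainDir
# Each subfolder is assumed to be named after the user account that owns it.
$dirs = Get-ChildItem "$mainDir" | Where-Object { $_.PSIsContainer }
foreach ($dir in $dirs) {
    Write-Output $dir.FullName
    # Take ownership recursively (as the account running the script) so the ACLs can be rewritten.
    takeown.exe /F $($dir.FullName) /R /D Y | Out-Null
    # Replace every ACL under the folder with the inherited defaults from the top level folder.
    icacls.exe $($dir.FullName) /reset /T /C /L /Q
    # Grant the user full control, inherited by files (OI) and subfolders (CI).
    icacls.exe $($dir.FullName) /grant ($($dir.BaseName) + ':(OI)(CI)F') /C /L /Q
    # Hand ownership of the whole tree back to the user.
    icacls.exe $($dir.FullName) /setowner $($dir.BaseName) /T /C /L /Q
}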

___________________________________________________________________________________


Run the script below to give the Domain Admin group full control of redirected folders. You will need PSExec from PSTools to run this. Download that here - https://docs.microsoft.com/en-us/sysinternals/downloads/pstools

Command to run from c:\pstools (-s starts PowerShell as the SYSTEM account, -i makes the session interactive) - .\psexec -s -i powershell -noexit C:\pstools\FixPermissions.ps1

Save the script below as FixPermissions.ps1 in the c:\pstools folder on the server. Change the $StartingDir and $Principal variables to match your environment! Copy all the files from the PSExec download into the c:\pstools folder.

#FixPermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

$StartingDir= "D:\ServerFolders\Folder Redirection"

$Principal="contoso\domain admins"

$Permission="F"

# Build the prompt as one string; method calls only expand inside $( ).
$Verify = Read-Host ("`nYou are about to change permissions on all files starting at $($StartingDir.ToUpper())" +
    "`nfor security principal $($Principal.ToUpper()) with new right of $($Permission.ToUpper())." +
    "`nDo you want to continue? [Y,N]")

if ($Verify -eq "Y") {

    foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
        #display filename and old permissions
        Write-Host -foregroundcolor Yellow $file.FullName
        #uncomment if you want to see old permissions
        #CACLS $file.FullName

        #ADD new permission with CACLS
        CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL

        #display new permissions
        Write-Host -foregroundcolor Green "New Permissions"
        CACLS $file.FullName
    }
}
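
A read-only audit to run before and after the two scripts above, listing user folders whose owner or full-control entries are not what the scripts set. This is an added example, not part of the original post; it assumes each subfolder is named after its user's account and reuses the placeholder path and contoso principal from the scripts.

```powershell
# Added example: read-only audit; it changes no permissions.
# Assumptions: each subfolder is named after its user's account name, and the
# principal below matches $Principal in FixPermissions.ps1.
$mainDir  = "Path to Top Level Folder"
$admins   = "contoso\domain admins"
$fullMask = [int][System.Security.AccessControl.FileSystemRights]::FullControl

# "CONTOSO\jsmith" -> "jsmith", so identities compare against folder names.
function Get-AccountLeaf([string]$Identity) { ($Identity -split '\\')[-1] }

# True when $Rules holds an Allow ACE granting full control to $AccountLeaf.
function Test-FullControl($Rules, [string]$AccountLeaf) {
    foreach ($rule in $Rules) {
        if ($rule.AccessControlType -eq 'Allow' -and
            (Get-AccountLeaf $rule.IdentityReference.Value) -eq $AccountLeaf -and
            ([int]$rule.FileSystemRights -band $fullMask) -eq $fullMask) { return $true }
    }
    return $false
}

$report = foreach ($dir in Get-ChildItem -LiteralPath $mainDir -Directory) {
    try {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
    } catch {
        # An unreadable ACL is reported rather than skipped, so it is not missed.
        [pscustomobject]@{ Folder = $dir.Name; Owner = '<unreadable>'; OwnerIsUser = $false
                           UserFull = $false; AdminFull = $false }
        continue
    }
    [pscustomobject]@{
        Folder      = $dir.Name
        Owner       = $acl.Owner
        OwnerIsUser = (Get-AccountLeaf $acl.Owner) -eq $dir.Name
        UserFull    = Test-FullControl $acl.Access $dir.Name
        AdminFull   = Test-FullControl $acl.Access (Get-AccountLeaf $admins)
    }
}

# Show only folders where something is off.
$report | Where-Object { -not ($_.OwnerIsUser -and $_.UserFull -and $_.AdminFull) } |
    Format-Table -AutoSize
```

An empty table after both scripts have run means every user folder is owned by its user and carries full control for the user and the admin group.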