Fix Broken Folder Redirection Policies?

Question
Folder redirection policies were done years ago, but they were set up incorrectly and with improper permissions on the user folders. Previous administrators made up their own NTFS ACLs instead of using the required permissions listed here http://technet.microsoft.com/en-us/library/cc775853(v=ws.10).aspx . The document folders were not being created automatically on the server, so they made them by hand. Automatic folder redirection of My Documents failed and their workaround was to manually set the Documents location in the user's profile on each user's workstation. Permissions on the server shares containing the redirected folders are all messed up. Share and NTFS permissions at the root folder have been fixed so it now works for new users getting new folders, but I don't see how the permissions can be fixed for all the old users' folders without spending more time than anyone has available.
What are options for a solution? Can a new Folder Redirection GPO pointing to new shares be set up in a way that will migrate the bad folders into a new folder structure with the correct permissions, or copy their redirected data back locally and then up to the new share?
Is there some automated way to fix the permission and ownership properties on the existing folders?
Saturday, March 10, 2012 11:03 PM
Answers
call :SET_HOME_PERMISSION "\\server\share"
call :SET_HOME_PERMISSION "D:\users"
The lines above are only two examples, one with a UNC path and the other with a local path; you need only one. If your user share on the server is on, for example, D:\users, you can use only the line
call :SET_HOME_PERMISSION "D:\users"
I have seen a problem in the line (takeown):
takeown /F "%%F\*.*" /R /A /D s %append2LOG%
the correct one is (yes in Italian is "sì")
takeown /F "%%F\*.*" /R /A /D Y %append2LOG%
@echo off
:: Reset Home folder Permissions
:: RHP.cmd +need admin rights to run correctly+
:: change the permission based on the folder name adding full control to system and administrator too
:: By gastone Canali
setlocal
set filename=%~n0
title %filename%
set logfile="c:\admin\log\_%filename%.txt"
if not exist "c:\admin\log" md "c:\admin\log"
set append2LOG=^>^> %logfile% 2^>^&1
call :SET_HOME_PERMISSION "\\server\share"
goto :END

:SET_HOME_PERMISSION
REM refuse to run against the current directory when no path was given
if "%~1"=="" goto :ERR
pushd %1 || goto :ERR
for /f "tokens=*" %%F in ('dir /b /a:d') do (
    REM /domain: check the folder name against domain accounts, not the server's local SAM
    net user "%%F" /domain >nul 2>&1 && (
        REM take ownership, to be able to change user folder permission
        REM (the folder itself is not matched by %%F\*.*, so take it first)
        takeown /F "%%F" /A /D Y %append2LOG%
        takeown /F "%%F\*.*" /R /A /D Y %append2LOG%
        REM FolderName is a Username then set user permission to Full "%%F:F"
        REM user, administrator and system have Full control
        echo y|cacls "%%F" /c /T /e /g administrators:f system:f "%%F:F" %append2LOG%
    ) || (
        REM FolderName is NOT a Username: only administrator and system have Full control
        REM (also reached when a command in the block above failed; the extra grant is harmless)
        takeown /F "%%F" /A /D Y %append2LOG%
        takeown /F "%%F\*.*" /R /A /D Y %append2LOG%
        echo y|cacls "%%F" /c /T /e /g administrators:F system:F %append2LOG%
    )
)
goto :EOF

:ERR
echo error: folder not found
:END
popd
Gastone Canali >http://www.armadillo.it
If some posts answer your question (not necessarily mine), remember to mark them as answers, and don't forget to mark the useful posts too. THANKS!
Marked as answer by Arthur_Li (Microsoft contingent staff) Sunday, March 18, 2012 3:19 PM
Monday, March 12, 2012 7:14 AM
All replies
Hello,
Can a new Folder Redirection GPO pointing to new shares be setup in a way that will migrate the bad folders into a new folder structure with the correct permissions or copy their redirected data back locally and then up to the new share?
You could run a logon-script for every user which changes the permissions
on the redirected folder (you could use xcacls or icacls and so on). If you want the Administrators as owner of the folders/files, you can use takeown
before you change the permissions. The other way is, like you already said, to create a new share with the correct permissions.
You can create a GPO which applies only for a test user.
(choose a user with wrong permissions).
If this works, you can set up the policy for all users.
MVP Group Policy - Myths, insider information and troubleshooting on GPOs: Let's go, use GPO!
Saturday, March 10, 2012 11:33 PM
Login script sounds easiest, but I don't understand how it would work, because the users were only given Modify permission to their redirected folders when they are supposed to have had full control and also be owner. How would a login script change their permissions to full control and set them as owner?
I don't want Administrators to be owners of the folders since Microsoft says the user must be owner of their own folder, but I need Administrators to have full control of the folders so they can manage the folders without them having to take ownership of each folder each time. There is a new GPO to give administrators access to newly created redirected folders, but it is not retroactive to old folders.
I had the idea of creating new folders in a new share, but I'm not sure that would work if the Documents were already redirected to the server manually since the user would no longer have the documents folder with their data on their local disk to redirect. It would need to be able to redirect from one share on the server to another.
Sunday, March 11, 2012 12:00 AM
How would a login script change their permissions to full control and set them as owner?
OK, I thought they are already owners.
In this case, the script would not work.
There may be a third solution: create a new folder on the file server.
Copy all the redirected folders with robocopy in backup mode.
Do not copy the NTFS permissions:
"C:\Program Files\Windows Resource Kits\Tools\robocopy.exe" "D:\oldshare" "D:\newshare" /E /COPY:DATU /ZB /R:0
Allow Everyone full control on the new share (the share name has to be the same) and on D:\newshare folder.
Now you need the login script:
REM takeown without /A makes the logged-on user the owner; /D Y answers the prompt for folders the user cannot list
takeown /F \\server\share\%username% /R /D Y
REM cacls without /E replaces the ACL and asks for confirmation, hence echo y
echo y|cacls \\server\share\%username% /T /G "domain\%username%":F
cacls \\server\share\%username% /T /E /G "domain\Domain Admins":F
I could not test the script so far.
If it is not working, you can easily switch back to the old share.
MVP Group Policy - Myths, insider information and troubleshooting on GPOs: Let's go, use GPO!
Edited by Matthias Wolf Sunday, March 11, 2012 11:07 AM
Proposed as answer by Arthur_Li (Microsoft contingent staff) Tuesday, March 13, 2012 7:39 AM
Sunday, March 11, 2012 11:03 AM
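The PowerShell script below is an added example written for this page; it is neither Gastone's RHP.cmd from the marked answer above nor Matthias's robocopy-plus-login-script procedure in this reply, but it covers the job both are doing, from the server side. It walks the share root, checks each folder name against an account the way the net user test does, has Administrators take ownership so the hand-made DACLs can be rewritten, grants the user, SYSTEM and Administrators Full Control with inheritance, and then hands ownership back to the user with icacls /setowner, which is what Folder Redirection expects and what takeown /A alone cannot do. Because it runs on the server as an administrator, it needs neither Everyone:Full Control on a new share nor a per-user login script. Assumptions that are not in the thread: the share root is D:\users (point it at D:\newshare after the robocopy step if you migrate), the domain is CONTOSO and folder names equal sAMAccountNames, and it runs in an elevated PowerShell on the file server, where Administrators hold the restore privilege that icacls needs to assign ownership to another account.

```powershell
<#
Reset-RedirectedFolderAcls.ps1 (added example for this page, not code from the thread)
Assumed, not stated in the thread: share root D:\users, domain CONTOSO,
folder names equal to sAMAccountNames, run elevated on the file server.
#>
param(
    [string]$Root   = 'D:\users',   # assumed local path of the redirected-folder share
    [string]$Domain = 'CONTOSO',    # assumed NetBIOS domain name
    [switch]$ReportOnly             # print the commands per folder, change nothing
)

# Resolve DOMAIN\Name through LSA; $null means the folder name is not an account
# (the same decision the net user test in the thread makes).
function Resolve-AccountSid {
    param([string]$Domain, [string]$Name)
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Domain, $Name)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        return $null   # IdentityNotMappedException: no such user or group
    }
}

# Run a native tool and fail loudly on a non-zero exit code.
function Invoke-Native {
    param([string]$Exe, [string[]]$ArgumentList)
    & $Exe @ArgumentList | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgumentList -join ' ') exited with $LASTEXITCODE" }
}

# The four commands that bring one user folder to the required state.
function Get-ResetCommands {
    param([string]$Path, [string]$Account)
    @(
        # 1. Administrators take ownership of the tree so the hand-made DACLs can be rewritten
        @{ Exe = 'takeown.exe'; ArgumentList = @('/F', $Path, '/R', '/A', '/D', 'Y') }
        # 2. Discard explicit ACEs on the folder and below; everything reverts to inheriting from $Root
        @{ Exe = 'icacls.exe';  ArgumentList = @($Path, '/reset', '/T', '/C', '/Q') }
        # 3. User, SYSTEM and Administrators: Full Control, inherited by subfolders (CI) and files (OI)
        @{ Exe = 'icacls.exe';  ArgumentList = @($Path, '/grant', "${Account}:(OI)(CI)F",
                                                'SYSTEM:(OI)(CI)F', 'Administrators:(OI)(CI)F', '/C', '/Q') }
        # 4. Give ownership of the folder and its contents to the user, as Folder Redirection expects;
        #    takeown only assigns to the caller or Administrators, icacls /setowner can name a third party
        @{ Exe = 'icacls.exe';  ArgumentList = @($Path, '/setowner', $Account, '/T', '/C', '/Q') }
    )
}

function Reset-UserFolder {
    param([string]$Path, [string]$Account, [switch]$ReportOnly)
    foreach ($cmd in (Get-ResetCommands -Path $Path -Account $Account)) {
        if ($ReportOnly) { Write-Output ('  {0} {1}' -f $cmd.Exe, ($cmd.ArgumentList -join ' ')) }
        else             { Invoke-Native -Exe $cmd.Exe -ArgumentList $cmd.ArgumentList }
    }
}

$fixed = @(); $skipped = @()
foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    if ($null -eq (Resolve-AccountSid -Domain $Domain -Name $dir.Name)) {
        # Not a user folder: leave it for a human, exactly like the script's "NOT a Username" branch
        Write-Warning "$($dir.FullName): '$($dir.Name)' is not an account in $Domain, left unchanged"
        $skipped += $dir.FullName
        continue
    }
    Write-Output "$($dir.FullName) -> owner $Domain\$($dir.Name)"
    Reset-UserFolder -Path $dir.FullName -Account "$Domain\$($dir.Name)" -ReportOnly:$ReportOnly
    $fixed += $dir.FullName
}
Write-Output ('Fixed {0} folder(s), skipped {1}' -f $fixed.Count, $skipped.Count)
```

Run it with -ReportOnly first: it prints the exact takeown and icacls invocations per folder and warns about folders whose names are not accounts, so those can be checked by hand before anything changes. Owner and DACL changes need WRITE_OWNER and WRITE_DAC access, not a share lock, so files that users have open do not block this step; the robocopy copy is a separate concern.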
I don't know if the following script is suitable for your needs.
This is useful to reset the permissions, assuming that the folders inside \\server\share correspond to usernames.
@echo off
:: Reset Home folder Permissions
:: RHP.cmd +need admin rights to run correctly+
:: change the permission based on the folder name adding full control to system and administrator too
:: By gastone Canali
setlocal
set filename=%~n0
title %filename%
set logfile="c:\admin\log\_%filename%.txt"
if not exist "c:\admin\log" md "c:\admin\log"
set append2LOG=^>^> %logfile% 2^>^&1
call :SET_HOME_PERMISSION "\\server\share"
call :SET_HOME_PERMISSION "D:\users"
goto :END

:SET_HOME_PERMISSION
REM refuse to run against the current directory when no path was given
if "%~1"=="" goto :ERR
pushd %1 || goto :ERR
for /f "tokens=*" %%F in ('dir /b /a:d') do (
    REM /domain: check the folder name against domain accounts, not the server's local SAM
    net user "%%F" /domain >nul 2>&1 && (
        REM take ownership, to be able to change user folder permission
        takeown /F "%%F\*.*" /R /A /D y %append2LOG%
        REM FolderName is a Username then set user permission to Full "%%F:F"
        REM user, administrator and system have Full control
        echo y|cacls "%%F" /c /T /e /g administrators:f system:f "%%F:F" %append2LOG%
    ) || (
        REM take ownership, to be able to change user folder permission
        takeown /F "%%F\*.*" /R /A /D s %append2LOG%
        REM FolderName is NOT a Username: only administrator and system have Full control
        echo y|cacls "%%F" /c /T /e /g administrators:F system:F %append2LOG%
    )
)
goto :EOF

:ERR
echo error: folder not found
:END
popd
Gastone Canali >http://www.armadillo.it
If some posts answer your question (not necessarily mine), remember to mark them as answers, and don't forget to mark the useful posts too. THANKS!
Edited by GastoneCanali Sunday, March 11, 2012 2:14 PM
Sunday, March 11, 2012 2:12 PM
I'll try one or both of those suggestions during the week.
A possible issue I see is permission changes or file copying failing because the users will have files in use and locked. Most users are logged into their computers 24/7. They lock their screen and go home with files and apps open. They don't want to have to open 10 different apps and files when they start work in the morning. They only log out when forced to due to a software installations or updates or because the system or applications start freezing up or running out of memory because they went too many days without a restart.
Will these work even if the user has some of the files in their redirected folders open?
Sunday, March 11, 2012 10:47 PM
There should be no problem with copying the open files.
You can use robocopy to create a logfile for each file that fails. Before you switch to the new share, you can run robocopy again (it will only copy the differentials).
Of course, if the user did not save the file or has made unsaved changes, these changes will be lost.
MVP Group Policy - Myths, insider information and troubleshooting on GPOs: Let's go, use GPO!
Sunday, March 11, 2012 11:26 PM
I just tried Gastone's script as a test on a VM and I had 3 problems. The major issue was that it tried to change permissions on everything in its path instead of only the specified path coded in the script. I had to move the bat file into the profiles directory and run it from there to keep it from going through the entire C drive. It changed permissions on everything that didn't fail with access denied errors. Glad it was only a test server.
Another issue was that I didn't understand what "D:\users" was referring to in the script. Is it supposed to be the local path to the shared folders? Does it need to run both on the share and the local path? As a guess, I substituted the reference to d:\users with c:\profiles on my system, since that is the folder containing the redirected documents folders.
The smallest issue was that it errored out at the end saying "popd" is not recognized as a command.
Monday, March 12, 2012 12:00 AM