Overview

Roaming profiles are great for mobile users and VDI users, but managing the profile folders can present extra challenges.  By default, a newly created profile folder grants access only to the local system and to the user who owns it.  You can add Administrator access using the Group Policy setting described in KB222043 (linked below), but that policy cannot grant access to other security principals such as Help Desk users.

The sample script below does the following:

  • Goes through each subfolder (top level only) and assigns permissions to a specific security principal
  • Security principal, access level, and profile location are all configurable.  The sample grants FullControl, which also lets the grantee change permissions and take ownership; Modify is usually sufficient for Help Desk work.  Keep in mind that anyone with write access to a profile can drop files into the user's roaming Startup folder, so treat this grant as code execution as that user.

Script Limitations

  • Runs in a single pass and does not watch for new profile folders, so it must be scheduled (for example as a scheduled task) to cover profiles created later
  • Not designed for adding multiple security principals or multiple locations
  • The script must be run in the context of a security principal that can read and write the DACL on every profile folder; Get-Acl fails with access denied on folders that do not grant it.  Since new profile folders only grant the user and SYSTEM, it is best used in conjunction with KB222043 (or run as SYSTEM)

This script can be enhanced or modified to suit other purposes.

DISCLAIMER: This sample script is provided AS-IS with no warranties and confers no rights.

Sample PowerShell Code

#SCRIPT SAMPLE TITLE - Automate roaming profile folder permissions
#AUTHOR - Joji Oshima - Microsoft Corporation
#VERSION - 1.0
#RoamingProfile.ps1

############################################################
# Configuration Section
############################################################
# The possible values for Rights are:
############################################################
# ListDirectory, ReadData, WriteData
# CreateFiles, CreateDirectories, AppendData
# ReadExtendedAttributes, WriteExtendedAttributes, Traverse
# ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes
# WriteAttributes, Write, Delete
# ReadPermissions, Read, ReadAndExecute
# Modify, ChangePermissions, TakeOwnership
# Synchronize, FullControl
############################################################

$ProfileFolder = "\\server1\profiles"
$Principal  = "contoso\helpdesk"
$Right   = "FullControl"

############################################################
# Main Program
############################################################
cls
Write-Host "`n WARNING: This script sample is provided AS-IS with no warranties and confers no rights." -ForegroundColor Yellow
Write-Host " This script sample is NOT intended for production use." -ForegroundColor Yellow
Write-Host " There is NO error handling and is not ready for mission-critical work." -ForegroundColor Yellow
Write-Host "`n This script sample will add defined ACLs for a security principal to the first level folders only"
Write-Host " It is designed to give permissions to each roaming profile folder for non-administrators (like help desk users)`n"

# Allow ACE that applies to the folder and inherits to all subfolders and files
$permission = $Principal,$Right,"ContainerInherit,ObjectInherit","None","Allow"
$rule = new-object System.Security.AccessControl.FileSystemAccessRule($permission)

# Top-level directories only; profile contents inherit the ACE
foreach ($folder in $(Get-ChildItem $ProfileFolder | where {$_.psIsContainer -eq $true}))
{
 Write-Host " Changing ACLs for: $folder" -ForegroundColor Green
 $acl=get-acl $folder.FullName
 #Add this access rule to the ACL. SetAccessRule replaces any existing explicit
 #Allow rules for this principal, so running the script twice is safe;
 #use AddAccessRule instead if existing rules for the principal must be kept.
 $acl.SetAccessRule($rule)
 #Write the changes to the object
 set-acl $folder.Fullname $acl
}

Write-Host "`n Done!`n" -ForegroundColor Yellow

################################################################
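The sample above works, but its limitations (single principal, no error handling, no way to see which folders are missing the grant before changing anything) are the first things a practitioner runs into.  The following is an added example, not part of the original post or Joji Oshima's script: it audits the top-level profile folders against a list of principals, reports what is missing, and only writes the ACL when asked, then reads it back to verify.  The server, share and group names, and the function names Test-ProfileGrant, New-InheritedAllowRule and Set-ProfileFolderGrants, are assumptions made for this example.  It requires PowerShell 3.0 for Get-ChildItem -Directory.

```powershell
#Requires -Version 3.0
# Added example (not part of the original post). Server, share and group
# names are assumptions; replace them with your own.
Set-StrictMode -Version Latest

$ProfileFolder = "\\server1\profiles"

# One entry per principal. Modify covers read/edit/delete of profile content;
# FullControl additionally allows changing the ACL and taking ownership.
$Grants = @(
    @{ Principal = "contoso\helpdesk";       Right = "Modify" }
    @{ Principal = "contoso\profile-admins"; Right = "FullControl" }
)

function New-InheritedAllowRule {
    # Allow ACE for the folder that inherits to subfolders and files.
    param([string]$Principal, [string]$Right)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @($Principal, $Right, "ContainerInherit,ObjectInherit", "None", "Allow")
}

function Test-ProfileGrant {
    # True if the ACL already carries an explicit (non-inherited) Allow ACE for the
    # principal that covers the requested rights and inherits to subfolders and files.
    param([System.Security.AccessControl.FileSystemSecurity]$Acl,
          [string]$Principal, [string]$Right)
    $wanted  = [System.Security.AccessControl.FileSystemRights]$Right
    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
    foreach ($ace in $Acl.Access) {
        if ($ace.IsInherited) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Principal) { continue }   # -ne is case-insensitive
        if (($ace.FileSystemRights -band $wanted) -ne $wanted) { continue }
        if (($ace.InheritanceFlags -band $inherit) -ne $inherit) { continue }
        return $true
    }
    return $false
}

function Set-ProfileFolderGrants {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [object[]]$Grants, [switch]$AuditOnly)

    foreach ($folder in (Get-ChildItem -LiteralPath $Path -Directory -ErrorAction Stop)) {
        try {
            # Access denied here is the KB222043 case: the caller is neither the
            # profile owner nor SYSTEM and the policy has not been applied.
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL on $($folder.FullName): $($_.Exception.Message)"
            continue
        }

        $missing = @($Grants | Where-Object { -not (Test-ProfileGrant $acl $_.Principal $_.Right) })
        if ($missing.Count -eq 0) { Write-Verbose "$($folder.Name): already compliant"; continue }
        foreach ($g in $missing) {
            Write-Host ("{0}: missing {1} for {2}" -f $folder.Name, $g.Right, $g.Principal)
        }
        if ($AuditOnly) { continue }

        $who = ($missing | ForEach-Object { $_.Principal }) -join ', '
        if ($PSCmdlet.ShouldProcess($folder.FullName, "grant access to $who")) {
            foreach ($g in $missing) {
                # AddAccessRule merges with existing ACEs for the identity;
                # SetAccessRule (used in the sample above) replaces them.
                $acl.AddAccessRule((New-InheritedAllowRule $g.Principal $g.Right))
            }
            try {
                Set-Acl -LiteralPath $folder.FullName -AclObject $acl -ErrorAction Stop
                # Read back and confirm the write took effect.
                $after = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
                foreach ($g in $missing) {
                    if (-not (Test-ProfileGrant $after $g.Principal $g.Right)) {
                        Write-Warning "Verification failed: $($folder.FullName) still lacks $($g.Right) for $($g.Principal)"
                    }
                }
            } catch {
                Write-Warning "Cannot write ACL on $($folder.FullName): $($_.Exception.Message)"
            }
        }
    }
}

# Audit first (reports only), then preview with -WhatIf, then apply.
Set-ProfileFolderGrants -Path $ProfileFolder -Grants $Grants -AuditOnly
Set-ProfileFolderGrants -Path $ProfileFolder -Grants $Grants -WhatIf
Set-ProfileFolderGrants -Path $ProfileFolder -Grants $Grants -Verbose
```

The audit pass is the useful part for day-to-day operations: run it from a scheduled task and it tells you which newly created profile folders still lack the Help Desk grant without touching anything, which is also a quick check that nobody has stripped the ACE.  Because Test-ProfileGrant only accepts explicit, inheritable Allow ACEs, a grant that was applied without inheritance (and so does not reach NTUSER.DAT and the rest of the profile) is reported as missing rather than silently accepted.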

Acknowledgements & Links

This script was based on Don Jones's blog post "Automate changes to Permissions".

Automate changes to Permissions
http://technet.microsoft.com/en-us/magazine/2008.02.powershell.aspx

Security Considerations when Configuring Roaming User Profiles
http://technet.microsoft.com/en-us/library/cc737633(v=WS.10).aspx

Roaming Profile Folders Do Not Allow Administrative Access
http://support.microsoft.com/kb/222043

FileSystemAccessRule Class (MSDN reference)
http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemaccessrule%28v=vs.110%29.aspx
