Fixing redirected My Docs permissions, using Powershell

2008 July 30 – 4:38 pm

For many of our customers we redirect a user’s My Documents to a directory of the same name, on a Windows share. For example, the user ‘JMcMuffin’ may have their My Docs redirected to “\\FILESERVER\Home\JMcMuffin\My Documents”, which is stored under the local path D:\Data\Users\JMcMuffin on FILESERVER. Obviously you can switch \\FILESERVER\Home for a DFS share, etc.

In some instances you might have a significant number of these, and for whatever reason the permissions may have been altered and the Group Policy defaults don’t quite suit your requirements. Or maybe you’re transferring these files to a new server, in a different domain. I can’t imagine you want to do the whole thing by hand.

In days of old we’d sort this with a batch script and it would be ok, but might take a while to run. Powershell has changed things though. The script we’ve popped together (below) runs lightning quick in comparison, and we thought someone else might also find it useful.

Just save it in a ps1 file, and invoke it from powershell, providing your directory path that you want to “fix”.

To use our example from above, you’d call the script on FILESERVER, from powershell:

PS C:\Users\Karl> C:\path\to\scripts\fix-perms.ps1 "D:\Data\Users"

The script then goes over each directory and tries to add the user of the same name to its ACL with Modify rights, i.e. the JMcMuffin user to the D:\Data\Users\JMcMuffin directory.

In our scenario we required only ourselves, another group, SYSTEM and each user to have access, so we pushed the common permissions from the parent, and then ran the script to add the individual users.

# Fix-Perms
# Iterates over all child directories, and adds the user, with the same name as the directory, to the ACL with modify rights
# Usage:
# Fix-Perms "C:\Path\To\Directory"
# Or, for the current directory
# Fix-Perms "."

# our parameters, throw a warning if we get none
param (
    [string] $dirpath = $(throw "Please specify the full path to the directory!")
)

# get list of all child directories, in the current directory
$directories = dir $dirpath | where {$_.PsIsContainer}

# iterate over the directories
foreach ($dir in $directories)
{
    # echo out what the full directory is that we're working on now
    write-host Working on $dir.fullname using $dir.name

    # setup the inheritance and propagation as we want it
    $inheritance = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [system.security.accesscontrol.PropagationFlags]"None"

    # get the existing ACLs for the directory
    $acl = get-acl $dir.fullname

    # add our user (with the same name as the directory) to have modify perms
    $aclrule = new-object System.Security.AccessControl.FileSystemAccessRule($dir.name, "Modify", $inheritance, $propagation, "Allow")

    # check if given user is Valid, this will barf if not
    $sid = $aclrule.IdentityReference.Translate([System.Security.Principal.securityidentifier])

    # add the ACL to the ACL rules
    $acl.AddAccessRule($aclrule)

    # set the acls
    set-acl -aclobject $acl -path $dir.fullname
}
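
An added example, not the original author's script: a variant of the loop above that checks what each directory name resolves to before granting Modify, because a folder that happens to be named after a group or built-in principal would otherwise put that principal on the ACL. The `-Domain` parameter, the blocked-SID list and the `-WhatIf` support are assumptions of this example, and it needs PowerShell 3.0 or later for `-LiteralPath` on `Get-Acl` and `Set-Acl`.

```powershell
# Added example, not the original fix-perms.ps1. Assumed: the -Domain parameter,
# the blocked-SID list, and -WhatIf support. Requires PowerShell 3.0 or later.
[CmdletBinding(SupportsShouldProcess = $true)]
param (
    [Parameter(Mandatory = $true)] [string] $DirPath,
    [Parameter(Mandatory = $true)] [string] $Domain   # NetBIOS domain name of the users
)

$inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]"None"

# Domain-relative default accounts and groups that a folder name must never map to
$blocked = "AccountDomainUsersSid", "AccountDomainAdminsSid", "AccountDomainGuestsSid",
           "AccountAdministratorSid", "AccountGuestSid", "AccountComputersSid"

$directories = Get-ChildItem -LiteralPath $DirPath | Where-Object { $_.PSIsContainer }
foreach ($dir in $directories) {
    # Resolve DOMAIN\<folder name> explicitly; skip folders with no matching account
    $account = New-Object System.Security.Principal.NTAccount($Domain, $dir.Name)
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch {
        Write-Warning "Skipping $($dir.FullName): cannot resolve $account"
        continue
    }

    # Well-known and BUILTIN principals (Everyone, Users, ...) have no account domain SID
    $isBlocked = $blocked | Where-Object { $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]$_) }
    if ($null -eq $sid.AccountDomainSid -or $isBlocked) {
        Write-Warning "Skipping $($dir.FullName): $account ($sid) is a built-in or default group/account"
        continue
    }
    # Limitation: a custom domain group sharing a folder's name still passes these checks,
    # so review the -WhatIf output before running for real.

    # Build the rule from the SID, so the ACE is tied to the account that was checked
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, "Modify", $inheritance, $propagation, "Allow"

    if ($PSCmdlet.ShouldProcess($dir.FullName, "Grant Modify to $account ($sid)")) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    }
}
```

Run it with `-WhatIf` first to list the grants it would make without changing any ACL.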

3 Responses to “Fixing redirected My Docs permissions, using Powershell”

  1. Hey, love your script. We had an issue where we ran chkdsk on our user share volume and it messed some of the permissions up. We now have the hotfix from here: http://support.microsoft.com/default.aspx?scid=kb;EN-US;831374

    I was wondering, in testing this, it looks like your script will do the job, however, after resetting the permissions at the home folder level, they don’t propagate down to the current files unless we go in and check the box to Replace All Existing Inheritable Permissions on all descendants with inheritable permissions from this object.

    Do you know of a way to do this with Powershell as part of your script? Any help would be great!

    By Jason Carter on Aug 12, 2008

  2. Do you know of a way, after resetting the home folders themselves, to go in and apply those permissions to all child objects? Pretty much the same as going in the advanced security tab and checking the box to “Replace All Existing Permissions on all Descendants with Inheritable Permissions from this Object”. Maybe even as part of the script? I can’t find a way to even work with this checkbox/property in Powershell.

    By Jason Carter on Aug 12, 2008

  3. Hi Jason,

    The bit you’re interested in is the $propagation variable. What you probably want is to alter it to something like this:
    $propagation = [system.security.accesscontrol.PropagationFlags]"InheritOnly"

    That should propagate all the way down for you then :) If you’re wondering what else you can set the propagation flags to, you can take a look at the following technet doc :)
    http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.propagationflags.aspx

    By Karl on Aug 26, 2008
