https://mypkb.wordpress.com/2008/12/29/ ... ts-folder/
How to restore Administrators’ access to redirected My Documents folders
Posted on December 29, 2008
If you followed Microsoft’s Best practices for Folder Redirection, you accepted the default settings and allowed the system to create the folders.
The problem is that by default, the Grant the user exclusive rights to My Documents check box is selected, with the following consequence (quote from the Technet library article about folder redirection):
If you select this check box, the user and the local system have full control over the folder, and no one else, not even the administrator, has any rights to it. If you clear this check box, no changes are made to the permissions on the folder. Whatever permissions are in effect by default remain in effect.
This means that if you already have a bunch of existing redirected My Documents folders set up that way and that you need to access them, you are out of luck. The only documented way to regain access to the folders is to take ownership of each individual folder and manually edit the permissions to give the Administrators group full control. I found a better way.
Note that if you are just setting up folder redirection and want to make sure that administrators will have access to the folders, follow the steps listed in the following article: Enabling the administrator to have access to redirected folders. For everybody else, read on.
The trick is to realize that the local system account has full control over the folder and that PsExec allows you to run commands using that account (using the -s switch). So, if the command in question happens to be a PowerShell script that gives full control to a group you belong to, the problem is solved!
Here is what you need to do:
1. Download and install PsExec and PowerShell. PowerShell needs to be installed on the computer (probably a server) hosting the redirected folders.
2. Edit the $StartingDir and $Principal variables in the following script to match your environment. $StartingDir should be the path to the shared folder that contains all your users’ redirected My Documents folders; $Principal is the name of the local user or local group that should be granted the permission. It has to be a local account because the script will be run using the local system account, which doesn’t know about domain accounts. We’ll add domain users and/or groups later (step 4).
#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write
$StartingDir= "C:\Users"
$Principal="Administrators"
$Permission="F"
$Verify=Read-Host `n "You are about to change permissions on all" `
    "files starting at"$StartingDir.ToUpper() `n "for security"`
    "principal"$Principal.ToUpper() `
    "with new right of"$Permission.ToUpper()"."`n `
    "Do you want to continue? [Y,N]"
if ($Verify -eq "Y") {
    foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
        #display filename and old permissions
        write-Host -foregroundcolor Yellow $file.FullName
        #uncomment if you want to see old permissions
        #CACLS $file.FullName
        #ADD new permission with CACLS
        #/E edits the existing ACL instead of replacing it; /P replaces any
        #existing entry for this principal with the new right
        CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL
        #display new permissions
        Write-Host -foregroundcolor Green "New Permissions"
        CACLS $file.FullName
    }
}
Note: This script is a simplified version of Don Jones’ script found here:
http://technet.microsoft.com/en-us/maga ... shell.aspx. Check it out for more options.
3. Now, we need to run the above script with PsExec under the local system account. Note that the command line shown will run PsExec on the current computer and that the -noexit switch will prevent PowerShell from closing when the script terminates, so you get a chance to read the output.
Here is what you need to type at the command prompt (changing the paths and file names to match your environment):
>psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1'"
The -i switch will make the PowerShell window visible on the Desktop. If you use Remote Desktop to connect to your server, make sure that you connect to the console or you won’t see any output.
4. Now that the local Administrators group has full control on all files and folders (and I am assuming that you are a member of the local Administrators group), you can run the script again as yourself (remove the -s switch) to give domain users and groups full control, using the domain\user or domain\group format for the $Principal variable.
5. Done!
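As an added example (not from the original post): an audit-and-fix script for the same situation. It reports which per-user folders under the share lack FullControl for a principal and, only with -Fix, adds a single inheritable ACE at each folder root instead of calling CACLS on every file. The names $StartingDir, $Principal and -Fix are assumptions; run it the same way as the post’s script (psexec -s) so SYSTEM can read the exclusive-rights ACLs.

```powershell
# Audit-RedirectedFolders.ps1 (added example, not the post's own script)
# Reports per-user folders under $StartingDir where $Principal lacks FullControl
# and, only when -Fix is given, adds ONE inheritable FullControl ACE at the
# folder root so it propagates to the files below. Parameter names are assumed.
param(
    [string]$StartingDir = "D:\Redirected",          # assumed share root
    [string]$Principal   = "BUILTIN\Administrators", # local group, as the post advises
    [switch]$Fix
)

$Full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$Prop    = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

# True when an explicit or inherited Allow ACE for $Who carries every FullControl bit.
function Test-HasFullControl {
    param([System.Security.AccessControl.DirectorySecurity]$Acl, [string]$Who)
    foreach ($ace in $Acl.Access) {
        if ($ace.IdentityReference.Value -eq $Who -and
            $ace.AccessControlType -eq $Allow -and
            (($ace.FileSystemRights -band $Full) -eq $Full)) { return $true }
    }
    return $false
}

# PSIsContainer rather than -Directory so this also runs on PowerShell 2.0.
foreach ($dir in Get-ChildItem -Path $StartingDir | Where-Object { $_.PSIsContainer }) {
    try {
        $acl = Get-Acl -Path $dir.FullName -ErrorAction Stop
    } catch {
        # This is what the "exclusive rights" setting looks like when you are not SYSTEM.
        Write-Host -ForegroundColor Red ("{0}: cannot read ACL ({1})" -f $dir.FullName, $_.Exception.Message)
        continue
    }
    if (Test-HasFullControl $acl $Principal) {
        Write-Host -ForegroundColor Green ("{0}: OK" -f $dir.FullName)
        continue
    }
    Write-Host -ForegroundColor Yellow ("{0}: {1} lacks FullControl" -f $dir.FullName, $Principal)
    if ($Fix) {
        $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                          -ArgumentList $Principal, $Full, $Inherit, $Prop, $Allow
        $acl.AddAccessRule($ace)
        Set-Acl -Path $dir.FullName -AclObject $acl
        Write-Host -ForegroundColor Green ("{0}: inheritable ACE added" -f $dir.FullName)
    }
}
```

Files or subfolders whose inheritance was broken will not pick up the new ACE; that case still needs the per-file pass of the post’s script.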
http://blogs.technet.com/b/danstolts/ar ... ected=true
PowerShell is an incredible tool that will allow you to run scripts or commands on your server. PowerShell is included with Windows Server 2008 R2 but it has to be added to Windows Server 2003. I recently had a customer who got their server (DC) infected with a virus and it was a huge problem to do anything to the box because when they logged in (with any user) the virus kicked in and prevented them from running anything. Remote Management was NOT enabled on the server so they were in big trouble. If they had PowerShell installed this monumental problem would have been nothing but an annoyance. So, take a bit of advice and install PowerShell on all your servers, just in case you ever need the power of PowerShell on your server you will have it available. You must be on Windows Server 2002 Service Pack 2 (SP2) in order to use PowerShell v2.
First you need to download and install “Windows Management Framework” (which gives you Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0). Details on this package as well as the download links can be found here:
http://support.microsoft.com/kb/968929
In this customer’s case they would have downloaded
Windows Management Framework Core (WinRM 2.0 and Windows PowerShell 2.0)
from:
Download the Windows Management Framework Core for Windows Server 2003 package now. (http://www.microsoft.com/downloads/deta ... 7f5f81407e)
Or if they had a 64bit OS …
Download the Windows Management Framework Core for Windows Server 2003 x64 Edition package now.
This will install as an OS Hotfix. When I did it on my 2003 server, it did not create an icon for the PowerShell.exe program.
I simply clicked Start-Run, typed in powershell <ENTER> and PowerShell launched. When I ran it the first time, PowerShell was automatically added to my frequently used programs, but if you are not so lucky, you can manually create an icon for it. The PowerShell executable is located at c:\windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
You will want to make sure that remote management and WMI are enabled on the server.
Start – Run – services.msc <ENTER>
Scroll down and find: Windows Management Instrumentation and Windows Remote Management (WS-Management) and make sure they are both started and set to run automatically.
Now, we need to enable remote sessions:
Open PowerShell on the Windows 2003 Server and run the command Enable-psRemoting.
Open PowerShell Window
Enable-psRemoting <ENTER>
Now you should be able to go to a different computer that has PowerShell enabled and test connecting to the 2003 machine. In my case I am connecting to the 2003 machine from a Windows 2008 R2 machine. From a 2008 R2 machine, open a PowerShell window and type in
If you have not run Enable-psRemoting on the 2008 R2 box, go ahead and do that while you are there. Let’s try the following from the 2008 machine to connect and remotely manage the 2003 machine.
Open PowerShell windows and type…
Enter-psSession MachineName <ENTER>
Any commands you want to run will now run on the remote machine (see screenshot).
To end your remote session, type
Exit-psSession <ENTER>
Finally, in PowerShell:
set-executionpolicy remotesigned
or
Set-ExecutionPolicy unrestricted