roaming profile permissions

Last year I started a new job at a company that had been overwhelmed with IT and not enough staff to handle it for several years. I have slowly been able to assist in getting everyone up to speed and many issues resolved. Right now I am looking at the roaming profiles and I see that pretty much everyone has full permissions to everyone else’s profile. This is obviously a security issue and I want to resolve it without taking 15 hours of manually changing the permissions and ownership of each folder.

I found the following link with the security recommendations for roaming profiles
http://technet.microsoft.com/en-us/library/cc757013(WS.10).aspx

and I found this link on how to set permissions for a specified group for those profiles.
http://social.technet.microsoft.com/wiki/contents/articles/12460.powershell-automate-roaming-profile-folder-permissions.aspx
It works great for assigning domain admins permissions but I need to do more:

  1. Assign ownership of each folder to the user it belongs to. I do not know how to take ownership via PowerShell, and if I did, how could I change the ownership using a wildcard that would put that user as the owner? As I understand scripting, using a wildcard like %username% would assign the permissions of the user running the script, not the user who needs ownership.

  2. Assign full permissions for the user of the profile

  3. Basically it needs to assign the permissions as described in the TechNet article listed above.

Any help and suggestions would be greatly appreciated.

hi,

In the good old days, we used a Resource Kit tool called subinacl.exe. That might be a solution, unless you want to embark on a P/Invoke snippet in PowerShell. See this thread from the Scripting Guy for more information:

how-can-i-use-windows-powershell-to-determine-the-owner-of-a-file

Cheers

Yeah, unfortunately PowerShell remains sucky for file permissions. Set-Acl works, but basically gets down to .NET Framework programming. And no, you can’t use wildcards ;). But you could certainly save time by looking at the folder name in order to look up the user’s SID in Active Directory, and then applying that as the owner/permission/whatever. The help for Set-Acl has some good examples.
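The approach described in the reply above (take the folder name, resolve the user in Active Directory, then apply that account as owner and as a Full Control entry) can be scripted with Get-Acl/Set-Acl and the .NET FileSystemAccessRule class. The following is an added example written for this thread; it is not code from the original posts or from the linked articles. It assumes the profile folders sit directly under the path passed as -ProfileRoot and are named after the user's sAMAccountName with an optional version suffix such as ".V2"; that the ActiveDirectory module is installed; and that the script runs elevated as an account holding the "Restore files and directories" privilege, which is what Windows requires to assign ownership to someone other than yourself. The admin group name is a placeholder you need to adjust, and the exact set of entries should be checked against the TechNet recommendations before running it without -WhatIf.

```powershell
# Added example, not from the original thread: rebuild owner and ACL on each roaming profile folder.
# Assumptions: folders under $ProfileRoot are named <sAMAccountName>[.V<n>]; the ActiveDirectory
# module is available; the caller is elevated and holds SeRestorePrivilege (needed to set owner
# to another principal). $AdminGroup is a placeholder value.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$ProfileRoot,                          # e.g. \\fileserver\Profiles$ (assumed path)
    [string]$AdminGroup = 'DOMAIN\Domain Admins'   # placeholder; set to your own admin group
)

Import-Module ActiveDirectory

# Full Control that applies to the folder itself, its subfolders and its files.
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propag   = [System.Security.AccessControl.PropagationFlags]::None
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$fullCtrl = [System.Security.AccessControl.FileSystemRights]::FullControl

function New-FullControlRule([string]$Identity) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $fullCtrl, $inherit, $propag, $allow)
}

foreach ($folder in Get-ChildItem -Path $ProfileRoot -Directory) {
    # Strip a version suffix such as ".V2" so "jsmith.V2" maps to the account "jsmith".
    $sam = $folder.Name -replace '\.V\d+$', ''

    # Look the user up by sAMAccountName; skip folders with no matching account (stale
    # profiles) instead of guessing, and report them so they can be reviewed.
    $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "No AD user matches folder '$($folder.Name)'; skipping."
        continue
    }

    # Translate the user's SID to a DOMAIN\user NTAccount; the ACE itself stores the SID,
    # so this survives a later rename of the account.
    $account = $user.SID.Translate([System.Security.Principal.NTAccount])

    $acl = Get-Acl -Path $folder.FullName
    # Stop inheriting from the share root and drop the inherited entries, so whatever
    # "everyone has Full Control" entries come from the parent no longer apply here.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove the existing explicit entries ...
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    # ... and replace them with: the profile's user, SYSTEM and the admin group, Full Control.
    $acl.AddAccessRule((New-FullControlRule $account.Value))
    $acl.AddAccessRule((New-FullControlRule 'NT AUTHORITY\SYSTEM'))
    $acl.AddAccessRule((New-FullControlRule $AdminGroup))
    # Owner comes from the AD lookup, not from whoever runs the script.
    $acl.SetOwner($account)

    if ($PSCmdlet.ShouldProcess($folder.FullName, "Set owner to $($account.Value) and rebuild ACL")) {
        Set-Acl -Path $folder.FullName -AclObject $acl
    }
}
```

Run it once with -WhatIf to see which folders would be changed and which ones have no matching account. The rebuilt entries are inheritable, so they flow down to subfolders and files when Set-Acl writes the top-level ACL; any child that already carries its own explicit entries keeps them, so check a few profiles afterwards (for example with Get-Acl on a nested folder) rather than assuming the whole tree was reset.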

There’s a really nice module for managing Security and Audit settings:
http://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85

Been using it for a while and I feel it offers much better granularity and control than subinacl, the built-in ACL-related cmdlets or 3rd-party tools like SetAcl.