Windows Server Homefolder Permission Fix

Here is another blog post by Mike Hosker and this time about home folder permissions.


Often in large Active Directory environments administrators will redirect users' data to a share on the network, commonly referred to as a homefolder. This data usually includes the user's Documents, Pictures, Music and Videos folders, and can also include Downloads and AppData, although redirecting those is less common because there is less need for that data to follow the user between workstations.

The method above is applied through Group Policy and is referred to as "folder redirection". Its main benefit is ease of backup of user data: instead of backing up every user's local C:\ drive, only the central server storing the homefolders needs to be backed up. It also lets users open their familiar Documents folder and save to it as normal, giving them access to their data on whichever workstation they are using.

All sounds great, right? Well, like with everything it is until it goes wrong!

By default, when a new user is created in AD with a homefolder they are assigned full permissions over that folder, and the folder inherits permissions from the root directory. But what happens when you change permissions on the root directory and that change overwrites every user's explicit permissions on their homefolder?

What do I mean by root directory? Say a user's homefolder was \\domain.lan\homefolders\staff\mhosker. The root directory would be \\domain.lan\homefolders\staff, and the mhosker directory below it would be inheriting permissions from it.

So what's the fix? Well, first let's work out what we need to do, and then script it.

Each user has a homefolder which contains their data, and they need read and write permissions over it. So we need a script that will iterate through each user folder and grant those permissions:

@echo off
setlocal
rem Root to process: the first argument if given, otherwise the current directory
set root=%~1
if "%root%"=="" set root=.
rem List every subdirectory of the root (/b bare names, /ad directories only);
rem tokens=* keeps folder names that contain spaces in one piece
for /F "tokens=*" %%i in ('dir "%root%" /b /ad') do call :UPERM "%%i"
endlocal
goto end

:UPERM
rem %~1 is the folder name without quotes; it is assumed to match the user's account name
set user=%~1
if /i "%user%"=="default" goto dflt
rem echo y answers cacls' "Are you sure" prompt; /T recurses into subfolders;
rem /G without /E REPLACES the existing ACL rather than adding to it
echo y|cacls "%user%" /T /G "%user%":C "YOURDOMAIN\Domain Admins":F SYSTEM:F
goto :eof

:dflt
rem The "default" template folder gets no per-user entry
echo y|cacls "%user%" /T /G "YOURDOMAIN\Domain Admins":F SYSTEM:F
goto :eof

:end

To run the above script, copy it into a text file and save it as a .bat file, then run the .bat file in the homefolder root directory. So if a user's homefolder was located at \\domain.lan\homefolders\staff\mhosker, you would copy the script to \\domain.lan\homefolders\staff and execute it there.
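The same fix written in PowerShell, as an added example that is not the script from this post. It makes the same assumptions the batch script does (each folder name is the user's account name, the "default" folder is a template that no user should own, and YOURDOMAIN is a placeholder for your NetBIOS domain name). Two things differ from the cacls version: an -Audit switch reports, without changing anything, any folder whose ACL carries an identity outside the expected set or is missing one of the expected explicit entries, and the repair step breaks inheritance from the root (without copying the inherited entries) so that a later change on the root cannot silently overwrite the per-user permissions again. The path and switch names are this example's own.

```powershell
# Added example (not the blog post's script): reset per-user ACLs on a homefolder root.
# Assumptions: folder name == account name, $Domain is a placeholder, "default" is a template folder.
param(
    [Parameter(Mandatory)] [string] $Root,   # e.g. \\domain.lan\homefolders\staff
    [string] $Domain = 'YOURDOMAIN',         # placeholder: replace with your NetBIOS domain name
    [switch] $Audit                          # report only, change nothing
)

$inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# Build an Allow ACE that applies to the folder, its subfolders and its files
function New-Ace([string] $Identity, [System.Security.AccessControl.FileSystemRights] $Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, $propagate, $allow)
}

foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    # The set of identities that should be on every homefolder, and nothing else
    $expected = @{
        "$Domain\Domain Admins" = 'FullControl'
        'NT AUTHORITY\SYSTEM'   = 'FullControl'
    }
    # Modify is the equivalent of the cacls "C" (Change) right; the template folder gets no user entry
    if ($dir.Name -ne 'default') { $expected["$Domain\$($dir.Name)"] = 'Modify' }

    $acl = Get-Acl -LiteralPath $dir.FullName

    if ($Audit) {
        # Any identity not in the expected set is a finding, whether explicit or inherited from the root
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if (-not $expected.ContainsKey($id)) {
                Write-Output "$($dir.FullName): unexpected ACE for $id ($($ace.FileSystemRights), inherited=$($ace.IsInherited))"
            }
        }
        # A user whose only rights are inherited has already lost their explicit entry
        foreach ($id in $expected.Keys) {
            $explicit = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $id -and -not $_.IsInherited }
            if (-not $explicit) { Write-Output "$($dir.FullName): missing explicit ACE for $id" }
        }
        continue
    }

    # Stop inheriting from the root and drop the inherited entries, then clear whatever
    # explicit entries remain so the result contains exactly the expected set
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited) { $null = $acl.RemoveAccessRule($ace) }
    }
    foreach ($id in $expected.Keys) {
        $acl.AddAccessRule((New-Ace $id $expected[$id]))
    }
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    Write-Output "Reset ACL on $($dir.FullName)"
}
```

Run it once with -Audit (for example `.\Reset-HomeFolderAcl.ps1 -Root \\domain.lan\homefolders\staff -Audit`) from an account that holds Full Control on the share, read the findings, and only then run it again without the switch. Because the repair replaces the ACL in the same way cacls /G does, any extra entries an individual user had been given deliberately will need to be re-added afterwards.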

A handy script to save to your toolbox that could save you hours of time!