SBS 2008 Folder Redirection Policy – Permissions?

By default, the users' redirected folders on the server are created with the group policy setting “Grant the user exclusive rights to the folder” enabled, meaning that not even the Administrators group has access to them!

Best practice dictates that you should turn this policy off before creating users. However, if the server is already commissioned or you’ve forgotten about this little gem of a policy, you’ll need to follow the procedure below to disable it!

Simply unticking the option will not do the job. The policy and permissions are already set.

  1. Fire up GP Management.
  2. Browse to My Business > Users > SBSUsers > Small Business Server Folder Redirection Policy.
  3. Right click > Edit
  4. Browse to User Configuration > Policies > Windows Settings > Folder Redirection
  5. Right click each of the folders you are redirecting and go to the Settings tab
  6. Untick Grant users exclusive rights to this folder

Next you will have to forcibly change the permissions of each of the folders:

1. Download and install PsExec and PowerShell. PowerShell needs to be installed on the computer (probably a server) hosting the redirected folders.

2. Edit the $StartingDir and $Principal variables in the following script to match your environment. $StartingDir should be the path to the shared folder that contains all your users' redirected My Documents folders; $Principal is the name of the local user or local group that should be granted the permission. It has to be a local account because the script will be run using the local system account, which doesn’t know about domain accounts. We can add domain users etc. later.

#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

# Root of the share that holds the users' redirected folders
$StartingDir = "C:\Users"

# Local user or local group that is granted the permission
$Principal = "Administrators"

$Permission = "F"

# Ask for confirmation before any ACL is touched
$Prompt = "`nYou are about to change permissions on all files starting at {0}`n" +
          "for security principal {1} with new right of {2}.`n" +
          "Do you want to continue? [Y,N]"
$Verify = Read-Host ($Prompt -f $StartingDir.ToUpper(), $Principal.ToUpper(), $Permission.ToUpper())

if ($Verify -eq "Y") {

    foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
        #display filename and old permissions
        Write-Host -foregroundcolor Yellow $file.FullName
        #uncomment if you want to see old permissions
        #CACLS $file.FullName

        #ADD new permission with CACLS (/E edits the existing ACL instead of replacing it)
        CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL

        #display new permissions
        Write-Host -foregroundcolor Green "New Permissions"
        CACLS $file.FullName
    }
}

3. Now we need to run the above script with PsExec under the local system account. Note that the command line shown will run PsExec on the current computer, and that the -noexit switch will prevent PowerShell from closing when the script terminates, so you get a chance to read the output.

Here is what you need to type at the command prompt (changing the paths and file names to match your environment):

>psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1'"

The -i switch will make the PowerShell window visible on the Desktop. If you use Remote Desktop to connect to your server, make sure that you connect to the console or you won’t see any output.

The local Administrators group will now have access to the folders. You can now add/change permissions as you see fit (providing you have local admin rights!!!)
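
To confirm the change took effect everywhere, the following read-only check lists every item under $StartingDir that still lacks an allow Full Control entry for the local Administrators group. It is an added example, not part of the original procedure; the file name AuditPermissions.ps1, the function name Test-AdminFullControl and the use of the well-known SID S-1-5-32-544 in place of the $Principal name are choices made here.

```powershell
# AuditPermissions.ps1 (added example, read-only: it changes no ACLs)
$StartingDir = "C:\Users"      # same root as ChangePermissions.ps1
$AdminSid    = "S-1-5-32-544"  # well-known SID of the local Administrators group
$Full        = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$GenericAll  = 0x10000000      # raw GENERIC_ALL bit, which some tools write instead
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-AdminFullControl([string]$Path) {
    # Returns OK, MISSING or UNREADABLE for one file or folder
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if ($acl -eq $null) { return "UNREADABLE" }

    # Ask for SIDs rather than names so the check does not depend on locale
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -ne $AdminSid) { continue }
        if ($rule.AccessControlType -ne "Allow") { continue }
        # An inherit-only entry applies to children, not to this item
        if ($rule.PropagationFlags -band $InheritOnly) { continue }

        $mask = [int]$rule.FileSystemRights
        if ((($mask -band $Full) -eq $Full) -or ($mask -band $GenericAll)) {
            return "OK"
        }
    }
    return "MISSING"
}

$counts = @{ OK = 0; MISSING = 0; UNREADABLE = 0 }
foreach ($item in $(Get-ChildItem $StartingDir -Recurse -Force)) {
    $state = Test-AdminFullControl $item.FullName
    $counts[$state]++
    # Only items that still need attention are printed
    if ($state -ne "OK") {
        Write-Host -ForegroundColor Red "$state  $($item.FullName)"
    }
}
Write-Host ("OK: {0}  MISSING: {1}  UNREADABLE: {2}" -f `
    $counts.OK, $counts.MISSING, $counts.UNREADABLE)
```

For a baseline before the change, run it the same way as ChangePermissions.ps1, through PsExec under the local system account.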