Fixing redirected My Docs ACLs, using PowerShell

For many of our customers we redirect a user’s My Documents to a directory of the same name on a Windows share. For example, the user ‘JMcCockFaceTheIII’ * may have their My Docs redirected to “\\FILESERVER\Home\JMcCockFaceTheIII\My Documents”, which is stored under the local path D:\Data\Users\JMcCockFaceTheIII on FILESERVER. Obviously you can switch \\FILESERVER\Home for a DFS share, etc.

In some instances you might have a significant number of these directories, and for whatever reason the permissions may have been altered, or the Group Policy defaults don’t quite suit your requirements.

In days of old we’d sort this with a batch script and it would be OK, but might take a while to run. PowerShell has changed things though. The script we’ve popped together (below) runs lightning quick in comparison, and we thought someone else might also find it useful.

Just save it in a .ps1 file and invoke it from PowerShell, providing the directory path that you want to “fix”.

To use our example from above, you’d call the script on FILESERVER, from PowerShell:

PS C:\Users\Karl> C:\path\to\scripts\fix-perms.ps1 "D:\Data\Users"

The script would then go over each child directory and try to add the user of the same name to its ACL with Modify rights, i.e. the JMcCockFaceTheIII user to the D:\Data\Users\JMcCockFaceTheIII directory.

In our scenario we required only ourselves, a specific group, SYSTEM and each user to have access, so we pushed the common permissions from the parent and then ran the script to add the individual users.

```powershell
# Fix-Perms
# Iterates over all child directories, and adds the user, with the same name as the directory, to the ACL with modify rights
# Usage:
#   Fix-Perms "C:\Path\To\Directory"
# Or, for the current directory
#   Fix-Perms "."

# our parameters, throw a warning if we get none
param (
    [string] $dirpath = $(throw "Please specify the full path to the directory!")
)

# get list of all child directories, in the current directory
$directories = dir $dirpath | where {$_.PsIsContainer}

# iterate over the directories
foreach ($dir in $directories)
{
    # echo out what the full directory is that we're working on now
    write-host Working on $dir.fullname using $dir.name

    # setup the inheritance and propagation as we want it
    $inheritance = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [system.security.accesscontrol.PropagationFlags]"None"

    # get the existing ACLs for the directory
    $acl = get-acl $dir.fullname

    # add our user (with the same name as the directory) to have modify perms
    $aclrule = new-object System.Security.AccessControl.FileSystemAccessRule($dir.name, "Modify", $inheritance, $propagation, "Allow")

    # check if given user is Valid, this will barf if not
    $sid = $aclrule.IdentityReference.Translate([System.Security.Principal.securityidentifier])

    # add the ACL to the ACL rules
    $acl.AddAccessRule($aclrule)

    # set the acls
    set-acl -aclobject $acl -path $dir.fullname
}
```

There’s no warranty on this, so use and test at your own risk - I can tell you it works in our scenario, however.
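To check the result against the "ourselves, a specific group, SYSTEM and each user only" requirement described above, a read-only audit can be run over the same parent directory. This is an added example, not part of the original script; the name Audit-HomeDirAcls, the `$Expected` allow-list defaults and the use of PowerShell 3.0 or later (for `Get-Acl -LiteralPath`) are assumptions.

```powershell
# Audit-HomeDirAcls (added example, not part of the original Fix-Perms script)
# Reports, per child directory, whether the same-named user holds Modify and
# which identities appear on the ACL outside an expected allow-list.
# Makes no changes; it only reads ACLs.
param (
    [Parameter(Mandatory = $true)] [string] $DirPath,
    # Assumption: identities expected on every home directory; add your own group here
    [string[]] $Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify

# Resolve the allow-list to SIDs once, so comparisons do not depend on name format
$expectedSids = foreach ($name in $Expected) {
    (New-Object System.Security.Principal.NTAccount($name)).Translate($sidType).Value
}

foreach ($dir in Get-ChildItem -LiteralPath $DirPath | Where-Object { $_.PSIsContainer }) {
    # Resolve the directory name to an account; failure means no such user exists
    $userSid = $null
    try {
        $userSid = (New-Object System.Security.Principal.NTAccount($dir.Name)).Translate($sidType).Value
    } catch {
        # leave $userSid as $null; reported below as UserResolved = False
    }

    # Explicit and inherited ACEs, with identities returned as SIDs
    # (orphaned SIDs from deleted accounts are returned too)
    $rules = (Get-Acl -LiteralPath $dir.FullName).GetAccessRules($true, $true, $sidType)

    $userHasModify = $false
    $unexpected = @()
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($sid -eq $userSid) {
            $isAllow = $rule.AccessControlType -eq 'Allow'
            if ($isAllow -and ($rule.FileSystemRights -band $modify) -eq $modify) { $userHasModify = $true }
        } elseif ($expectedSids -notcontains $sid) {
            $unexpected += $sid
        }
    }

    New-Object PSObject -Property @{
        Directory     = $dir.FullName
        UserResolved  = [bool]$userSid
        UserHasModify = $userHasModify
        Unexpected    = ($unexpected | Select-Object -Unique) -join ', '
    }
}
```

Directories with `UserResolved` false have no matching account, and anything listed under `Unexpected` (shown as SIDs) is an identity the allow-list does not cover.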