Correctly Configure Microsoft Redirected Folder Permissions
Updated: Nov 2, 2020
This script configures NTFS permissions on your Microsoft redirected folders based on Microsoft's best practice. Below are the permissions recommended by Microsoft.
NTFS Permissions for the Root Folder
Creator Owner - Full control, sub-folders and files only.
Administrator - None (The script will give you an option to modify this to allow full NTFS permissions for administrators).
Security group of users that will be using folder redirection - List folder / read data, create folders / append data, this folder only.
Local system - Full control, this folder, sub-folders and files.
NTFS Permissions for the Users' Redirected Folders
%username% - Full control, owner of folder.
Local system - Full control.
Administrators - None (The script will give you an option to modify this to allow full NTFS permissions for administrators).
Reset NTFS permissions on all Microsoft redirected folders based on Microsoft's best practices.
Add administrative access to Microsoft redirected folders.
Script Prerequisites / Read Me
Before doing anything, backup your data.
Test the script in your environment and verify the results prior to running this script on your production data.
Takeown.exe is required as part of the script. This will most likely already be on the system, but make sure.
The domain name of the domain you will be running this script in (e.g. domain.com).
A UNC path to the redirected folders root (e.g. \\server\redirfolders).
An Active Directory administrative security group. This group is used as part of the process to reset permissions as well as if you want to have administrative access, this group will be left, otherwise it will be removed once the permissions are set.
PowerShell run with administrative rights.
The user that will be launching this script to be part of the administrative group mentioned above.
For better performance, disable antivirus when running this script.
Make sure to disable any replication that may be setup for this data while you run this script (please note, if you are using DFSR, this will cause the algorigthm used by DFSR to see the files and folders as updated and copy according to your DFSR configuration).
Do not run this script while users are accessing the system.
Did I mention to backup prior to running the script.
When running the script against the test data, make note of the amount of data as well as how long the script took to process the data to help make a calculation of how long the script will take on your production data.
Run this script at your own risk. But, don’t be too scared as I have run this in many production environments with no issues.
Script How To
Download and place it in a directory of your choosing. It is recommended to run this on the same server as where the files reside.
Open PowerShell as an administrator.
Since this is really a PowerShell function, you need to add the function to your PowerShell session with the following dot sourcing. Use the following without the quotes “. ./set-redirectedfolderpermissions.ps1”
Once you dot source the script which now adds the function to use in your PowerShell session, to run the function type set-redirectedfolderpermissions.
You will be prompted for the information mentioned above in the requirements.
DomainName – Enter the domain name (e.g. domain.local).
RootProfileUNCDir – Enter the UNC path to the root folder (e.g. \\server\redirfolders).
AdminGroup – Enter the admin group that will be used to set the appropriate permissions as well as which group you want to assign administrative rights to the users folders (e.g. Domain Admins).
UserGroup – Enter the user group that uses redirected folders (e.g. Domain Users).
GiveAdminAccess – Specified in either Y or N to allow the administrators group access to users folders (e.g. Y).
GiveLocalAdminAccess – Specified in either Y or N to allow local administrators rights to users folders (e.g. N).
After you enter the above information, you will be asked to confirm if everything is correct, use Y or N to confirm.
The script will run, and depending on the amount of data, it might run for a long time. You will see output in the PowerShell screen of what is happening.
In some instances, the script might have to run a couple of times to get everything set correctly.