Whether it’s setting up redirected profile or home folders for Active Directory user accounts, folders for VMware View Persona Management, or Citrix UPM, I find it somewhat cumbersome to manually configure the folders through a series of mouse clicks, so I have long been meaning to figure out how to automate the process with regular command prompt commands. Having set up another home drive folder for another client today, I finally went ahead and looked up the commands that enabled me to automate the task.
Step #1 – Create folder
The first step in the process is to create the actual folder that will be storing the profiles or home folders on the drive of your choice:
Step #2 – Share out folder
The second step is to share out the folder with the following command:
net share Profiles$=E:\Profiles /grant:everyone,full
Note that whether you create the share as a hidden share (the trailing $ in the share name) or not is up to you, as it is not mandatory.
Step #3 – Remove inheritance and inherited permissions
Remove the "Include inheritable permissions from this object’s parent" setting and the inherited permissions on the folder with the following command:
icacls E:\Profiles /inheritance:r
Note that I’ve come across situations where the command above would remove all the users and times where it would leave an administrator account as such:
Don’t worry about the leftover account as we’ll fix that in the following steps.
Step #4 – Configure NTFS permissions
The final step is to assign the appropriate permissions to the following accounts as per the following TechNet blog post: http://blogs.technet.com/b/migreene/archive/2008/03/24/3019467.aspx
- Everyone
- Domain Admins
- System
- Creator Owner
The permissions for the accounts above can be set with the following commands:
icacls E:\Profiles /grant Everyone:(NP)(AD,RD,RA,X)
icacls E:\Profiles /grant "Domain Admins":(OI)(CI)F
icacls E:\Profiles /grant System:(OI)(CI)F
icacls E:\Profiles /grant "CREATOR OWNER":(OI)(CI)F
icacls E:\Profiles /remove administrators
Note that the last line is to remove the administrators permission that was left over from step #3. Whether this is included isn’t particularly important but I’m removing it for cosmetic reasons.
With the commands successfully executed as shown above, the permissions on the profiles folder should look like the following:
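The same result can be checked from PowerShell rather than read off the Security tab. The script below is an added example, not part of the original post; it assumes the E:\Profiles path used above and identifies the accounts by their well-known SIDs (Domain Admins by RID 512).

```powershell
# Added example (not from the original post): audit the ACL left by steps 3 and 4.
# Assumption: the folder is E:\Profiles, as in the post; pass -Path to check another one.
param([string]$Path = 'E:\Profiles')

$R      = [System.Security.AccessControl.FileSystemRights]
$acl    = Get-Acl -LiteralPath $Path
# Explicit and inherited ACEs, with identities returned as SIDs so localized names do not matter.
$rules  = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$issues = @()

# Step 3: inheritance must be disabled and no inherited ACEs may remain.
if (-not $acl.AreAccessRulesProtected) { $issues += 'Inheritance is still enabled' }
if ($rules | Where-Object IsInherited) { $issues += 'Inherited ACEs are still present' }

# Step 4, Everyone (S-1-1-0): nothing beyond RD, AD, RA, X (Synchronize tolerated),
# and the ACE must apply to this folder only.
$allowed = [int]($R::ReadData -bor $R::AppendData -bor $R::ReadAttributes -bor
                 $R::ExecuteFile -bor $R::Synchronize)
foreach ($r in $rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and $_.AccessControlType -eq 'Allow' }) {
    $extra = [int]$r.FileSystemRights -band (-bnot $allowed)
    if ($extra) { $issues += "Everyone has extra rights: $($extra -as $R)" }
    if ([int]$r.InheritanceFlags -ne 0) { $issues += 'Everyone ACE is inherited by children' }
}

# Step 4, full control with (OI)(CI) for System, Creator Owner and Domain Admins.
$full = @{ 'SYSTEM' = '^S-1-5-18$'; 'CREATOR OWNER' = '^S-1-3-0$'
           'Domain Admins' = '^S-1-5-21-.+-512$' }
$genericAll = 0x10000000   # CREATOR OWNER ACEs may be stored as GENERIC_ALL
foreach ($name in $full.Keys) {
    $ok = $rules | Where-Object {
        $_.IdentityReference.Value -match $full[$name] -and
        $_.AccessControlType -eq 'Allow' -and
        [int]$_.InheritanceFlags -eq 3 -and          # ContainerInherit (1) + ObjectInherit (2)
        ((([int]$_.FileSystemRights -band [int]$R::FullControl) -eq [int]$R::FullControl) -or
         ([int]$_.FileSystemRights -band $genericAll))
    }
    if (-not $ok) { $issues += "$name is missing (OI)(CI) full control" }
}

if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "OK: $Path matches the permissions from steps 3 and 4"
```

Run it as an account that can read the folder's permissions, such as a member of Domain Admins.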
------------------------------------------------------------------------------------------------------------------------------------------------------------------
For those who just want the commands listed out, here they are:
net share Profiles$=E:\Profiles /grant:everyone,full
icacls E:\Profiles /inheritance:r
icacls E:\Profiles /grant Everyone:(NP)(AD,RD,RA,X)
icacls E:\Profiles /grant "Domain Admins":(OI)(CI)F
icacls E:\Profiles /grant System:(OI)(CI)F
icacls E:\Profiles /grant "CREATOR OWNER":(OI)(CI)F
icacls E:\Profiles /remove administrators
Hope this helps anyone looking to save some time when creating these profile folders.
4 comments:
A special thanks for this informative post. I definitely learned new stuff here I wasn't aware of!
Thanks. Any idea why the subfolders in this setup that are created by XA/XD 7.5 and 7.6 do not inherit permissions? For example if John Doe has a folder on the share, Citrix creates an additional "John Doe" subfolder that the domain admins cannot access. This leads to an inability to delete corrupted profiles.
We can automate this more by putting the commands in a batch file, then it's one button click. Great post though.
Excellent Terrence !!!!! Thanks a lot for your help. This information made my life easy...