Tuesday, November 6, 2012

Setting Share and NTFS permissions for redirected profile and home folders with commands

Whether it’s setting up redirected profile or home folders for Active Directory user accounts, folders for VMware View Persona management, or Citrix UPM, I find it somewhat cumbersome to manually configure the folders through a series of mouse clicks, so I have long been meaning to figure out how to automate the process with regular command prompt commands. Having set up another home drive folder for another client today, I finally went ahead and looked up the commands that enabled me to automate the task.

Step #1 – Create folder

The first step in the process is to create the actual folder that will be storing the profiles or home folders on the drive of your choice:


Step #2 – Share out folder

The second step is to share out the folder with the following command:

net share Profiles$=E:\Profiles /grant:everyone,full


**Note that whether you create the share as a hidden share or not is up to you as it is not mandatory.

Step #3 – Remove inheritance and inherited permissions

Remove the "Include inheritable permissions from this object’s parent" setting, along with the inherited permissions, on the folder with the following command:

icacls E:\Profiles /inheritance:r


Note that I’ve come across situations where the command above would remove all the users, and times where it would leave an administrator account behind.

Don’t worry about the leftover account as we’ll fix that in the following steps.

Step #4 – Configure NTFS permissions

The final step is to assign the appropriate permissions to the following accounts as per the following TechNet blog post: http://blogs.technet.com/b/migreene/archive/2008/03/24/3019467.aspx

  • Everyone
  • Domain Admins
  • System
  • Creator Owner

The permissions for the accounts above can be set with the following commands:

icacls E:\Profiles /grant Everyone:(NP)(AD,RD,RA,X)

icacls E:\Profiles /grant "Domain Admins":(OI)(CI)F

icacls E:\Profiles /grant System:(OI)(CI)F

icacls E:\Profiles /grant "CREATOR OWNER":(OI)(CI)F

icacls E:\Profiles /remove administrators

Note that the last line is to remove the administrators permission that was left over from step #3.  Whether this is included isn’t particularly important but I’m removing it for cosmetic reasons.


With the commands successfully executed, the permissions on the profiles folder should match what was granted above: Everyone restricted to this folder only, and Domain Admins, System and Creator Owner with Full control inherited by subfolders and files.
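As an added example (not part of the original post), the PowerShell script below audits the folder after the commands have run. The share grants Everyone full control, so the NTFS ACL is what actually restricts access; the script matches well-known SIDs instead of account names, and its -Path default simply reuses the post's E:\Profiles.

```powershell
# Added example: audit the ACL left on the profile root by the icacls commands.
# E:\Profiles is the post's path; pass -Path for your own server.
param([string]$Path = 'E:\Profiles')

$acl      = Get-Acl -LiteralPath $Path
$findings = @()

# Step #3: inheritance must be switched off, with no inherited ACEs left over.
if (-not $acl.AreAccessRulesProtected) { $findings += 'Inheritance is still enabled' }

# Resolve to SIDs so the checks do not depend on localized account names.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
if ($rules | Where-Object { $_.IsInherited }) { $findings += 'Inherited ACEs are still present' }

# Step #4: Everyone (S-1-1-0) may hold AD,RD,RA,X plus Synchronize, this folder only.
$allowed = [System.Security.AccessControl.FileSystemRights]'ReadData, AppendData, ReadAttributes, ExecuteFile, Synchronize'
$everyone = $rules | Where-Object {
    $_.IdentityReference.Value -eq 'S-1-1-0' -and $_.AccessControlType -eq 'Allow'
}
foreach ($r in $everyone) {
    $extra = [int]$r.FileSystemRights -band (-bnot [int]$allowed)
    if ($extra -ne 0) {
        $findings += "Everyone holds extra rights: $([System.Security.AccessControl.FileSystemRights]$extra)"
    }
    if ($r.InheritanceFlags -ne 'None') { $findings += 'Everyone ACE propagates to subfolders or files' }
}

# Domain Admins (RID 512), SYSTEM and CREATOR OWNER need an Allow ACE that
# reaches subfolders and files, matching the (OI)(CI) grants.
$expected = @{
    'Domain Admins' = '^S-1-5-21-.+-512$'
    'SYSTEM'        = '^S-1-5-18$'
    'CREATOR OWNER' = '^S-1-3-0$'
}
foreach ($name in $expected.Keys) {
    $hit = $rules | Where-Object {
        $_.IdentityReference.Value -match $expected[$name] -and
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit'
    }
    if (-not $hit) { $findings += "No inheritable Allow ACE for $name" }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "$Path matches the expected ACL" }
```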

------------------------------------------------------------------------------------------------------------------------------------------------------------------

For those who just want the commands listed out, here it is:

net share Profiles$=E:\Profiles /grant:everyone,full

icacls E:\Profiles /inheritance:r

icacls E:\Profiles /grant Everyone:(NP)(AD,RD,RA,X)

icacls E:\Profiles /grant "Domain Admins":(OI)(CI)F

icacls E:\Profiles /grant System:(OI)(CI)F

icacls E:\Profiles /grant "CREATOR OWNER":(OI)(CI)F

icacls E:\Profiles /remove administrators

Hope this helps anyone looking to save some time when creating these profile folders.

4 comments:

digital signature PDF said...

A special thanks for this informative post. I definitely learned new stuff here I wasn't aware of !

Daniel Chang said...

Thanks. Any idea why the subfolders in this setup that are created by XA/XD 7.5 and 7.6 do not inherit permissions? For example if John Doe has a folder on the share, Citrix creates an additional "John Doe" subfolder that the domain admins cannot access. This leads to an inability to delete corrupted profiles.

Anonymous said...

We can automate this more by putting the commands in a batch file, then it's one button click.. great post though

kesavapani said...

Excellent Terrence !!!!! Thanks a lot for your help. This information made my life easy...