[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Getting access to the My Documents redirected folders - THE OFFICIAL BLOG OF THE SBS DIVA
Sun, Feb 28 2010 9:14 bradley

Getting access to the My Documents redirected folders

When you use redirected folders in SBS (or on any Windows server), by default (unless you uncheck the box) access is limited to only the user who owns the folder.  So if you are the admin, you are prompted with an "I'm sorry, Hal, I won't let you do this". Now, you can click through the prompt or take ownership of the folders, but you might want to do it the way Gerhard wanted to.

 Using this blog post as a guide  --

How to restore Administrators’ access to redirected My Documents folders « My PKB:
http://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/

The first thing you do is download PsExec from the PsTools suite.  You don't have to download PowerShell as it's already on the box.

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Copy the script below and change two things:

$StartingDir= "E:\Users\shares"

The location of the redirected shares

$Principal="INSERT_DOMAIN_NAME\INSERT_ADMIN_SBS"

The name and domain of the Domain admin account you want to give rights to.

Now save the file as permissions.ps1 (that's a number 1 not a L by the way)

So download the PsExec and extract it on the box.  Then here's the trick you have to remember.  Right mouse click on the command line icon and "run as administrator"

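Now, in that command window, type the following to run the script, pointing the path at wherever you saved the .ps1 file. PsExec's -s switch runs PowerShell under the Local System account and -i makes the session interactive: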

psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1'"

And then the permissions/ownership will be changed.

And now you won't get the "I'm sorry I won't let you do that" when clicking on the folders.

Proactively you can change the group policy setting to not be as restrictive.

Right mouse click and edit

Under the SBS folder redirect policy, drill down under User Configuration, then Policies, then Windows Settings, then Folder Redirection.

And then uncheck the "Grant the user exclusive rights to the Desktop" box.

 

The permission script is below:

====copy from here ====

#ChangePermissions.ps1
# Gives $Principal the $Permission right on every file and folder
# found below $StartingDir.
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

# The location of the redirected shares
$StartingDir = "E:\Users\shares"

# The domain and name of the admin account you want to give rights to
$Principal = "INSERT_DOMAIN_NAME\INSERT_ADMIN_SBS"

$Permission = "F"

# Ask for confirmation before changing anything
$Prompt = "`nYou are about to change permissions on all files starting at " +
    "$($StartingDir.ToUpper())`nfor security principal $($Principal.ToUpper()) " +
    "with new right of $($Permission.ToUpper()).`nDo you want to continue? [Y,N]"
$Verify = Read-Host $Prompt

if ($Verify -eq "Y") {

    foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
        #display filename and old permissions
        Write-Host -foregroundcolor Yellow $file.FullName
        #uncomment if you want to see old permissions
        #CACLS $file.FullName

        #ADD new permission with CACLS
        # /E edits the existing ACL instead of replacing it,
        # /P sets the access right for the named principal
        CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL

        #display new permissions
        Write-Host -foregroundcolor Green "New Permissions"
        CACLS $file.FullName
    }
}

===== to here======
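
To check the result without changing anything, a read-only audit can list the folders where the admin account still has no Full Control entry. This is an added example, not part of the original post or the script it was based on; the function name Test-PrincipalFullControl is hypothetical, and $StartingDir and $Principal are the same placeholders used in the script above.

```powershell
# AuditPermissions.ps1 (added example, read-only: it changes no ACLs)
# Assumed placeholders, same as in ChangePermissions.ps1
$StartingDir = "E:\Users\shares"
$Principal   = "INSERT_DOMAIN_NAME\INSERT_ADMIN_SBS"

# Hypothetical helper: does $Principal hold an explicit or inherited
# Allow/FullControl entry on $Path? Access through group membership
# is not resolved; only entries naming $Principal itself are matched.
function Test-PrincipalFullControl {
    param([string] $Path, [string] $Principal)

    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    }
    catch {
        # If the ACL cannot even be read, the folder is still locked down
        return New-Object PSObject -Property @{
            Path = $Path; Owner = ''; FullControl = $false
            Note = $_.Exception.Message
        }
    }

    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $full) -eq $full
    }

    New-Object PSObject -Property @{
        Path = $Path; Owner = $acl.Owner; FullControl = [bool]$match
        Note = ''
    }
}

# Walk every folder under the share; folders that cannot be listed are
# skipped by Get-ChildItem but are still reported themselves.
Get-ChildItem $StartingDir -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Test-PrincipalFullControl -Path $_.FullName -Principal $Principal } |
    Where-Object { -not $_.FullControl } |
    Format-Table Path, Owner, Note -AutoSize
```

An empty table means every folder carries a Full Control entry for the account; any rows left are the folders where the change did not apply.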

# re: Getting access to the My Documents redirected folders

Monday, March 01, 2010 1:16 PM by Evan Anderson

The "Grant the user exclusive rights to ..." (and the behaviour of "Active Directory Users and Computers" and even the old "User Manager for Domains" when it comes to creating legacy home directories) has perplexed me. Why would *any* administrator want their permission hierarchy to get mangled up, automatically, by the OS? Further, having a world-writable directory where users' redirected folders will be created "automatically" seems like a gigantic security risk to me.

I've always unticked the "Grant the user exclusive rights to ..." boxes, and pre-created the user's redirected folders during the account provisioning process, adding the user to the permissions on each folder. I do the same thing w/ roaming user profile folders, too. (Though, with roaming user profile folders, be sure and enable the Group Policy option "Do not check for user ownership of Roaming Profile Folders" to counteract that silly functionality that Microsoft slipped into W2K SP4 and WXP SP1.)

# re: Getting access to the My Documents redirected folders

Tuesday, March 02, 2010 3:30 PM by Gerhard

Looks good...I will try next time I run into this problem again

# re: Getting access to the My Documents redirected folders

Tuesday, March 02, 2010 4:57 PM by Gerhard

btw...once "Grant the user exclusive rights to the Desktop" is enabled on the GPO, disabling it will not get the admin access. I tried it again. Unless restarting the server would make a difference

# re: Getting access to the My Documents redirected folders

Tuesday, March 02, 2010 5:03 PM by bradley

First off do a gpforce /all, then this takes effect for new redirects, not existing; you still need to do this script.

# re: Getting access to the My Documents redirected folders

Tuesday, March 02, 2010 6:17 PM by Gerhard

Ok. Will try the script again

# re: Getting access to the My Documents redirected folders

Wednesday, March 03, 2010 12:38 AM by Chris Hughes

Expanding on what Evan said. The ultimate solution is for MS to modify the Group Policy on the redirected folders to the specific user and the SBS admin account.

Otherwise clearing the "Grant user exclusive rights.." check box is a security problem. Every user on the domain can then browse to the directory and get access.

This PS script is a great tool though, even if you need to run each time a new user is added to the server.