[There's a reason that Yoda is the unofficial mascot of SBS. Size indeed matters not.] Getting access to the My Documents redirected folders - THE OFFICIAL BLOG OF THE SBS DIVA
Sun, Feb 28 2010 9:14 bradley

Getting access to the My Documents redirected folders

When you use redirected folders in SBS (or in any Windows server) by default (unless you check the box) it's limited to only the user having access to the folder.  So if you are the admin you are prompted with a "I'm sorry, Hal, I won't let you do this". Now you can click through the prompt or take ownership of the folders but you might want to do this like Gerhard wanted to do.

 Using this blog post as a guide  --

How to restore Administrators’ access to redirected My Documents folders « My PKB:
http://mypkb.wordpress.com/2008/12/29/how-to-restore-administrators-access-to-redirected-my-documents-folder/

The first thing you do is to download the PsExec from the PSTools.  You don't have to download Powershell as it's already on the box.

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Copy the script below and change two things:

$StartingDir= "E:\Users\shares"

The location of the redirected shares

$Principal="INSERT_DOMAIN_NAME\INSERT_ADMIN_SBS"

The name and domain of the Domain admin account you want to give rights to.

Now save the file as permissions.ps1 (that's a number 1 not a L by the way)

So download the PsExec and extract it on the box.  Then here's the trick you have to remember.  Right mouse click on the command line icon and "run as administrator"

Now type in the command window to run the script

psexec -s -i powershell -noexit "& 'C:\Path\To\ChangePermissions.ps1'"

And then the permissions/ownership will be changed.

And now you won't get the "I'm sorry I won't let you do that" when clicking on the folders.

Proactively you can change the group policy setting to not be as restrictive.

Right mouse click and edit

Under the SBS folder redirect policy (drill down under User Configuration, then Policies, then Windows Settings, the Folder Redirection

And then uncheck the "Grant the user exclusive rights to the Desktop"

 

The permission script is below:

====copy from here ====

#ChangePermissions.ps1
# CACLS rights are usually
# F = FullControl
# C = Change
# R = Readonly
# W = Write

$StartingDir= "E:\Users\shares"

$Principal="INSERT_DOMAIN_NAME\INSERT_ADMIN_SBS"

$Permission="F"

$Verify=Read-Host `n "You are about to change permissions on all" `
"files starting at"$StartingDir.ToUpper() `n "for security"`
"principal"$Principal.ToUpper() `
"with new right of"$Permission.ToUpper()"."`n `
"Do you want to continue? [Y,N]"

if ($Verify -eq "Y") {

foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
#display filename and old permissions
write-Host -foregroundcolor Yellow $file.FullName
#uncomment if you want to see old permissions
#CACLS $file.FullName

#ADD new permission with CACLS
CACLS $file.FullName /E /P "${Principal}:${Permission}" >$NULL

#display new permissions
Write-Host -foregroundcolor Green "New Permissions"
CACLS $file.FullName
}
}


===== to here======
  
                  
            Filed under: 
    

    
    
            
                    

			            

				            #
				            re: Getting access to the My Documents redirected folders
			            

			            

			                
			                    
                            
			                Monday, March 01, 2010 1:16 PM
			                by Evan Anderson
        			        
                        
			
		                

		                    
The "Grant the user exclusive rights to ..." (and the behavour of "Active Directory Users and Computers" and even the old "User Manager for Domains" when it comes to creating legacy home directories) has perplexed me. Why would *any* administrator want their permission hierarchy to get mangled up, automatically, by the OS? Further, having a world-writable directory where users' redirected folders will be created "automatically" seems like a gigantic security risk to me. 


I've always unticked the "Grant the user exclusive rights to ..." boxes, and pre-created the user's redirected folders during the account provisioning process, adding the user to the permissions on each folder. I do the same thing w/ roaming user profile folders, too. (Though, with roaming user profile folders, be sure and enable the Group Policy option "Do not check for user ownership of Roaming Profile Folders" to counteract that silly functionality that Microsoft slipped into W2K SP4 and WXP SP1.)



                        

                     

                
                    

			            

				            #
				            re: Getting access to the My Documents redirected folders
			            

			            

			                
			                    
                            
			                Tuesday, March 02, 2010 3:30 PM
			                by Gerhard
        			        
                        
			
		                

		                    
Looks good...I will try next time I run in to this problem again



                        

                     

                
                    

			            

				            #
				            re: Getting access to the My Documents redirected folders
			            

			            

			                
			                    
                            
			                Tuesday, March 02, 2010 4:57 PM
			                by Gerhard
        			        
                        
			
		                

		                    
btw...once "Grant the user exclusive rights to the Desktop" is enabled on the GPO disabling it will not get the admin access. I tired it again. Unless restarting the server would make a difference  



                        

                     

                
                    

			            

				            #
				            re: Getting access to the My Documents redirected folders
			            

			            

			                
			                    
                            
			                Tuesday, March 02, 2010 5:03 PM
			                by bradley
        			        
                        
			
		                

		                    
First off do a gpforce /all, then this takes into affect for new redirects not existing, you still need to do this script.



                        

                     

                
                    

			            

				            #
				            re: Getting access to the My Documents redirected folders
			            

			            

			                
			                    
                            
			                Tuesday, March 02, 2010 6:17 PM
			                by Gerhard
        			        
                        
			
		                

		                    
Ok. Will try the script again



                        

                     

                
                    

			            

				            #
				            re: Getting access to the My Documents redirected folders
			            

			            

			                
			                    
                            
			                Wednesday, March 03, 2010 12:38 AM
			                by Chris Hughes
        			        
                        
			
		                

		                    
Expanding on what Evan said. The ultimate solution is for MS to modify the Group Policy on the redirected folders to the specific user and the SBS admin account. 


Otherwise clearing the "Grant user exclusive rights.." check box is a security problem. Every user on the domain can then browse to the directory and get access.


This PS script is a great tool though, even if you need to run each time a new user is added to the server.