Posts Tagged ‘Security’

Fix User’s Home Directory Permissions with Take Ownership

Wednesday, February 15th, 2017

Fix-HomeDrivePerms.ps1 is a PowerShell script which attempts to reset folder security when the permissions are really hosed.  It uses a take ownership function, Set-Owner, by Boe Prox, instead of takeown.exe, but does shell out to iCacls.exe.  I wrote this to fix home directories where a user might be logged on with files open a the time, and so it doesn’t rip out the old permissions and replace.

This will require a some editing to run, and this code fragment is set up to do one user folder at a time.  But it might get you going in the right direction.

Script Text

Another User Folder Security Reset Script

Saturday, February 11th, 2017

This simple batch file resets the inheritance on users folders and then grants them “modify” using the builtin icacls.exe.   This script does not address issues which require you to take ownership — I will post one that does that soon.

I added the “echo” command so you can see what it is doing — remove “echo” when you are ready to run it.

Remember that the variable character for batch files is the percentage sign “%” which must be escaped with a second percentage sign inside a batch file. So if you intend to run this from a command line, you would need to use only a single percentage sign for each variable.

PushD does a temporary drive mapping and changes you to the folder. Popd is the undo for PushD. Both are available inside of PowerShell.

The “FOR” command reads like this: For each directory assign the variable %u.  Run iCacls  to reset security, traversing the folders and continuing  on errors.  The expression %~fu expands %u to a fully qualified path name. The semi-colon allows multiple commands to be stacked. The next iCacls command grants the user modify based on the assumption that the username and folder name are the same.  %~du expands %u to a drive letter only – here, the temporary drive you got from the pushd command.

Variable assignments in the batch for command are case sensitive. If you run “FOR /?” from a command line, you will see a long list of interesting things that the tilde modifier can do with a batch variable.