Permissions on redirected folders - Use the scripting force

One of Profile Migrator's new features in version 2.3 is a licensing model for service providers and integrators. Coincidentally, one of those recently reported an issue with Profile Migrator and redirected folders. During his tests the service provider relocated redirected folders while migrating profiles from Server 2003 to Server 2008. Unfortunately, after logging on, the migrated users received an error message telling them that they had no access to their redirected data. So what happened?

A first analysis of the migration project showed no obvious misconfiguration. The migration process completed successfully each time and all the data was in the right place afterwards. The crux, however, was that the root folder for the newly created redirected folders was only accessible by administrators. The user folders were created by Profile Migrator, but no permissions were added or set on them, so they inherited nothing a user could use. This behavior is by design: it is common practice to redirect folders into a user's home drive or, for the sake of data separation, into another folder with exclusive access for the user, and those folders are usually created together with the user, so that they exist prior to the migration. As mentioned before, this was not the case for our potential customer. But is there a way for him to perform the migration as planned without having to manually adjust the security settings of every user's redirected folders after the migration?

Fortunately, Profile Migrator can call scripts at certain points during the migration. In this server migration scenario a script called after every profile migration is the way to go. The permissions will be set with the free tool SetACL by Helge Klein.

I've created two simple cmd scripts that set the permissions as planned if you are in the same situation as the service provider mentioned above. The first script receives a folder path and grants full access to the user specified by the SID in the second parameter and to the local SYSTEM account (well-known SID S-1-5-18); inheritance from the parent folder is left in place.

@echo off
::
:: AddUserPermissions.cmd, version 1.0
:: Author: Holger Adam
:: Copyright sepago GmbH 2012
:: Sets full access for the user and the SYSTEM account (S-1-5-18) on the specified redirected folder root
:: Parameters:
:: 1) The path of the redirected folder
:: 2) The user SID for full access
::

:: Keep variables in this script
setlocal

:: Redirected folder root 
if "%~1"=="" (
    echo Please specify the redirected folders root as the first parameter!
    exit /b 1
)
set RedirectedFolder=%~1
set RedirectedFolder=%RedirectedFolder:"=%

:: User SID
if "%~2"=="" (
    echo Please specify the user SID as the second parameter!
    exit /b 1
)
set UserSid=%~2
set UserSid=%UserSid:"=%
:: %~dp0 already ends with a backslash; SetACL is expected next to this script
if not exist "%~dp0SetACL.exe" (
    echo SetACL not found!
    exit /b 1
)

:: Check that the redirected folder exists
if not exist "%RedirectedFolder%" (
    echo Folder '%RedirectedFolder%' does not exist!
    exit /b 1
)

:: Add full-control ACEs for the user and SYSTEM (s:y = the name is a SID); inheritance stays intact
"%~dp0SetACL.exe" -on "%RedirectedFolder%" -ot file -actn ace -ace "n:%UserSid%;p:full;s:y" -actn ace -ace "n:S-1-5-18;p:full;s:y"
if ERRORLEVEL 1 (
    echo SetACL on '%RedirectedFolder%' failed.
    exit /b 1
)

exit /b 0

The second script also takes a folder path and a SID, but it breaks inheritance on the specified folder (the DACL is protected without copying the inherited ACEs, so only the explicit entries remain), adds ACEs with full access for the user and SYSTEM, and makes the user the owner. The result is exclusive access for the user, the same as ticking "Grant the user exclusive rights" in the Folder Redirection group policy setting. Be aware that, exactly as with that policy option, administrators lose access to such a folder, because the only ACEs left are the user's and SYSTEM's.

@echo off
::
:: SetExclusiveUserAccess.cmd, version 1.0
:: Author: Holger Adam
:: Copyright sepago GmbH 2012
:: Sets exclusive access for the user on the specified redirected folder
:: Parameters:
:: 1) The path of the redirected folder
:: 2) The user SID for full access
::

:: Keep variables in this script
setlocal

:: Redirected folder
if "%~1"=="" (
    echo Please specify the redirected folder as the first parameter!
    exit /b 1
)
set RedirectedFolder=%~1
set RedirectedFolder=%RedirectedFolder:"=%

:: User SID
if "%~2"=="" (
    echo Please specify the user SID as the second parameter!
    exit /b 1
)
set UserSid=%~2
set UserSid=%UserSid:"=%

:: %~dp0 already ends with a backslash; SetACL is expected next to this script
if not exist "%~dp0SetACL.exe" (
    echo SetACL not found!
    exit /b 1
)

:: Check that the redirected folder exists
if not exist "%RedirectedFolder%" (
    echo Folder '%RedirectedFolder%' does not exist!
    exit /b 1
)

:: Add full-control ACEs for the user and SYSTEM, protect the DACL without copying
:: the inherited ACEs (p_nc), leave the SACL as it is (nc), and make the user the owner
"%~dp0SetACL.exe" -on "%RedirectedFolder%" -ot file -actn ace -ace "n:%UserSid%;p:full;s:y" -actn ace -ace "n:S-1-5-18;p:full;s:y" -actn setprot -op "dacl:p_nc;sacl:nc" -actn setowner -ownr "n:%UserSid%;s:y"
if ERRORLEVEL 1 (
    echo SetACL on '%RedirectedFolder%' failed.
    exit /b 1
)

exit /b 0

Store the scripts in the same directory as SetACL.exe (they look for it next to themselves), then call them from Profile Migrator with these command lines; the second call is shown for the Desktop folder as an example and is repeated for every other redirected folder that should be exclusive:

"\\server\share\scripts\AddUserPermissions.cmd" "%PM_VAR_TARGETPATHTEMPORARY%" %PM_VAR_USERSID%
"\\server\share\scripts\SetExclusiveUserAccess.cmd" "%PM_VAR_TARGETPATHTEMPORARY%\Desktop" %PM_VAR_USERSID%
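As an added example (not part of the original post, not Profile Migrator code, and not a replacement the author ships), the following PowerShell performs the same two changes the cmd scripts make with the .NET ACL classes instead of SetACL, and adds the check a practitioner wants before a descriptor is written: that the result really is "exclusive", i.e. protected from inheritance, owned by the user, and carrying nothing but full-control Allow ACEs for the user and SYSTEM. The function and parameter names, the sample SID and the sample paths in the usage lines are assumptions; only the SIDs S-1-5-18 (SYSTEM) and S-1-5-32-544 (BUILTIN\Administrators) are well-known values.

```powershell
# Added example, not from the original post and not part of Profile Migrator.
# Assumed (not from the post): the function/parameter names, the sample SID and
# the sample paths used in the usage lines at the end.

Set-StrictMode -Version 2

$SystemSid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$SidType     = [System.Security.Principal.SecurityIdentifier]

function New-FullControlRule {
    # Allow ACE for full control that propagates to subfolders and files,
    # the inheritance a folder ACE normally carries.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Sid, $FullControl, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Add-UserPermissions {
    # Counterpart of AddUserPermissions.cmd: add user and SYSTEM, keep inheritance.
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$UserSid
    )
    $sid = New-Object System.Security.Principal.SecurityIdentifier $UserSid
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule((New-FullControlRule -Sid $sid))
    $acl.AddAccessRule((New-FullControlRule -Sid $SystemSid))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function New-ExclusiveUserAcl {
    # Builds, without writing it, the descriptor SetExclusiveUserAccess.cmd produces:
    # protected DACL with the inherited ACEs dropped (SetACL's dacl:p_nc),
    # full control for the user and SYSTEM, the user as owner.
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$UserSid
    )
    $sid = New-Object System.Security.Principal.SecurityIdentifier $UserSid
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # isProtected=true, preserveInheritance=false
    $acl.AddAccessRule((New-FullControlRule -Sid $sid))
    $acl.AddAccessRule((New-FullControlRule -Sid $SystemSid))
    $acl.SetOwner($sid)
    return $acl
}

function Test-ExclusiveUserAcl {
    # $true only if the descriptor is protected, owned by the user, and its DACL
    # consists of nothing but full-control Allow ACEs for the user and SYSTEM.
    param(
        [Parameter(Mandatory=$true)][System.Security.AccessControl.FileSystemSecurity]$Acl,
        [Parameter(Mandatory=$true)][string]$UserSid
    )
    if (-not $Acl.AreAccessRulesProtected) { return $false }
    if ($Acl.GetOwner($SidType).Value -ne $UserSid) { return $false }
    $rules = @($Acl.GetAccessRules($true, $true, $SidType))   # explicit and inherited ACEs
    if ($rules.Count -ne 2) { return $false }
    $allowed = @($UserSid, $SystemSid.Value)
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
        if (($rule.FileSystemRights -band $FullControl) -ne $FullControl) { return $false }
        if ($allowed -notcontains $rule.IdentityReference.Value) { return $false }
    }
    return $true
}

function Set-ExclusiveUserAccess {
    # Counterpart of SetExclusiveUserAccess.cmd, with the sanity check before writing.
    # Making another account the owner needs SeRestorePrivilege, so run this elevated,
    # the same requirement SetACL has for its setowner action.
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$UserSid
    )
    $acl = New-ExclusiveUserAcl -Path $Path -UserSid $UserSid
    if (-not (Test-ExclusiveUserAcl -Acl $acl -UserSid $UserSid)) {
        throw "Descriptor built for '$Path' is not an exclusive-access descriptor"
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage mirroring the two Profile Migrator calls (sample path and sample SID, constructed):
# Add-UserPermissions     -Path 'D:\Redirected\jdoe'         -UserSid 'S-1-5-21-1111111111-2222222222-3333333333-1001'
# Set-ExclusiveUserAccess -Path 'D:\Redirected\jdoe\Desktop' -UserSid 'S-1-5-21-1111111111-2222222222-3333333333-1001'
```

The check is deliberately run on the in-memory descriptor before Set-Acl writes it: once the exclusive DACL is in place, an administrator who is neither owner nor listed in the DACL can no longer read it back with Get-Acl without first taking ownership, which is precisely the effect the "exclusive rights" option has. If the administrators should keep access instead, add a third full-control ACE for S-1-5-32-544 (BUILTIN\Administrators) in New-ExclusiveUserAcl and extend the allowed list in Test-ExclusiveUserAcl accordingly.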
 
And of course you can use the Profile Migrator scripting interface for any other task you might want to add as a custom step!
 
 
Update: The example calls originally used \\server\share\%PM_VAR_USERNAME% instead of %PM_VAR_TARGETPATHTEMPORARY%. That does not work; the calls above have been corrected.

Microsoft Competence Blog