Just a snippet I needed to run to resolve an issue - it is a DOS script that re-takes ownership of a roaming profile, then re-sets up the user security, so it still runs.
BE CAREFUL
I ran this on a W2K3 server hosting the TS roaming profile shares, to retroactively add the administrators with ownership permissions on the user profile folders.
Note: there is a GPO item to do this, but it doesn't work retroactively on already created profiles, hence this script.
(for reference: Computer Configuration -> Administrative Templates -> System -> User Profiles -> "Add the Administrators security group to roaming user profiles")
NOTE: USE THIS AT YOUR OWN RISK, I AM NOT RESPONSIBLE IF THIS DOESN'T WORK FOR YOU, IT JUST WORKED FOR ME (perfectly actually)!
Save the following as "fixprofile.bat"
---------------------------------------------------------
@echo off
REM %1 = full path of the profile folder, %2 = username (no DOMAIN\ prefix)
REM Paths are quoted as "%~1" so folder names containing spaces still work
REM 1. Give ownership of the folder and everything under it to Administrators
takeown /R /A /F "%~1" /D Y
REM 2. Edit the existing ACLs (/E) instead of replacing them, recursing (/T)
cacls "%~1" /T /E /G "Domain Admins":F
cacls "%~1" /T /E /G "%~2":F
cacls "%~1" /T /E /G SYSTEM:F
echo Folder %1 has been retaken by Administrators and repermissioned for user %2
@echo on
---------------------------------------------------------
Then just call this script like "fixprofile.bat FULLFOLDERNAME DOMAINUSERNAME" (note: DOMAINUSERNAME DOES NOT NEED THE DOMAIN\username, just username)
If you need to do this in batch mode for ALL the profiles, try something like the following:
for /D %i in (*) do call fixprofile.bat %i %i
(assuming your profile folders are named the same as mine, and match your usernames; that form is for typing at the command prompt - inside a batch file write %%i instead of %i)
If your folders are username.DOMAIN, then this won't work, however, you could do something like this:
dir /b /ad > user.list.txt
(/ad lists directories only, which saves some of the cleanup in the next step)
Then edit user.list.txt (remove anything not a user profile folder, or not a folder you need to do this to!)
Paste the whole list into the first two columns (A and B) of Excel, split column B into multiple columns at the period so that B holds just the username, delete the new third column, then put a formula like this into the third column:
="call fixprofile.bat " & A1 & " " & B1
and copy it down to every row. The "call" matters: when one batch file runs another without call, control jumps to the second script and never comes back, so massupdate.bat would stop after its first line.
Then copy that entire column into a new batch script on the server (massupdate.bat or something) and run it.
Wait and Pray
Voila
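The fixprofile.bat script and the batch-mode loop above, folded into one script as an added example (this is not the original script from this post): it derives the username from the folder name itself, so it covers both the plain username and the username.DOMAIN layouts without the Excel step, quotes every path so folders with spaces work, uses call so the loop keeps going, logs the takeown/cacls output to a file, and has a dry-run switch so you can see the list of folders before anything is changed. The name massfix.bat, the log file name and the "dry" argument are my own choices.

```batch
@echo off
setlocal
REM massfix.bat - added example, not the page's own fixprofile.bat.
REM Re-takes ownership of every profile folder under a share root for the
REM Administrators group and re-grants the profile owner, Domain Admins and
REM SYSTEM full control, as fixprofile.bat does, but derives the username from
REM the folder name so both "jsmith" and "jsmith.DOMAIN" layouts work.
REM Usage:  massfix.bat D:\Profiles        fix every folder under the root
REM         massfix.bat D:\Profiles dry    only print what would be done
if "%~1"=="" (
    echo Usage: %~nx0 PROFILEROOT [dry]
    exit /b 1
)
set "ROOT=%~1"
set "DRYRUN=%~2"
set "LOG=%~dp0massfix.log"
pushd "%ROOT%" || (
    echo Cannot open %ROOT%
    exit /b 1
)
for /D %%d in (*) do (
    REM the username is the part of the folder name before the first period
    for /f "delims=." %%u in ("%%d") do call :fixone "%%~fd" "%%u"
)
popd
echo Finished. takeown/cacls output is in "%LOG%"
exit /b 0

:fixone
REM %1 = full folder path, %2 = username
set "FOLDER=%~1"
set "UNAME=%~2"
if defined DRYRUN (
    echo would fix "%FOLDER%" for user %UNAME%
    goto :eof
)
echo === %FOLDER% >>"%LOG%"
REM 1. Ownership of the whole tree goes to Administrators; /D Y answers the
REM    prompt for subfolders the current account cannot list.
takeown /R /A /F "%FOLDER%" /D Y >>"%LOG%" 2>&1
if errorlevel 1 echo [WARN] takeown reported errors for "%FOLDER%", see log
REM 2. Edit the existing ACLs rather than replacing them; /C continues past
REM    individual access-denied files so one bad file does not abort the tree.
cacls "%FOLDER%" /T /E /C /G "Domain Admins":F >>"%LOG%" 2>&1
cacls "%FOLDER%" /T /E /C /G "%UNAME%":F >>"%LOG%" 2>&1
cacls "%FOLDER%" /T /E /C /G SYSTEM:F >>"%LOG%" 2>&1
echo [OK] "%FOLDER%" owned by Administrators, full control for %UNAME%
goto :eof
```

Run it once with the dry argument first; the list it prints is exactly the set of folders and usernames it will act on, so a stray folder that is not a profile (or a username split wrongly at the period) shows up before any ACL is touched.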
If you are also trying to do this to migrate profiles to the new .V2 format for W2K8, add lines like the ones below to the fixprofile.bat script (the .V2 folder is created relative to the directory you run the script from):
robocopy "%~1" "%~2.V2" /e /z /sec
echo Folder %1 has been copied to %2.V2 for 2008 Profiles
(robocopy is not built into W2K3, so make sure robocopy.exe is in the same folder as this script)
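A read-only check to run before the mass update (and again after it, to confirm the result), added here and not part of the original post: it lists the folders under the share root whose owner is not the Administrators group, or where the user named by the folder has no ACE at all, using the owner column of dir /q and the ACE listing from cacls. It changes nothing. The script name and the rule that the username is the part of the folder name before the first period are assumptions matching the two folder layouts described above.

```batch
@echo off
setlocal
REM auditprofiles.bat - added example, not from the page. Read-only: it
REM changes nothing. Reports profile folders under a share root that are not
REM owned by the Administrators group, or where the user named by the folder
REM has no ACE, so you can see what a mass fix would touch before running it
REM and confirm the outcome afterwards.
REM Usage: auditprofiles.bat D:\Profiles
if "%~1"=="" (
    echo Usage: %~nx0 PROFILEROOT
    exit /b 1
)
pushd "%~1" || (
    echo Cannot open %~1
    exit /b 1
)
set /a bad=0
for /D %%d in (*) do (
    REM username = folder name up to the first period
    for /f "delims=." %%u in ("%%d") do call :check "%%d" "%%u"
)
popd
echo.
echo %bad% folder(s) need attention
endlocal
exit /b 0

:check
REM %1 = folder name, %2 = username
REM dir /q prints the owner before each entry; pick the line that ends with
REM this folder's name and test whether the owner column says Administrators
set "OWNER_OK="
dir /q /ad | findstr /i /l /e /c:" %~1" | findstr /i /c:"Administrators" >nul && set "OWNER_OK=1"
REM cacls lists every ACE as DOMAIN\user:perm; look for this user's own entry
REM (a substring match, so a username that is a suffix of another could pass)
set "ACE_OK="
cacls "%~1" | findstr /i /l /c:"%~2:" >nul && set "ACE_OK=1"
if defined OWNER_OK if defined ACE_OK goto :eof
set /a bad+=1
if not defined OWNER_OK echo [OWNER] %~1 is not owned by Administrators
if not defined ACE_OK   echo [ACL]   %~1 has no entry for user %~2
goto :eof
```

Because it only reads, it is safe to run under a normal admin session against the live share; a count of zero after the fix is the signal that every profile folder now has the Administrators group as owner and its user back on the ACL.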
This script uses the following two Windows-native programs: takeown and cacls.
Their help output is below.
D:\Profiles>takeown /?

TAKEOWN [/S system [/U username [/P [password]]]]
        /F filename [/A] [/R [/D prompt]]

Description:
    This tool allows an administrator to recover access to a file that
    was denied by re-assigning file ownership.

Parameter List:
    /S           system          Specifies the remote system to
                                 connect to.

    /U           [domain\]user   Specifies the user context under
                                 which the command should execute.

    /P           [password]      Specifies the password for the
                                 given user context.
                                 Prompts for input if omitted.

    /F           filename        Specifies the filename or directory
                                 name pattern. Wildcard "*" can be used
                                 to specify the pattern. Allows
                                 sharename\filename.

    /A                           Gives ownership to the administrators
                                 group instead of the current user.

    /R                           Recurse: instructs tool to operate on
                                 files in specified directory and all
                                 subdirectories.

    /D           prompt          Default answer used when the current user
                                 does not have the "list folder" permission
                                 on a directory. This occurs while operating
                                 recursively (/R) on sub-directories. Valid
                                 values "Y" to take ownership or "N" to skip.

    /?                           Displays this help message.

    NOTE: 1) If /A is not specified, file ownership will be given to the
             current logged on user.

          2) Mixed patterns using "?" and "*" are not supported.

          3) /D is used to suppress the confirmation prompt.

Examples:
    TAKEOWN /?
    TAKEOWN /F lostfile
    TAKEOWN /F \\system\share\lostfile /A
    TAKEOWN /F directory /R /D N
    TAKEOWN /F directory /R /A
    TAKEOWN /F *
    TAKEOWN /F C:\Windows\System32\acme.exe
    TAKEOWN /F %windir%\*.txt
    TAKEOWN /S system /F MyShare\Acme*.doc
    TAKEOWN /S system /U user /F MyShare\foo.dll
    TAKEOWN /S system /U domain\user /P password /F share\filename
    TAKEOWN /S system /U user /P password /F Doc\Report.doc /A
    TAKEOWN /S system /U user /P password /F Myshare\*
    TAKEOWN /S system /U user /P password /F Home\Logon /R
    TAKEOWN /S system /U user /P password /F Myshare\directory /R /A
D:\Profiles>cacls /?

Displays or modifies access control lists (ACLs) of files

CACLS filename [/T] [/M] [/S[:SDDL]] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in
                 the current directory and all subdirectories.
   /M            Changes ACLs of volumes mounted to a directory
   /S            Displays the SDDL string for the DACL.
   /S:SDDL       Replaces the ACLs with those specified in the SDDL string
                 (not valid with /E, /G, /R, /P, or /D).
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /R user       Revoke specified user's access rights (only valid with /E).
   /P user:perm  Replace specified user's access rights.
                 Perm can be: N  None
                              R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.

Abbreviations:
   CI - Container Inherit.
        The ACE will be inherited by directories.
   OI - Object Inherit.
        The ACE will be inherited by files.
   IO - Inherit Only.
        The ACE does not apply to the current file/directory.