Grant Administrators Full Control Access on Roaming Profiles Folders (Grant-RoamingProfilesAccess)

Maybe you have already had the following problem: You're using roaming profiles. You are the administrator of the domain. You can't access the roaming profiles folder. You have to take ownership of each folder and grant yourself access to every subfolder inside the parent folder. It's a nuisance. That's over now. Just use my advanced PowerShell function Grant-RoamingProfilesAccess to get access to all profile folders and files.

The Roaming Profiles Folder

In my case, all roaming profiles are stored on my domain controller in c:\Profiles.

When I try to access that folder, I get an Access Denied.

You don’t currently have permissions to access this folder.

If you now think you can get access simply by following the instructions and clicking on Continue, then you are right. But what if you need access to all profiles? It is very tedious to do the work for all folders. That brought me to an idea: I will make a function out of it to grant access to all profiles and their subfolders. Let's jump in.

Breaking into the Profiles Folders

Firstly, we have to take ownership of all folders. Secondly, we have to grant full access to the administrators group. My function will do all that.

Here it is in action:


Grant-RoamingProfilesAccess -Path C:\Profiles\

After running that command, administrators have full access to all folders, including subfolders.

The function Grant-RoamingProfilesAccess

Here is the code:


function Grant-RoamingProfilesAccess {

<#
.SYNOPSIS
Grant-RoamingProfilesAccess is an advanced PowerShell function. It takes ownership of the users' roaming profile folders and grants the administrators group full access.

.DESCRIPTION
Uses takeown and icacls. Define the path to the roaming profiles root directory.

.PARAMETER Path
Enter the path to the roaming profiles root folder.

.EXAMPLE
Grant-RoamingProfilesAccess -Path C:\Profiles\

.NOTES
Author: Patrick Gruenauer
Web: https://sid-500.com
#>

    [CmdletBinding()]
    param
    (
        [Parameter(Position=0,Mandatory=$true,HelpMessage = 'Enter Path to the Roaming Profiles Root Directory')]
        $Path
    )

    # Suppress PowerShell error output while walking the tree
    $ErrorActionPreference="SilentlyContinue"

    Get-ChildItem $Path -Recurse |
    ForEach-Object {

        # /a makes the Administrators group (not the current user) the owner
        takeown /f $_.FullName /a
        # Grant full control, inherited by subfolders (CI) and files (OI); /t also processes everything below
        icacls $_.FullName /grant "administrators:(OI)(CI)F" /t

    }
}
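
To check the result after running the function, the following added example (not part of the original post or the author's code) lists each profile folder's owner and whether the built-in Administrators group holds an Allow entry with FullControl. The function name Test-RoamingProfilesAccess and the output property names are hypothetical.

```powershell
function Test-RoamingProfilesAccess {
    # Hypothetical helper: read-only report, changes nothing on disk.
    [CmdletBinding()]
    param (
        [Parameter(Position = 0, Mandatory = $true)]
        [string]$Path
    )

    # Well-known SID of BUILTIN\Administrators, independent of the OS language
    $adminSid = 'S-1-5-32-544'
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl

    # One row per profile folder directly below the root
    Get-ChildItem -LiteralPath $Path -Directory -Force | ForEach-Object {
        $row = [ordered]@{
            Folder            = $_.FullName
            Owner             = $null
            AdminsFullControl = $false
            Error             = $null
        }
        try {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
            $row.Owner = $acl.Owner

            # Explicit and inherited ACEs, with identities returned as SIDs
            foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
                if ($rule.IdentityReference.Value -eq $adminSid -and
                    $rule.AccessControlType -eq 'Allow' -and
                    ($rule.FileSystemRights -band $full) -eq $full) {
                    $row.AdminsFullControl = $true
                }
            }
        }
        catch {
            # Typically "access denied": the ACL cannot be read yet
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Usage (path taken from the article):
# Test-RoamingProfilesAccess -Path C:\Profiles\ | Format-Table -AutoSize
```

Run it before and after Grant-RoamingProfilesAccess to see which folders changed owner and which still deny access.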

Make it permanent

Copy this code into your PowerShell ISE session and run the code. Then type the command and have fun with it. Or download it here:

Grant-RoamingProfilesAccess

If you want to make the function permanently available, so that it is there every time you start PowerShell, create a folder in C:\Program Files\WindowsPowerShell\Modules and name it Grant-RoamingProfilesAccess. Then save the code as a .psm1 file in that folder.