Maybe you have already had the following problem: you’re using roaming profiles, you are the administrator of the domain, and you can’t access the roaming profiles folder. You have to take ownership of each folder and grant yourself access to every subfolder inside the parent folder. It’s a nuisance. That’s over now. Just use my advanced PowerShell function Grant-RoamingProfilesAccess to get access to all profile folders and files.
The Roaming Profiles Folder
In my case, all roaming profiles are stored on my domain controller in c:\Profiles.
When I try to access that folder, I get an Access Denied.
You don’t currently have permissions to access this folder.
If you now think you can get access simply by following the instructions and clicking on Continue, then you are right. But what if you need access to all profiles? It is very tedious to do the work for all folders. That brought me to an idea: I will make a function out of it to grant access to all profiles and their subfolders. Let’s jump in.
Breaking into the Profiles Folders
Firstly, we have to take ownership of all folders. Secondly, we have to grant full access to the administrators group. My function will do all that.
Here it is in action:
Grant-RoamingProfilesAccess -Path C:\Profiles\
After running that command, administrators have full access to all folders, including subfolders.
The function Grant-RoamingProfilesAccess
Here is the code:
function Grant-RoamingProfilesAccess {
    # .SYNOPSIS
    # Grant-RoamingProfilesAccess is an advanced PowerShell function. It takes ownership of the users' roaming profiles folders and grants the administrators group full access.
    # .DESCRIPTION
    # Uses takeown and icacls. Define the path to the roaming profiles root directory.
    # .PARAMETER Path
    # Enter the path to the roaming profiles root folder.
    # .EXAMPLE
    # Grant-RoamingProfilesAccess -Path C:\Profiles\
    # .NOTES
    # Author: Patrick Gruenauer
    # Web: https://sid-500.com

    [CmdletBinding()]
    param
    (
        [Parameter(Position=0,Mandatory=$true,HelpMessage = 'Enter Path to the Roaming Profiles Root Directory')]
        $Path
    )

    # Suppress error output for items that cannot be processed
    $ErrorActionPreference="SilentlyContinue"

    Get-ChildItem $Path -Recurse |
    ForEach-Object {
        # /a makes the Administrators group, not the current user, the owner
        takeown /f $_.FullName /a
        # Full control (F), inherited by files (OI) and subfolders (CI); /t recurses
        icacls $_.FullName /grant "administrators:(OI)(CI)F" /t
    }
}
Make it permanent
Copy this code into your PowerShell ISE session and run the code. Then type the command and have fun with it. Or download it here:
Grant-RoamingProfilesAccess
If you want to make the function permanently available, so that it is there every time you start PowerShell, you have to create a folder in C:\Program Files\WindowsPowerShell\Modules. Name it Grant-RoamingProfilesAccess. Then save the code as a .psm1 file in that folder. The screenshot below will help you.
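A variant of the function above, added here as an example and not the author's code: it names the Administrators group by its well-known SID S-1-5-32-544 so the grant does not depend on the operating system language, opens each folder before listing its children, skips reparse points, and returns the items that failed instead of silencing errors. The function name Grant-ProfileAccessBySid and the shape of the output objects are assumptions.

```powershell
# Added example, not the author's function. The function name is hypothetical.
function Grant-ProfileAccessBySid {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true, Position = 0)]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Container })]
        [string]$Path
    )

    # Well-known SID of the built-in Administrators group, identical on every
    # language version of Windows. icacls accepts a SID when it is prefixed with '*'.
    $grant = '*S-1-5-32-544:(OI)(CI)F'

    # Breadth-first walk: a folder is opened up before its children are listed.
    # Reparse points (junctions, symlinks) are skipped so the walk stays inside the tree.
    $queue = [System.Collections.Generic.Queue[System.IO.FileSystemInfo]]::new()
    $enqueue = {
        param($dir)
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::ReparsePoint) } |
            ForEach-Object { $queue.Enqueue($_) }
    }
    & $enqueue $Path

    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if (-not $PSCmdlet.ShouldProcess($item.FullName, 'Take ownership, grant Administrators full control')) { continue }

        # /a makes the Administrators group the owner rather than the current user.
        $null = takeown /f $item.FullName /a 2>&1
        $takeownExit = $LASTEXITCODE
        $output = icacls $item.FullName /grant $grant /q 2>&1
        $icaclsExit = $LASTEXITCODE

        if ($takeownExit -ne 0 -or $icaclsExit -ne 0) {
            # Emit failures as objects so they can be reviewed or exported.
            [pscustomobject]@{
                Path        = $item.FullName
                TakeownExit = $takeownExit
                IcaclsExit  = $icaclsExit
                Message     = ($output | Out-String).Trim()
            }
        }
        elseif ($item.PSIsContainer) {
            & $enqueue $item.FullName
        }
    }
}
# Dry run with the article's path: Grant-ProfileAccessBySid -Path C:\Profiles -WhatIf
```

With -WhatIf only the top-level profile folders are listed and nothing is changed; without it, an empty result means every item was processed successfully.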
Hi Patrick, I had a bad experience when taking ownership of the users’ roaming profile folder using another script. The users will have problems signing in to their computers. They will log in to a “temporary profile”. Maybe I need to test this script first. Thanks
Hello,
unfortunately I get the following error when running the script:
ERFOLGREICH: Die Gruppe “Administratoren” ist jetzt der Besitzer der Datei
E:\Profile\benutzername.V6″ .
administrators: Zuordnungen von Kontennamen und Sicherheitskennungen wurden nicht durchgeführt.
0 Dateien erfolgreich verarbeitet, bei 1 Dateien ist ein Verarbeitungsfehler aufgetreten.
Administrators still cannot access the profiles.
Where could the error be? (Windows Server 2016)
Hello!
Are you working on a German operating system? If so …
You have to adapt the script. The group is then not called Administrators but Administratoren.
Regards
O
function Grant-RoamingProfilesAccess {
# .SYNOPSIS
# Grant-RoamingProfilesAccess is an advanced Powershell function. It takes ownership of the users roaming profiles folders and grants the administrators group full access.
# .DESCRIPTION
# Uses takeown and icacls. Define the path to the roaming profiles root directory.
# .PARAMETER
# Path
c:\profile2\
# .EXAMPLE
Grant-RoamingProfilesAccess -Path C:\Profile2\
# .NOTES
# Author: Patrick Gruenauer
# Web:
# https://sid-500.com
[CmdletBinding()]
param
(
[Parameter(Position=0,Mandatory=$true,Helpmessage = ‘C:\Profile2\’)]
$Path
)
$ErrorActionPreference=”SilentlyContinue”
Get-ChildItem $Path -Recurse |
ForEach-Object {
takeown /f $_.FullName /a
icacls $_.Fullname /grant “administrators:(OI)(CI)F” /t
}
}
This is not working for me. Can you see what I did wrong?
Patrick, can you tell me what the purpose of roaming profiles is? What does it mean when you say roaming profiles? Do you mean roaming profiles store my files and folders on the server instead of on my local PC or laptop?
Hi,
Yes it’s stored locally and on the server.
Best,
P
Hi Patrick – thank you for sharing!
I have a little question for you regarding the script.
If I only wanted to run this on a particular subfolder or a set of folders, how would I proceed with this?
As I do not want to remove all Roaming Profile Folders and only need to remove around 15, is there any way around this – I thought if I create a script now it will save me time and effort doing it in future, plus learning something new always excites me 🙂
Awaiting in anticipation for a response – thank you in advance.
Just modify the folder in the function. Take the time to investigate my function and then modify the script as you see fit.