How do you take ownership over multiple roaming profiles?

albangaalbanga Member Posts: 164
Hi All,

I was just wondering if their is a way to take ownership over multiple roaming profiles at once? Within my company we have a lot of people coming and going so about every quarter i do a roaming profile deletion of old staff. Problem is i have to go into each folder and take ownership before i can delete it. This is a nightmare and takes forever.

I do not want to take ownesrhip at the top folder level because that will ruin everyones security on there profiles.

I simply want to know if there is "an easy to use" :) tool that would allow me select all the folders i want at once and then take ownership so i can delete.

Any help would be greatly appreciated.

Thanks

Comments

  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    subinacl.exe is your new best friend. It can do everything calcs and xcalcs can do and a heck of a lot more. icon_cool.gif
    subinacl /noverbose /subdirectories [I]<directoryname>[/I] /setowner=[I]<DOMAIN\user>[/I]
    

    You could combine it with a FOR loop and read in a list of the directories from a file if that helped too.
  • ClaymooreClaymoore Member Posts: 1,637
    Group Policy can take care of this going forward:

    Computer Config - Admin Templates - System - User Profiles
    Add the Administrators security group to roaming user profiles - Enabled

    This must be done on an OU that applies to the workstations (not just the server that stores the profiles) and will only affect profiles created after the policy is set.
  • albangaalbanga Member Posts: 164
    Thanks for the feedback. Claymoore i will definitely look at this moving further.

    In regards to your reply astorrs I have tried this and it tells me that it has done it successfull (i think) but it still has access denies on the file and no change of ownership. I have run the following;

    subinacl /noverbose /subdirectories \\server\roamingprofiles$\user\* /setowner=domain\administrator

    Server = name of server which hosts the roaming profiles.
    Roamingprofiles$ = Share name of profiles
    user = user whos permissions i am trying to change

    I have read that this is a good method to use but at the moment it just does not seem to be doing anything. It is not throwing up any errors so i am not sure where to look. Have i perhaps got a wrong switch.

    I also read a forum with a couple of users experiencing the same problem and someone mentioned to make sure they had the latest version which i do. Any ideas?
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    I'm not sure if /setowner is supported over the network, can you try running it again from the file server directly?

    Also is this by chance a Dfs share?

    And drop the /noverbose switch the next time you run it so you can see what's happening.
  • albangaalbanga Member Posts: 164
    Hey astorrs,

    I have been running the command directly from the server, so that should not be an issue and it is a normal share.

    I did what you asked and dropped the /noverbose switch. It showed the application running through all the files and "claimed" it had set all the files to the new administrator owner but when i try to access the folder it again says access denied. The final report shows it modified 8500 all with no errors.

    Is there a chance that it is modifying all the files but is not changing ownership at the top folder level hence denying me access?

    Can you see anything else i might be missing?

    Thanks again for all your help.
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    Good question, do you have Full Control on the root folder already? You may need to run it once at \user\ and then again at \user\*
  • undomielundomiel Member Posts: 2,818
    Running it from the server using the UNC though wouldn't make a difference. Perhaps if you used the directory structure instead? i.e. subinacl /subdirectories D:\profilesstorage\roamingprofiles$\user\* /setowner=domain\administrator

    It could be related to permissions on the share not giving you FC.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • astorrsastorrs Member Posts: 3,139 ■■■■■■□□□□
    Thanks for clarifying that undomiel, that's what I meant him to do, but I see you're correct and he's still using the UNC path.
  • albangaalbanga Member Posts: 164
    Hi Guys,

    Sorry for the late reply. Still having no luck. I have tried using the directory structure path. When i use the /subdirectories command it looks as though it works but then doesnt do a thing.

    I have tried taking control over just the root of the folder without its subdirectories and get the following;

    C:\Program Files\Windows Resource Kits\Tools>subinacl D:\FS-RoamingProfiles\cust
    oms.temp\* /setowner=NN\Administrator
    WARNING : Error parsing line +:\fs-roamingprofiles\customs.temp\* /setowner=nn\a
    dministrator
    Use :
    SubInacl /help to get the usage information
    or
    SubInAcl /help syntax to understand SubInAcl syntax.

    Elapsed Time: 00 00:00:00
    Done: 0, Modified 0, Failed 0, Syntax errors 1
    Last Syntax Error:WARNING : Error parsing line +:\fs-roamingprofiles\customs.tem
    p\* /setowner=nn\administrator

    Any ideas?
  • undomielundomiel Member Posts: 2,818
    For the specific directory I believe you would want to do
    subinacl /file D:\FS-RoamingProfiles\customs.temp /setowner=NN\Administrator
    

    For subinacl you have to specify a type that you are working with it looks like. This is just based off Subinacl - Modify Access Control Entries as I haven't had a chance yet to put it to work. Something else that could be tried is using icacls.
    icacls D:\FS-RoamingProfiles\customs.temp\* /setowner NN\Administrator /T
    
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • albangaalbanga Member Posts: 164
    None of it works. I think i might just throw in the towel and manually delete them and change the rule for the future.
Sign In or Register to comment.