Channel: Terence Luk

Setting Share and NTFS permissions for redirected profile and home folders with commands


Whether it’s setting up redirected profile or home folders for Active Directory user accounts, folders for VMware View Persona management, or Citrix UPM, I find it somewhat cumbersome to manually configure the folders through a series of mouse clicks, so I have long been meaning to figure out how to automate the process with regular command prompt commands. Having set up another home drive folder for another client today, I finally went ahead and looked up the commands that enabled me to automate the task.

Step #1 – Create folder

The first step in the process is to create the actual folder that will store the profiles or home folders on the drive of your choice (E:\Profiles in the commands below).

Step #2 – Share out folder

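The second step is to share out the folder with the following command, which grants Everyone full control at the share level and leaves access control to the NTFS permissions set in the later steps: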

net share Profiles$=E:\Profiles /grant:everyone,full

Note that whether you create the share as a hidden share or not is up to you, as it is not mandatory.

Step #3 – Remove inheritance and inherited permissions

Remove the "Include inheritable permissions from this object’s parent" setting and the inherited permissions on the folder with the following command:

icacls E:\Profiles /inheritance:r


Note that I’ve come across situations where the command above would remove all the users, and times where it would leave an administrator account in place.

Don’t worry about the leftover account as we’ll fix that in the following steps.

Step #4 – Configure NTFS permissions

The final step is to assign the appropriate permissions to the following accounts as per the following TechNet blog post: http://blogs.technet.com/b/migreene/archive/2008/03/24/3019467.aspx

  • Everyone
  • Domain Admins
  • System
  • Creator Owner

The permissions for the accounts above can be set with the following commands:

icacls E:\Profiles /grant Everyone:(NP)(AD,RD,RA,X)

icacls E:\Profiles /grant "Domain Admins":(OI)(CI)F

icacls E:\Profiles /grant System:(OI)(CI)F

icacls E:\Profiles /grant "CREATOR OWNER":(OI)(CI)F

icacls E:\Profiles /remove administrators

Note that the last line is to remove the administrators permission that was left over from step #3.  Whether this is included isn’t particularly important but I’m removing it for cosmetic reasons.


With the commands successfully executed, the permissions on the profiles folder should show the four accounts from step #4 with the rights granted above.
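To confirm that a folder still carries the ACL built in steps #3 and #4, the text printed by icacls E:\Profiles can be checked mechanically. The Python below is an added example, not part of the original post; the two sample outputs, the CORP domain name and the function names are constructed for illustration.

```python
import re

INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}    # icacls inheritance markers
EVERYONE_RIGHTS = {"AD", "RD", "RA", "X", "S"}   # step #4 grant; S (synchronize) tolerated
FULL_CONTROL = {"domain admins", "system", "creator owner"}

def parse_acl(path, output):
    """Return {trustee: (flags, rights)} from the text printed by `icacls <path>`."""
    acl = {}
    for line in output.splitlines():
        line = line.removeprefix(path).strip()   # first ACE shares a line with the path
        if ":(" not in line:
            continue                             # blank lines and the summary line
        trustee, spec = line.split(":(", 1)
        tokens = set(re.findall(r"[A-Z]+", spec))
        name = trustee.rsplit("\\", 1)[-1].lower()   # drop the DOMAIN\ prefix
        flags, rights = acl.setdefault(name, (set(), set()))
        flags |= tokens & INHERIT_FLAGS
        rights |= tokens - INHERIT_FLAGS
    return acl

def audit(path, output):
    """List deviations from the ACL that steps #3 and #4 of the post produce."""
    acl, findings = parse_acl(path, output), []
    for name, (flags, rights) in sorted(acl.items()):
        if "I" in flags:
            findings.append(f"{name}: inherited ACE present, inheritance not removed")
        if name == "everyone":
            if flags & {"OI", "CI"}:
                findings.append("everyone: ACE propagates below the share root")
            if rights - EVERYONE_RIGHTS:
                findings.append(f"everyone: extra rights {sorted(rights - EVERYONE_RIGHTS)}")
        elif name in FULL_CONTROL:
            if "F" not in rights or not {"OI", "CI"} <= flags:
                findings.append(f"{name}: expected (OI)(CI)F")
        else:
            findings.append(f"{name}: not one of the four accounts in step #4")
    findings += [f"{n}: missing" for n in sorted(({"everyone"} | FULL_CONTROL) - set(acl))]
    return findings

# Constructed samples of `icacls E:\Profiles` output (not captured from a real server).
GOOD = r"""E:\Profiles Everyone:(NP)(RD,AD,X,RA)
            CORP\Domain Admins:(OI)(CI)(F)
            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
            CREATOR OWNER:(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files"""
DRIFTED = r"""E:\Profiles Everyone:(OI)(CI)(M)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            NT AUTHORITY\SYSTEM:(OI)(CI)(F)"""
```

An empty list from audit() means the folder matches the post's ACL; each string in a non-empty list names one deviation, such as Everyone holding rights that flow down into other users' folders.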

------------------------------------------------------------------------------------------------------------------------------------------------------------------

For those who just want the commands listed out, here they are:

net share Profiles$=E:\Profiles /grant:everyone,full

icacls E:\Profiles /inheritance:r

icacls E:\Profiles /grant Everyone:(NP)(AD,RD,RA,X)

icacls E:\Profiles /grant "Domain Admins":(OI)(CI)F

icacls E:\Profiles /grant System:(OI)(CI)F

icacls E:\Profiles /grant "CREATOR OWNER":(OI)(CI)F

icacls E:\Profiles /remove administrators

Hope this helps anyone looking to save some time when creating these profile folders.

