It’s important to provide end users with a stable environment to host ‘user specific’ information. It is not uncommon for IT staff to receive calls from end users reporting they can not access information within their home drives or redirected folders.  Then IT staff find that they cannot access those files either. As a guideline and in an effort to hopefully stop existing IT staff from manually creating user folders; it is suggested that the parent folder NTFS permissions and share permissions be set as follows.

NTFS Perms for Home Drive and FDir
NTFS Permissions for Home Drive or Folder Redirection
Share Perms for Home Drive or FDir
Share Permissions for Home Drive or Folder Redirection

The FILEServerAdministrators group can be replaced with your group that is responsible for managing user data. Additionally, Authenticated users in the NTFS permissions can be replaced with the group of users you want to have Home Drives or Redirected folders on this file server.

It is a good practice to add Authenticated Users or Everyone with Full Control to the Share Permission, then limit access to files and folders with NTFS permissions.  This reduces the complexity when trying evaluate effective permissions when troubleshooting.

These permissions, when applied to the users folders not only give users full control of their files, but also gives administrators access to those files as well. As an extra bonus IT staff does not have to manually create the user folder; the users folders are created by the system.

How to fix it

Now we know what the parent permissions should be, how do you correct your current user folders? If you have gotten to a place where you cannot access users files and folders, you cannot simple check “Replace all child object permission entries with inheritable permission entries from this object”.  Note: if you don’t have access to the folder, you will not be able to change the permission for that folder, subfolders and files.

First you must take ownership of the files and folders, update the permissions and then return the ownership back to the user.  We do this by using two commands; subinacl.exe and icacls.exe.  SubInACL is a part of Windows Server 2003 Resource Kit, but it works well in Server 2008 and Server 2012.

subinacl /file E:Usersthomas.f /setowner=administrators
subinacl /subdirectories E:Usersthomas.f /setowner=administrators
icacls E:Usersthomas.f /reset /t /c
subinacl /file E:Usersthomas.f /setowner=thomas.f
subinacl /subdirectories E:Usersthomas.f /setowner=thomas.f
icacls E:Usersthomas.f /reset /t /c

The first two lines change the owner of the files and folders to the Administrators group. SubInACL has a quirk where when you use /subdirectories, the parent folder is not affected. The first command then is changing the parent user folder. Don’t forget the trailing back-slash at the end of the path for /subdirectories, otherwise only that folder is processed.

icacls /reset replaces ACLs with the inherited ACLs.

The next two lines changes the owner back to the user. The final icacls /reset ensures the ACE for the user is in the ACL.

All there is left to do is repeat this process for each user folder. I wrapped these command lines in a PowerShell script, then ran the script for a few users each weekend until all of the folders were corrected.