
I've started forcing myself to use PowerShell scripts for GPOs. I have updated GPOs to permit this but I'm seeking to allow Domain Admin access to user profiles for existing roaming user profiles.

icacls.exe \\sharedpath\user` profiles$\%username%.v2 /grant “domain\Domain Admins”:F /T /Q

This one is for the user profiles. Took some googling to figure out ` deals with spaces in paths. However, I'm really stuck with:

icacls.exe : Invalid parameter "domain\Domain Admins"

I can't seem to find anything related to spaces in parameters. I tried the obvious ' char but that makes no difference.

mknight
    Don't use scripts when you have a [group policy](https://support.microsoft.com/en-us/kb/222043) to do the same thing. Don't use typographic quotes. Put paths with spaces in quotes rather than escaping spaces with backticks. Also, PowerShell doesn't recognize `%` notation for environment variables, and CMD doesn't recognize backticks as escape characters. If for some reason you need to run the `icacls` commandline from PowerShell anyway do it like this: `icacls.exe "\\sharedpath\user profiles$\$env:USERNAME.v2" /grant "domain\Domain Admins:F" /T /Q` – Ansgar Wiechers Feb 14 '17 at 21:47

1 Answer


The PowerShell way (Windows PowerShell; the `GetAccessControl` instance method is a .NET Framework API):

# Path to the user's roaming profile folder. The trailing "$" of the share name and the
# subexpression around $env:username are written defensively; see the comments below.
# ($profilePath is used rather than $profile, which is PowerShell's automatic variable
# for the profile script and should not be overwritten.)
$profilePath = "\\sharedpath\user profiles`$\$($env:username).v2"

# Read the current DACL straight from the DirectoryInfo object.
$currentAcl = (Get-Item $profilePath).GetAccessControl('Access')

# Allow rule: FullControl for Domain Admins, inherited by subfolders (ContainerInherit)
# and files (ObjectInherit). The FileSystemRights enumerator is named 'FullControl';
# the shorter 'Full' is not a valid enumerator name and fails to convert.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList "Domain\Domain Admins", 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$currentAcl.SetAccessRule($rule)

# Write the modified DACL back to the folder.
$currentAcl | Set-Acl -Path $profilePath

Should go without saying that you should test it thoroughly before using it in a logon script.

Nasir
  • Escaping the trailing `$` in the share name isn't required. Neither is the subexpression around `$env:username` (if you want to be on the safe side use `${env:username}`). Also, `Set-Acl` sometimes has issues with setting ACLs, e.g. if the owner of an object is not the user running the cmdlet or any of his groups. Until Microsoft fixes that `icacls` is the more reliable approach. – Ansgar Wiechers Feb 15 '17 at 08:23
  • you're correct about the ownership issue. I've replaced the `Get-Acl` with more appropriate method. Escaping `$` and sub-expression are stylistic choices, more than anything. But noted for future :-) – Nasir Feb 16 '17 at 00:10
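Pulling together the quoting advice from the comment on the question and the `icacls` recommendation from the comment above, here is an added example that is not part of the question or of Nasir's answer. It keeps the share path and the group name from the question as placeholders; the function names, the `(OI)(CI)` inheritance flags, the exit-code check and the `Get-Acl` verification are my additions and assumptions, not anything the original poster wrote.

```powershell
# Added example (not from the original question or answer): grant "Domain Admins"
# full control over one roaming profile folder with icacls, then verify the ACE
# with Get-Acl. Share name, domain name and group name are placeholders.

$shareRoot = '\\sharedpath\user profiles$'   # assumed share; a trailing $ needs no escape in single quotes
$group     = 'domain\Domain Admins'          # assumed domain\group

# $env:USERNAME expands inside double quotes; the braces keep the variable name
# unambiguous when other characters follow it (PowerShell does not expand %username%).
$profilePath = Join-Path $shareRoot "${env:USERNAME}.v2"

function Grant-ProfileFullControl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Profile folder not found: $Path"
    }

    # Every argument is its own string, so PowerShell quotes the ones that contain
    # spaces when it hands them to icacls.exe; no backticks, no typographic quotes.
    # "${Identity}:" needs the braces, otherwise "$Identity:" is read as a scope/drive
    # qualifier. (OI)(CI) makes the ACE inherit to files and subfolders, the same
    # effect as ContainerInherit,ObjectInherit in the .NET FileSystemAccessRule.
    $icaclsArgs = @(
        $Path
        '/grant'
        "${Identity}:(OI)(CI)F"
        '/T'
        '/Q'
    )
    & icacls.exe @icaclsArgs
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed with exit code $LASTEXITCODE on $Path"
    }
}

function Test-ProfileFullControl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity
    )

    # Look for an explicit Allow ACE for the group that carries every FullControl bit.
    # -eq on strings is case-insensitive, so DOMAIN\Domain Admins still matches.
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl  = Get-Acl -LiteralPath $Path
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    return [bool]$match
}

Grant-ProfileFullControl -Path $profilePath -Identity $group
if (Test-ProfileFullControl -Path $profilePath -Identity $group) {
    Write-Host "Full control for $group confirmed on $profilePath"
} else {
    Write-Warning "Full control for $group not found on $profilePath"
}
```

Run it as an account that is allowed to change the folder's DACL; icacls does not depend on the caller owning the folder, which is the case the comment above describes as troublesome for `Set-Acl`. The verification only recognises an ACE whose rights decode to `FullControl`; an inherited generic-rights ACE shows a numeric value instead and would be reported as missing.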