I am using folder redirection and roaming profiles. Both are hosted on a DFS namespace, with access based enumeration enabled, and are in the format:
\\domain\home\F\L\user
where F = First initial, L = Last initial (yes there are a very large number of users)
Roaming profiles point to: \\domain\home\user\profile.v2
Redirects to: \\domain\home\F\L\user\redirected folder (via script and direct registry writes)
This works well for the most part, but recently we had issues with a corrupted virtual disk on one of our DCs. Long story short, the host died and I had to rebuild a new DC to put in its place. All was fine until the next morning, when DFS was non-functional.
DFS was brought back online and everything was functional except for a subset of users. These users were still not getting the redirect, and upon further investigation it came down to a permission issue.
What has happened is that each user's home directory is owned by the user and has the following permissions assigned:
Creator Owner | Full Control | Subfolder and files only.
Administrators and System | Full Control | This folder, subfolder and files
On most home directories I see also:
Owner User | Full Control | This folder only.
Which has been assigned from the Creator Owner Group
For those users who are having issues, on the specific folders they cannot access, the last permission in bold is missing. Due to access based enumeration they cannot even see the folder for which they are Owner.
My question is simple: how do I force the creator owner permission to be re-applied and to re-assign the Owner User | Full Control permission?
I can do this manually by going into advanced properties and ticking "replace all child object permissions with inheritable permissions from this object". Preferably I would like to build something into the script which forces a check and re-assigns, as appropriate, the permission from creator owner.
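
One way to script the check described above, as an added example that is not part of the original post: it reports home folders whose owner has no Full Control entry applying to the folder itself and, on request, re-grants it. The `-Repair` switch and the variable names are hypothetical; the `\\domain\home\F\L\user` layout is taken from the post, and the script assumes it runs elevated under an account covered by the Administrators entry.

```powershell
# Added example (not from the original post). Reports home folders whose owner
# has no Allow / Full Control ACE that applies to the folder itself, and
# optionally re-grants it. Run elevated as a member of Administrators.
param(
    [string]$HomeRoot = '\\domain\home',  # namespace root as written in the post
    [switch]$Repair                       # hypothetical switch: report-only without it
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$inhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Layout in the post is \\domain\home\F\L\user, so user folders sit three levels down.
Get-ChildItem -Path "$HomeRoot\*\*\*" -Directory | ForEach-Object {
    $path     = $_.FullName
    $acl      = Get-Acl -LiteralPath $path
    $ownerSid = $acl.GetOwner($sidType)

    # Compare by SID so accounts that no longer resolve to a name still match.
    $ownerAce = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $ownerSid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full -and
        -not ($_.PropagationFlags -band $inhOnly)   # must apply to this folder
    }

    if (-not $ownerAce) {
        if ($Repair) {
            # (F) with no inheritance flags = Full Control, this folder only.
            icacls.exe $path /grant "*$($ownerSid.Value):(F)" | Out-Null
        }
        # Owner is emitted so folders not owned by the expected user can be reviewed.
        [pscustomobject]@{
            Path     = $path
            Owner    = $acl.Owner
            Repaired = $Repair.IsPresent -and ($LASTEXITCODE -eq 0)
        }
    }
}
```

Run it without `-Repair` first and review the `Owner` column, since a folder owned by an administrative account rather than the user would receive the grant for that account instead.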