I need to grant rights to server admin staff to access redirected folder content in user home shares. Since the user has exclusive rights to the content, I have created and linked a user logoff script which uses icacls.exe to make the changes to the DACL on the folders. (NOTE: I tried to make these changes using a logon script and they never took effect. I'm guessing it's related to timing and that the drives referenced by the script were not yet mapped during the logon process.)
The client machines are Windows 7 and the home folder shares are hosted on Windows Server 2003 servers.
I have some users reporting that it is literally taking minutes for them to log off, and we have isolated it to the logoff script and specific changes made by icacls.exe.
My script enables inheritance and/or grants rights to built-in Administrators and a domain group to redirected folder content.
The script is detailed here:
<---Begin
icacls "%HomeDrive%%HomePath%" /inheritance:e
icacls "%HomeDrive%%HomePath%\My Documents" /grant "Administrators":(OI)(CI)F
icacls "%HomeDrive%%HomePath%\My Documents" /grant "Group":(OI)(CI)MRXRW
icacls "%HomeDrive%%HomePath%\My Documents\My Music" /grant "Administrators":(OI)(CI)F
icacls "%HomeDrive%%HomePath%\My Documents\My Music" /grant "Group":(OI)(CI)MRXRW
icacls "%HomeDrive%%HomePath%\My Documents\My Pictures" /grant "Administrators":(OI)(CI)F
icacls "%HomeDrive%%HomePath%\My Documents\My Pictures" /grant "Group":(OI)(CI)MRXRW
icacls "%HomeDrive%%HomePath%\My Documents\My Videos" /grant "Administrators":(OI)(CI)F
icacls "%HomeDrive%%HomePath%\My Documents\My Videos" /grant "Group":(OI)(CI)MRXRW
icacls "%HomeDrive%%HomePath%\Favorites" /grant "Administrators":(OI)(CI)F
icacls "%HomeDrive%%HomePath%\Favorites" /grant "Group":(OI)(CI)MRXRW
<---End
I've read some postings about issues using icacls in script files, but for the users in question, running the same command from a command prompt still takes as long. The first command, enabling inheritance on the user's home folder, seems to take the longest.
Any suggestions for troubleshooting further or alternative methods for granting the privileges automatically would be appreciated.
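
One way to keep a logoff script like the one above from rewriting DACLs that are already in the wanted state (an added example, not part of the original post): it reads each folder's ACL first and calls icacls only when inheritance is still blocked or the identity has no explicit allow entry. `DOMAIN\Group` is a placeholder for the domain group, the rights strings are copied from the script above, and PowerShell on the Windows 7 clients is assumed.

```powershell
# Added example. Identity = name as Get-Acl reports it; IcaclsName = name as
# written in the original script. 'DOMAIN\Group' is a placeholder.
$homeRoot = "$env:HOMEDRIVE$env:HOMEPATH"

$grants = @(
    @{ Identity = 'BUILTIN\Administrators'; IcaclsName = 'Administrators'; Rights = '(OI)(CI)F' },
    @{ Identity = 'DOMAIN\Group';           IcaclsName = 'Group';          Rights = '(OI)(CI)MRXRW' }
)

$folders = @(
    'My Documents',
    'My Documents\My Music',
    'My Documents\My Pictures',
    'My Documents\My Videos',
    'Favorites'
)

# True when the ACL already holds a non-inherited Allow entry for the identity.
# Only presence is checked, not the exact rights mask.
function Test-ExplicitAllowAce($Acl, $Identity) {
    foreach ($ace in $Acl.Access) {
        if (-not $ace.IsInherited -and
            $ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Identity) {
            return $true
        }
    }
    return $false
}

# Re-enable inheritance on the home folder only while it is still blocked.
if ((Get-Acl -Path $homeRoot).AreAccessRulesProtected) {
    & icacls.exe $homeRoot /inheritance:e
}

foreach ($folder in $folders) {
    $path = Join-Path $homeRoot $folder
    if (-not (Test-Path -LiteralPath $path)) { continue }   # folder not redirected

    $acl = Get-Acl -Path $path
    foreach ($g in $grants) {
        if (-not (Test-ExplicitAllowAce $acl $g.Identity)) {
            # Grant only when the entry is missing.
            & icacls.exe $path /grant "$($g.IcaclsName):$($g.Rights)"
        }
    }
}
```

After the first successful run, later logoffs only read the ACLs and make no icacls calls unless an entry has been removed.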