Roaming profiles are great for mobile users and VDI users, but managing the profile folders can present extra challenges. By default, a newly created profile folder gives access only to the local SYSTEM account and the user. You can add Administrator access using group policy [Link], but that setting cannot add other security principals such as Help Desk users. The sample script below does the following:
Script Limitations
This script can be enhanced or modified to suit other purposes. DISCLAIMER: This sample script is provided AS-IS with no warranties and confers no rights.
```powershell
# SCRIPT SAMPLE TITLE - Automate roaming profile folder permissions
# AUTHOR - Joji Oshima - Microsoft Corporation
# VERSION - 1.0
# RoamingProfile.ps1

############################################################
# Configuration Section
############################################################
# The possible values for Rights are:
############################################################
# ListDirectory, ReadData, WriteData
# CreateFiles, CreateDirectories, AppendData
# ReadExtendedAttributes, WriteExtendedAttributes, Traverse
# ExecuteFile, DeleteSubdirectoriesAndFiles, ReadAttributes
# WriteAttributes, Write, Delete
# ReadPermissions, Read, ReadAndExecute
# Modify, ChangePermissions, TakeOwnership
# Synchronize, FullControl
############################################################

$ProfileFolder = "\\server1\profiles"   # UNC path of the profile share
$Principal     = "contoso\helpdesk"     # security principal to grant access to
$Right         = "FullControl"          # one of the FileSystemRights values above

############################################################
# Main Program
############################################################
cls
Write-Host "`n WARNING: This script sample is provided AS-IS with no warranties and confers no rights." -ForegroundColor Yellow
Write-Host " This script sample is NOT intended for production use." -ForegroundColor Yellow
Write-Host " There is NO error handling and is not ready for mission-critical work." -ForegroundColor Yellow
Write-Host "`n This script sample will add defined ACLs for a security principal to the first level folders only"
Write-Host " It is designed to give permissions to each roaming profile folder for non-administrators (like help desk users)`n"

# FileSystemAccessRule constructor arguments:
#   identity, rights, inheritance flags, propagation flags, access control type
# ContainerInherit,ObjectInherit makes the ACE flow down to subfolders and files.
$permission = $Principal,$Right,"ContainerInherit,ObjectInherit","None","Allow"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($permission)

# Only the first-level folders (one per user profile) are touched
foreach ($folder in $(Get-ChildItem $ProfileFolder | Where-Object {$_.PSIsContainer -eq $true})) {
    Write-Host " Changing ACLs for: $folder" -ForegroundColor Green
    $acl = Get-Acl $folder.FullName
    # Add this access rule to the ACL
    $acl.SetAccessRule($rule)
    # Write the changes to the object
    Set-Acl $folder.FullName $acl
}

Write-Host "`n Done!`n" -ForegroundColor Yellow
################################################################
```
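As an added companion to the sample above (not part of the original post), the following script audits each first-level profile folder for the expected help-desk ACE and only adds it where it is missing, with -WhatIf support and per-folder error handling so one unreadable folder (see KB 222043) does not stop the run. The share path and principal are placeholders; it assumes PowerShell 3.0 or later for Get-ChildItem -Directory.

```powershell
# Added example: audit (and optionally remediate) help-desk ACEs on profile folders.
# $ProfileFolder and $Principal are placeholder values; adjust before use.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ProfileFolder = "\\server1\profiles",
    [string]$Principal     = "contoso\helpdesk",
    [System.Security.AccessControl.FileSystemRights]$Right = "FullControl",
    [switch]$Remediate      # without this switch the script only reports drift
)

$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Principal, $Right, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

if (-not (Test-Path -LiteralPath $ProfileFolder -PathType Container)) {
    throw "Profile share not reachable: $ProfileFolder"
}

foreach ($folder in Get-ChildItem -LiteralPath $ProfileFolder -Directory) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName
    } catch {
        # Admins may be denied until they take ownership (KB 222043); report and move on
        Write-Warning "Cannot read ACL on $($folder.FullName): $_"
        continue
    }
    # Look for an explicit (non-inherited) Allow ACE for the principal that already
    # carries at least the requested rights with the expected inheritance flags
    $ok = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $Right) -eq $Right -and
        $_.InheritanceFlags -eq $inherit
    }
    if ($ok) {
        Write-Verbose "OK: $($folder.Name)"
        continue
    }
    Write-Host "MISSING: $($folder.Name) lacks $Right for $Principal" -ForegroundColor Yellow
    if ($Remediate -and $PSCmdlet.ShouldProcess($folder.FullName, "Add $Right for $Principal")) {
        $acl.SetAccessRule($rule)
        Set-Acl -LiteralPath $folder.FullName -AclObject $acl
    }
}
```

Run it without -Remediate first to get a drift report; adding -Remediate -WhatIf shows which folders would be changed before any ACL is written.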
This script was based on Don Jones's blog post "Automate changes to Permissions".

Automate changes to Permissions
http://technet.microsoft.com/en-us/magazine/2008.02.powershell.aspx

Security Considerations when Configuring Roaming User Profiles
http://technet.microsoft.com/en-us/library/cc737633(v=WS.10).aspx

Roaming Profile Folders Do Not Allow Administrative Access
http://support.microsoft.com/kb/222043