I’ve written this blog post with the intention of documenting the permissions required when creating a share that is to be used for folder redirection. I have worked on a number of sites where there has been permission issues when attempting to redirect folders (however they are being implemented: GPO or AppSense Environment Manager).
Microsoft have written a knowledge base article about this so I’m assuming that they’ve had a number of calls about this as well. Their article can be found here.
To make my life easier when I attend site (and to ensure that my implementations stay as consistent as possible), I have written a quick batch file that can be executed on the server that will contain the share. There isn’t a huge amount of error checking in it at present, but it does adhere to the settings in the Microsoft article.
There is a reliance on the icacls utility which is included in Windows Server 2008 and above. The utility is also available on Server 2003 SP2 as described here. I haven’t checked, but the syntax may well be different.
Contents of the batch file:
@echo off title Creating Folder Redirection Share set /p FOLDER_PATH=Enter the path for the folder: set /p SHARE_NAME=Enter the sharename for the folder: if exist %FOLDER_PATH% (goto DIR_ALREADY) ELSE (goto CREATE_DIR) :CREATE_DIR echo Creating %FOLDER_PATH% mkdir %FOLDER_PATH% goto SET_PERM :DIR_ALREADY choice /m "%FOLDER_PATH% already exists. Would you like to continue " if ERRORLEVEL 2 GOTO END :SET_PERM echo Setting permissions on %FOLDER_PATH% icacls %FOLDER_PATH% /inheritance:r /grant "CREATOR OWNER":(OI)(CI)(IO)F "SYSTEM":(OI)(CI)F "Domain Admins":(OI)(CI)F "Everyone":(S,RD,AD,X,RA) > NUL :DIR_CONFIRM echo Permissions on %FOLDER_PATH% are now set to: - icacls %FOLDER_PATH% :DIR_SHARE echo Sharing %FOLDER_PATH% as %SHARE_NAME% net share %SHARE_NAME%=%FOLDER_PATH% /GRANT:Everyone,FULL :END echo. pause
It can be downloaded from here