Tags: Active Directory, Batch Script, Scripts, Security, Windows Server

Windows Server Homefolder Permission Fix

Mike Hosker

In Active Directory environments that redirect user data to network shares, it's common to have a structure like:

\\domain.lan\homefolders\staff\
    mhosker\
    jsmith\
    abrown\

When a new user is created with a homefolder, AD assigns them full permissions on their own folder. These permissions are set explicitly on each subfolder, not inherited from the staff root.

The Problem

If someone modifies permissions on the staff root and propagates them down — even accidentally — it can overwrite the individual explicit permissions, locking users out of their own folders. With hundreds of users, fixing this manually is hours of work.

The Script

Save this as a .bat file and run it from within the homefolder root directory (e.g., \\domain.lan\homefolders\staff):

@echo off
setlocal

for /d %%i in (*) do (
    echo Fixing permissions for: %%i

    REM REM is used instead of :: here because :: is really a label, and
    REM labels inside a ( ) block can break cmd's parsing of the block.

    REM Grant the user Modify access to their own folder.
    REM icacls has no "C" (Change) right; that was cacls syntax. M is the equivalent.
    icacls "%%i" /grant "DOMAIN\%%i:(OI)(CI)M" /T
    if errorlevel 1 echo   WARNING: icacls failed for DOMAIN\%%i - does that account exist?

    REM Ensure Domain Admins have Full Control
    icacls "%%i" /grant "DOMAIN\Domain Admins:(OI)(CI)F" /T

    REM Ensure SYSTEM has Full Control
    icacls "%%i" /grant "SYSTEM:(OI)(CI)F" /T
)

endlocal
echo Done.
pause

Replace DOMAIN with your actual NetBIOS domain name.

What It Does

  • for /d %%i in (*) — iterates through every subdirectory (each user's folder)
  • /grant "DOMAIN\%%i:..." — uses the folder's own name as the username (which matches the AD sAMAccountName in a standard setup)
  • (OI)(CI) — object inherit and container inherit, so the entry propagates to new files and subfolders created later
  • M — Modify permission (read, write, execute, delete within their folder); this is icacls's equivalent of the old cacls "Change" right, which icacls does not accept
  • F — Full Control for admins
  • /T — applies the change recursively to all existing subfolders and files
  • if errorlevel 1 — flags folders whose name does not resolve to an account; icacls fails for those with a "No mapping between account names and security IDs" error and the loop moves on to the next folder

Notes

  • Run as a Domain Admin from the homefolder root directory
  • Works over UNC paths (\\server\share\staff), but cmd cannot use a UNC path as its current directory: open the root with pushd \\server\share\staff (which maps a temporary drive letter) before running the script, because cmd started directly on a UNC path falls back to the Windows directory and the for loop would iterate that instead
  • /grant only adds entries; it does not remove whatever was propagated down from the root. If the propagated ACL gave other groups access to user folders, review the root ACL and the inherited entries, marked (I) in icacls output, separately
  • If usernames don't match folder names exactly, you'll need to map them; check the AD sAMAccountName attribute against folder names first
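As an added example (not the post's script, and not part of the original page), the PowerShell below does the pre-check the last note asks for and reports the state of each folder before anything is granted: it resolves each folder name to a domain account, looks for an explicit (non-inherited) Allow entry for that user with at least Modify rights, and only with -Fix runs the same icacls grant the batch script uses, skipping folders whose name is not a valid account. The root path, the DOMAIN placeholder and the assumption that folder names are sAMAccountNames are taken from the post; everything else is assumed.

```powershell
# Audit (and optionally repair) per-user explicit ACEs on home folders.
# Added example, not the original post's script. Assumes the post's layout:
# one subfolder per user under $Root, named after the user's sAMAccountName.
param(
    [string]$Root   = '\\domain.lan\homefolders\staff',   # assumption: same layout as the post
    [string]$Domain = 'DOMAIN',                           # NetBIOS domain name, replace as in the post
    [switch]$Fix                                          # without -Fix this only reports
)

$modify = [System.Security.AccessControl.FileSystemRights]::Modify

$results = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $account = "$Domain\$($dir.Name)"

    # Resolve the name to a SID first. A folder whose name is not a real
    # account is reported and never granted anything.
    try {
        $null = ([System.Security.Principal.NTAccount]$account).Translate(
                    [System.Security.Principal.SecurityIdentifier])
    } catch {
        [pscustomobject]@{ Folder = $dir.Name; Account = $account; Status = 'NoSuchAccount'; Action = 'skip' }
        continue
    }

    # Look for an explicit (not inherited) Allow ACE for this user that
    # includes all Modify bits. FullControl passes this test too.
    $acl = Get-Acl -LiteralPath $dir.FullName
    $explicit = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $account -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }

    $status = if ($explicit) { 'OK' } else { 'MissingExplicitAce' }
    $action = 'none'

    if ($status -ne 'OK' -and $Fix) {
        # Same grant as the batch script (Modify, object+container inherit, recursive),
        # restricted to folders that passed the account check above.
        & icacls.exe $dir.FullName /grant "${account}:(OI)(CI)M" /T | Out-Null
        $action = if ($LASTEXITCODE -eq 0) { 'granted' } else { "icacls exit $LASTEXITCODE" }
    }

    [pscustomobject]@{ Folder = $dir.Name; Account = $account; Status = $status; Action = $action }
}

$results | Format-Table -AutoSize
```

Run it once without -Fix to get the list of folders that are fine, that lack their explicit entry, or that do not correspond to any account (the ones the last note says need mapping); rerun with -Fix to repair only the second group. The Domain Admins and SYSTEM grants from the batch script are deliberately left out, since they are not what distinguishes a broken folder from a good one.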