By default the roaming profiles folders for users are only allowed access from the SYSTEM and the user themselves. This can be prevented in Group Policy ahead before the folder is created, Computer Configuration, Administrative Templates, System, User Profiles, Add the Administrators security group to roaming user profiles.
However if you haven’t done this and already there are heaps of user profile folders which you don’t have access to, this is how to gain access to roaming profile folders.
Using two tools, the first is SubInAcl.exe available from Microsoft, and the second is cacls.exe which you should already have by default in Windows.
- These first two commands will give the local administrators group ownership of the user’s folder and everything underneath. NOTE: This will not change any existing permissions.
SubInAcl /subdirectories D:\Profile\User.Name /setowner=Administrators
SubInAcl /subdirectories D:\Profile\User.Name\*.* /setowner=Administrators
- This second command will give the local administrators group full access to the user’s folder
cacls D:\Profile\User.Name /T /E /C /G Administrators:F
In the end, the two default entries will stay in the ACL, however this will add in the local administrators group as well. Which is how it should be if the Group Policy did it automatically.