Access Denied to Roaming Profiles

By default the roaming profiles folders for users are only allowed access from the SYSTEM and the user themselves. This can be prevented in Group Policy ahead before the folder is created, Computer Configuration, Administrative Templates, System, User Profiles, Add the Administrators security group to roaming user profiles.

However if you haven’t done this and already there are heaps of user profile folders which you don’t have access to, this is how to gain access to roaming profile folders.

Using two tools, the first is SubInAcl.exe available from Microsoft, and the second is cacls.exe which you should already have by default in Windows.

  1. These first two commands will give the local administrators group ownership of the user’s folder and everything underneath. NOTE: This will not change any existing permissions.

    SubInAcl /subdirectories D:\Profile\User.Name /setowner=Administrators
    SubInAcl /subdirectories D:\Profile\User.Name\*.* /setowner=Administrators

  2. This second command will give the local administrators group full access to the user’s folder

    cacls D:\Profile\User.Name /T /E /C /G Administrators:F

In the end, the two default entries will stay in the ACL, however this will add in the local administrators group as well. Which is how it should be if the Group Policy did it automatically.


  1. helped me, only 5 users but easier to do it all at server than on each PC

    I could see using the cacls line in a login script in a larger organization being very helpful

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s