Permit Domain Admins access to roaming user profiles and redirected folders


I've started forcing myself to use PowerShell scripts for GPOs. I have updated GPOs to permit this but I'm seeking to allow Domain Admin access to user profiles for existing roaming user profiles.

icacls.exe \\sharedpath\user` profiles$\%username%.v2 /grant “domain\Domain Admins”:F /T /Q

This one is for the user profiles. Took some googling to figure out ` deals with spaces in paths. However, I'm really stuck with:

icacls.exe : Invalid parameter "domain\Domain Admins"

I can't seem to find anything related to spaces in parameters. I tried the obvious ' char but that makes no difference.


There are 1 best solutions below


The PowerShell way:

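# $profile is a PowerShell automatic variable, so use a different name
$profilePath = "\\sharedpath\user profiles`$\$($env:username).v2"

# Read only the access rules (DACL) of the profile folder
$currentAcl = (Get-Item $profilePath).GetAccessControl('Access')
# Full control for Domain Admins, inherited by subfolders and files
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList "Domain\Domain Admins",'FullControl','ContainerInherit,ObjectInherit','None','Allow'
$currentAcl.SetAccessRule($rule)
$currentAcl | Set-Acl -path $profilePath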

Should go without saying that you should test it thoroughly before using it in a logon script.
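
An added example, not part of the answer above: the same rule applied to every existing .v2 profile folder under the share, skipping folders that already carry it and supporting -WhatIf for a dry run. The function name Grant-ProfileFullControl and its parameters are hypothetical; it assumes Windows PowerShell 5.1 and an account that is allowed to change permissions on the profile folders.

```powershell
# Added example; the share path and group name below are the placeholders from the question.
function Grant-ProfileFullControl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ProfileRoot,   # e.g. '\\sharedpath\user profiles$'
        [Parameter(Mandatory)][string]$Identity       # e.g. 'domain\Domain Admins'
    )
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Resolve the account once; comparing SIDs avoids name-format mismatches.
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate($sidType)

    foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory -Filter '*.v2') {
        $acl = $dir.GetAccessControl('Access')        # DACL only, as in the answer
        # Look for an allow rule that already gives this SID inheritable full control.
        $existing = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit' -and
            ($_.FileSystemRights -band $full) -eq $full
        }
        if ($existing) {
            Write-Verbose "Already granted: $($dir.FullName)"
            continue
        }

        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $sid, $full, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)   # adds to the existing rules instead of replacing them
        if ($PSCmdlet.ShouldProcess($dir.FullName, "Grant FullControl to $Identity")) {
            Set-Acl -LiteralPath $dir.FullName -AclObject $acl
        }
    }
}

# Dry run first, then apply:
#   Grant-ProfileFullControl -ProfileRoot '\\sharedpath\user profiles$' -Identity 'domain\Domain Admins' -WhatIf
#
# icacls equivalent from PowerShell: keep account and permission inside ONE quoted
# argument, otherwise PowerShell passes the text after the closing quote separately.
#   icacls.exe $dir.FullName /grant "domain\Domain Admins:(OI)(CI)F" /T /Q
```

Run it with -WhatIf and -Verbose against a test share first and review the list of folders it reports before applying the change.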