Changing permissions on our users' homefolders
I have been trying to fix a permissions problem with our users' homefolders where everyone has access to all of the data in everyone's homefolders. This is on our Windows Server 2008 R2 domain controller.

The problem is that our UserHomes folder containing all of these homefolders has "Domain Users" set to have full control in the ACL. If I remove that, many people cannot access their homefolders because the owner of every homefolder has been set to the "Administrators" group instead of the user themselves, and most of the users have not individually been given control to their respective homefolder. It would be impossible to grant each user permission to their homefolder by hand; there are far too many users.

My thought was that maybe I could run a PowerShell script to give everyone full control of their respective homefolder, or somehow make everyone the owner of their own homefolder, so that I can remove "Domain Users" from having full control in the ACL of the parent folder.

I put together the following PowerShell script, which gets the username from the name of the homefolder since they are always the same. The sleep call is just because it wouldn't do anything without it for some reason:

    $a = Get-Item D:\UserHomes
    $b = Get-ChildItem $a
    foreach ($i in $b) {
        $Acl = Get-Acl D:\UserHomes\$i
        $Ar = New-Object system.security.accesscontrol.filesystemaccessrule($i,"FullControl","Allow")
        $Acl.SetAccessRule($Ar)
        Set-Acl D:\UserHomes\$i $Acl
        Start-Sleep -m 10
    }

This script doesn't work and complains about identity references not being translated. I also tried replacing $i with ($i.toString()).

Is a script the proper way to go about solving this or is there a better way? Thanks!
August 26th, 2011 2:06pm

I just figured out the solution on my own. The reason I was getting the identity references error is because I was testing the script on users who still had homefolders but were no longer AD users. The fix for everyone else was to change the

    $Ar = New-Object system.security.accesscontrol.filesystemaccessrule($i,"FullControl","Allow")

line to instead be

    $Ar = New-Object system.security.accesscontrol.filesystemaccessrule($i,"FullControl","ContainerInherit, ObjectInherit","None","Allow")

so that subfolders would inherit the full control rule for that user. Thanks.
August 26th, 2011 6:20pm
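An added example, not code from either post in this thread: the same per-folder grant with the inheritable rule from the fix, but resolving each folder name to a SID first so that folders left behind by deleted accounts are reported and skipped instead of raising the identity-translation error. It assumes each folder name equals the account name; the function name `Grant-HomeFolderAccess` and the domain name `CONTOSO` are placeholders.

```powershell
# Added example. Assumptions: folder name == account name, and the domain's
# NetBIOS name is passed in (CONTOSO below is a placeholder).
function Grant-HomeFolderAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [Parameter(Mandatory = $true)][string]$Domain
    )

    # Inheritable FullControl, as in the corrected rule from the thread.
    $rights    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    # PSIsContainer filter works on PowerShell 2.0 (no -Directory switch there).
    Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder  = $_
        $account = New-Object System.Security.Principal.NTAccount($Domain, $folder.Name)

        # Translate() throws when the account no longer exists (orphaned folder).
        try {
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            Write-Warning "No account for '$($folder.Name)'; skipping $($folder.FullName)"
            return   # inside ForEach-Object this moves on to the next folder
        }

        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, $rights, $inherit, $propagate, $allow)

        if ($PSCmdlet.ShouldProcess($folder.FullName, "Grant FullControl to $account")) {
            $acl = Get-Acl -Path $folder.FullName
            $acl.SetAccessRule($rule)   # replaces any existing Allow rule for this SID
            Set-Acl -Path $folder.FullName -AclObject $acl
        }
    }
}

# Dry run first; remove -WhatIf to apply the changes.
Grant-HomeFolderAccess -Root 'D:\UserHomes' -Domain 'CONTOSO' -WhatIf
```

The warnings produced for skipped folders double as a list of orphaned homefolders to review before "Domain Users" is removed from the parent ACL.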

This topic is archived. No further replies will be accepted.
