Como a ACL estranha parece ser por design, tive que verificar as permissões e alterá-las, se necessário, durante o logon do usuário, com um script PowerShell:
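Function Repair-UserFullControlACL {
    <#
    .SYNOPSIS
    Ensures that the account named by $FullUserName holds an explicit
    FullControl ACE on a folder, adding it when it is missing.

    .DESCRIPTION
    Reads the folder's ACL and looks for an explicit (non-inherited) Allow
    FullControl rule for the user that applies to the folder, its subfolders
    and its files. If no such rule exists, the function adds it, together with
    the same rule for Local System, BUILTIN\Administrators and CREATOR OWNER,
    then writes the ACL back.

    The user account is NOT a parameter: it is read from the $FullUserName
    variable of the calling scope, which must be set before the call.

    NOTE(review): FullControl includes the right to change permissions and to
    take ownership. Confirm that the user really needs to edit the ACL
    of this folder; otherwise "Modify" is the narrower grant.
    NOTE(review): the caller must already be allowed to rewrite the folder's
    DACL, and $Folder should be the user's own directory rather than a shared
    parent, because the rules are inherited by everything below it.

    .PARAMETER Folder
    Path of an existing directory (validated with Test-Path -PathType Container).
    #>
    Param(
        [Parameter(Mandatory=$true)]
        [ValidateScript({Test-Path $_ -PathType "Container"})]
        [string]$Folder
    )

    # Without the account name there is nothing safe to do: stop before touching the ACL.
    If ([string]::IsNullOrEmpty($FullUserName)) {
        Write-Warning "Erreur : la variable FullUserName est vide ; ACL de $Folder non modifiée"
        return
    }

    # Well-known SIDs replace the localized (French) account names, so the
    # function no longer depends on the display language of Windows:
    #   S-1-5-18     Local System
    #   S-1-5-32-544 BUILTIN\Administrators
    #   S-1-3-0      CREATOR OWNER
    $OtherSids = @("S-1-5-18", "S-1-5-32-544", "S-1-3-0")

    # Shape of every rule granted here: Allow FullControl on this folder,
    # inherited by subfolders and files.
    $Rights    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $Inherit   = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $Propagate = [System.Security.AccessControl.PropagationFlags]::None
    $Allow     = [System.Security.AccessControl.AccessControlType]::Allow

    Try {
        # Resolve the user once; an unknown account fails here, before any change is made.
        $ACLUser = New-Object System.Security.Principal.NTAccount($FullUserName)
        $UserSid = $ACLUser.Translate([System.Security.Principal.SecurityIdentifier])

        $Acl = Get-Acl $Folder -ErrorAction Stop

        # Compare by SID and by flag values rather than by formatted text, so
        # the check does not depend on how the account name was spelled.
        # Only explicit rules are listed: an inherited grant does not count.
        $RuleOK = $False
        ForEach ($ACLRule in $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
            If ($ACLRule.IdentityReference.Equals($UserSid) -and
                $ACLRule.AccessControlType -eq $Allow -and
                $ACLRule.FileSystemRights -eq $Rights -and
                $ACLRule.InheritanceFlags -eq $Inherit -and
                $ACLRule.PropagationFlags -eq $Propagate) {
                $RuleOK = $True
                break
            }
        }

        If (-not $RuleOK) {
            # The user first, then the three well-known principals.
            $Identities = @($UserSid)
            ForEach ($Sid in $OtherSids) {
                $Identities += New-Object System.Security.Principal.SecurityIdentifier($Sid)
            }
            ForEach ($Identity in $Identities) {
                $NewRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inherit, $Propagate, $Allow)
                $Acl.AddAccessRule($NewRule)
            }
            # Saving ACL
            Set-Acl -Path $Folder -AclObject $Acl -ErrorAction Stop
        }
    } catch {
        Write-Warning "Erreur : Impossible d'accorder le droit 'FullControl' à l'utilisateur sur $Folder : $($_.Exception.Message)"
    }
}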
Exemplo:
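# Example call on a UNC path (two leading backslashes). The function reads the
# account to authorize from $FullUserName in the calling scope, so that
# variable must already be set when this line runs.
Repair-UserFullControlACL "\\server\shared\userHomeDir"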