
Atria File Share Permission Application Script

Overview

The Atria File Share Permission Application Script ensures the Atria Delegated FileShare Management group has the correct permissions across all file shares used by Atria services. This script validates network share accessibility and applies or verifies delegated permissions as needed.

Key capabilities:

  • Validates share accessibility across Atria services (FSS, WorkSpace, Citrix/HAAD, Hosted Exchange)
  • Applies delegated permissions to ensure proper access control
  • Supports both automated (database-driven) and manual (single-share) modes
  • Provides detailed logging and validation reporting

This script must be executed from the Atria Provisioning Server (Primary) and, if applicable, from each Remote Provisioning Server hosting related services.


Description

This PowerShell automation script manages file share permissions across your Atria infrastructure. It operates in two distinct modes to accommodate different operational scenarios:

Service Mode (Database-Driven)

In this mode, the script automatically retrieves all relevant UNC paths from the Atria configuration database for the selected service type:

  • FSS (File Sharing Service)
  • CitrixHAAD (Citrix/Hosted Apps profiles and home directories)
  • HE (Hosted Exchange mailbox import/export paths)
  • WorkSpace (Terminal server storage)

The script then validates accessibility and applies or verifies delegated permissions across all discovered shares.

Manual Override Mode (Single Share)

When you need to focus on a specific share, provide both -ServerName and -ShareName parameters. This bypasses all database lookups and processes only the explicit share \\ServerName\ShareName. This mode is ideal for:

  • Troubleshooting specific permission issues
  • Testing new shares before adding them to the database
  • Working with isolated or non-standard file shares

Permission Application Process

When you include the -ApplyPermissions switch, the script performs these key actions:

  1. Verifies that the <domain>\Atria Delegated FileShare Management group is a member of the local Administrators group on the provisioning server (using the localized group name for international deployments)
  2. Copies the helper script Update-AtriaFSSSharePermissions.ps1 from the provisioning server to C:\Temp\Atria on each target server
  3. Executes the permission update remotely for each share
  4. Captures detailed output for logging and troubleshooting
  5. Cleans up temporary files automatically

Without the -ApplyPermissions switch, the script runs in validation mode (dry run), checking accessibility without making any changes.
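The group check in step 1 can also be run on its own as a read-only audit. The following is an added example, not code from the Atria script; the function name Test-DelegatedGroupIsLocalAdmin is hypothetical, and it assumes the domain's NetBIOS name is available in $env:USERDOMAIN.

```powershell
# Added example: read-only audit, makes no changes to group membership.
function Test-DelegatedGroupIsLocalAdmin {
    param(
        # Assumption: the NetBIOS domain name of the logged-on account is the Atria domain.
        [string]$Domain    = $env:USERDOMAIN,
        [string]$GroupName = 'Atria Delegated FileShare Management'
    )

    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    # Translating it yields the localized name (for example VORDEFINIERT\Administratoren).
    $adminSid      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $localizedName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value

    # Resolve the delegated group to its SID so the comparison is not name-based.
    $principal = New-Object System.Security.Principal.NTAccount($Domain, $GroupName)
    try {
        $groupSid = $principal.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        throw "Group '$($principal.Value)' could not be resolved in the current domain."
    }

    # Enumerate local Administrators by SID, which works on any display language.
    $members = Get-LocalGroupMember -SID $adminSid

    [pscustomobject]@{
        AdministratorsGroup = $localizedName
        Principal           = $principal.Value
        IsMember            = [bool]($members | Where-Object { $_.SID.Value -eq $groupSid.Value })
        AllMembers          = $members.Name
    }
}

Test-DelegatedGroupIsLocalAdmin | Format-List
```

The AllMembers field lists every principal that currently holds local administrator rights on the server, which is worth reviewing whenever a delegated group is added.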


Requirements, Dependencies, and Limitations

Execution Environment

  • Must be executed on the Atria Provisioning Server (Primary) and any Remote Provisioning Servers hosting related services.
  • Requires PowerShell 5.1 or higher with Administrator privileges.

Atria Components

  • Membership in AtriaConfigService Users
  • Atria Provisioning Engine installed
  • Script must exist at:
C:\Program Files\Automate101\Atria\Provisioning Engine\Scripts\Update-AtriaFSSSharePermissions.ps1

Permissions and Access

  • Administrative rights on local and remote servers
  • SQL database access (service mode only)
  • SMB access to file shares
  • WinRM enabled

Limitations

For Private/Dedicated Environments, this script is not applicable. Please follow these steps instead:

  1. On the private provisioning server, add the Atria Delegated FileShare Management group to the local Administrators group.
  2. From the private provisioning server, copy the script C:\Program Files\Automate101\Atria\Provisioning Engine\Scripts\Update-AtriaFSSSharePermissions.ps1 to the server where the network share is located.
  3. On each server, run the copied script with the following parameters:
    • ShareName (The name of the share)
    • Principal (domain\Atria Delegated FileShare Management)

For Shares that are managed through DFS Management, this script is not applicable. Please follow these steps instead:

  1. Navigate to the server where DFS Management can be managed
  2. For each Share, manually grant full control security permissions to domain\Atria Delegated FileShare Management

Parameters

| Name | Type | Required | Description |
|------|------|----------|-------------|
| Service | String | Conditionally | Specifies which Atria service’s shares to process (FSS, CitrixHAAD, HE, or WorkSpace). Required when -ServerName and -ShareName are not used. |
| ApplyPermissions | Switch | No | Enables permission application mode. If omitted, the script runs in validation (dry run) mode and does not change permissions. |
| ServerName | String | Conditionally | Target server name for manual override mode. Must be used together with -ShareName. When both are provided, database lookups are skipped. |
| ShareName | String | Conditionally | Target share name on ServerName for manual override mode. Must be used together with -ServerName. When both are provided, database lookups are skipped. |

Important

  • Use either -Service (service mode) or -ServerName + -ShareName (manual override mode).
  • -Service is mandatory only when -ServerName and -ShareName are not supplied.

Script Execution Workflow

  1. Initialize Logging
    Creates a timestamped log file in the Logs folder for a complete audit trail. All events are logged with color-coded console output for immediate visibility.

  2. Determine Mode and Retrieve Share Paths

    • If -ServerName and -ShareName are provided:
      • The script enters manual override mode.
      • Builds a single UNC share \\ServerName\ShareName.
      • No database connection is made.
    • Otherwise (-Service mode):
      • Connects securely to the Atria configuration database using Get-AtriaSecret.
      • Retrieves distinct UNC paths based on the selected service type.
  3. Prepare and Filter Share List
    In service mode only, the script performs intelligent share path processing:

    • Expands {FileShareServer} tokens from database configurations
    • Detects administrative paths (e.g., \\server\C$\Atria\FSS) and intelligently tests:
      • The administrative share itself
      • Standard share variants (e.g., \\server\FSS)
      • Hidden share variants (e.g., \\server\FSS$)
    • Normalizes paths to root-level \\Server\Share format when possible
    • Removes duplicates to optimize processing
  4. Domain Detection and Group Validation

    • Detects the current Active Directory domain.
    • Constructs the principal <domain>\Atria Delegated FileShare Management.
    • Resolves the localized built-in Administrators group via its well-known SID.
    • Ensures the Atria Delegated FileShare Management group is a member of the local Administrators group on the provisioning server.
  5. Validate and Apply Permissions
    For each prepared share:

    • Uses Test-Path and Get-ChildItem to test share accessibility.
    • If -ApplyPermissions is used and the share is accessible:
      • Skips admin shares such as \\server\C$ (they are logged but not modified).
      • Creates C:\Temp\Atria remotely on the target server if missing.
      • Copies Update-AtriaFSSSharePermissions.ps1 to C:\Temp\Atria.
      • Executes the script remotely for the specific share and principal.
      • Captures and logs remote output.
      • Cleans up the temporary script file afterward.
    • Logs failures or limited access for later review.
  6. Summary Reporting
    Generates a final summary for all processed shares:

    • OK: Share accessible and (if enabled) permissions update completed successfully
    • Limited: Share accessible but with limited rights (for example Get-ChildItem fails)
    • Fail: Share not reachable (Test-Path fails)
    • Error: Execution error or unexpected exception
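The share-list preparation described in step 3, sketched as an added example. This is not the Atria script's own code: the function name Get-CandidateSharePath is hypothetical, the sample paths are constructed, and deriving the share name from the last folder of an administrative path is an assumption based on the \\server\C$\Atria\FSS example above.

```powershell
# Added example: builds the list of share paths to test; touches no shares.
function Get-CandidateSharePath {
    param(
        [string[]]$Path,            # UNC paths as they might be stored in configuration
        [string]$FileShareServer    # value substituted for the {FileShareServer} token
    )

    # Case-insensitive set so \\FS01\FSS and \\fs01\fss count as one share.
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)

    foreach ($raw in $Path) {
        $unc = $raw.Replace('{FileShareServer}', $FileShareServer).TrimEnd('\')

        # Expect \\server\share with optional sub-folders.
        if ($unc -notmatch '^\\\\(?<server>[^\\]+)\\(?<share>[^\\]+)(?<rest>\\.+)?$') {
            Write-Warning "Skipping non-UNC path: $raw"
            continue
        }
        $server = $Matches.server
        $share  = $Matches.share
        $rest   = $Matches.rest

        $candidates = if ($share -match '^[A-Za-z]\$$' -and $rest) {
            # Administrative drive share (C$, D$, ...): keep the path itself and
            # add the standard and hidden share variants named after the last folder.
            $leaf = $rest.Split('\')[-1]
            $unc, "\\$server\$leaf", "\\$server\$leaf`$"
        } else {
            # Ordinary share: normalize to the root-level \\Server\Share form.
            "\\$server\$share"
        }

        # Emit each candidate once, preserving first-seen order.
        foreach ($c in $candidates) {
            if ($seen.Add($c)) { $c }
        }
    }
}

# Constructed sample input, not taken from a real Atria database.
$sample = '\\{FileShareServer}\C$\Atria\FSS', '\\FS01\FSS\Customers\Contoso',
          '\\fs01\fss', '\\FS02\Profiles$'
Get-CandidateSharePath -Path $sample -FileShareServer 'FS01'
```

With the sample input, the duplicate forms of \\FS01\FSS collapse into one entry, and the administrative path stays in the list so it can be logged without being modified, as step 5 describes.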

Affected Services (Service Mode)

| Service | Description | Typical Use |
|---------|-------------|-------------|
| FSS (File Sharing Service) | Shared network paths used for customer/user storage. | Applies delegated permissions to shared folders managed by Atria. |
| CitrixHAAD | User profile and home directory shares for Citrix/Hosted Apps. | Ensures delegated permissions for Citrix profile storage. |
| HE (Hosted Exchange) | Import/export root paths for mailbox data. | Applies permissions to Hosted Exchange mailbox directories. |
| WorkSpace | Terminal server file and profile shares. | Ensures delegated permissions for WorkSpace storage. |

These service mappings apply only when running in service mode with -Service.
In manual override mode, the script processes only the explicit \\ServerName\ShareName you provide.


Example Usage

Validation Only (Dry Run)

.\Update-AtriaServiceShares.ps1 -Service FSS

Apply Delegated Permissions

.\Update-AtriaServiceShares.ps1 -Service WorkSpace -ApplyPermissions

Manual Override: Validate a Single Share

.\Update-AtriaServiceShares.ps1 -ServerName FS01 -ShareName FSS

Manual Override: Apply Permissions to a Single Share

.\Update-AtriaServiceShares.ps1 -ServerName FS01 -ShareName FSS -ApplyPermissions

Output

Console Output Colors

  • Green: Success
  • Yellow: Limited access or skipped admin shares
  • Red: Errors or unreachable shares
  • Gray: Informational messages

Log File

Log files are saved under:

.\Logs\Update-AtriaServiceShares_<Service>_<Timestamp>.txt

In manual override mode:

.\Logs\Update-AtriaServiceShares__<Timestamp>.txt

Important Notes

  • Repeatable design: The script can be re-run safely; it only applies missing permissions without overwriting existing configurations
  • Cross-server consistency: Designed for reliable execution across multiple servers in complex Atria deployments
  • Internationalization support: Automatically resolves localized Administrators group names for non-English Windows installations
  • Best practice: Use manual override mode (-ServerName + -ShareName) when diagnosing specific permission issues

Download

Now that you understand how this script works and its requirements, you can download it here:

Download Update-AtriaServiceShares.zip

The package includes:

  • Update-AtriaServiceShares.ps1 (main script)

Support

If you encounter any issues or require assistance, contact:
support@getatria.com