Skip to main content

Atria File Share Permission Application Script

Overview

The Atria File Share Permission Application Script applies delegated file share permissions for Atria services, validating network share accessibility before and during execution. It ensures the Atria Delegated FileShare Management group has the correct rights across all related shares.

This script is executed from the Atria Provisioning Server (Primary), and if applicable, from each Remote Provisioning Server that manages related services such as FSS, WorkSpace, or Citrix/HAAD.

Download the following files before proceeding: Update-AtriaServiceShares.zip

Description

This PowerShell script retrieves UNC paths from the configuration database, validates their accessibility, and remotely applies or verifies delegated file share permissions for Atria-managed services.
When the -ApplyPermissions switch is used, it ensures the <domain>\Atria Delegated FileShare Management group is present in the local Administrators group and executes Update-AtriaFSSSharePermissions.ps1 remotely for each share.

Temporary scripts are copied to C:\Atria\Temp on target servers during execution and removed afterward.

Parameters

NameTypeRequiredDescription
ServiceStringYesSpecifies which Atria service’s shares to process. Must be one of: FSS, CitrixHAAD, HE, or WorkSpace.
ApplyPermissionsSwitchNoEnables permission application mode. If omitted, the script runs in validation (dry run) mode.

Script Execution Workflow

  1. Initialize Logging
    Creates a timestamped log file in the Logs folder under the script’s directory.
    Logs all events with color-coded console output for clarity.

  2. Retrieve Share Paths from Database
    Connects securely to the Atria configuration database using Get-AtriaSecret.
    Retrieves distinct UNC paths based on the selected service type.

  3. Prepare and Filter Share List
    Expands {FileShareServer} tokens.
    Handles administrative shares (e.g., C$, D$).
    Removes duplicates and prepares the final list for validation.

  4. Domain Detection and Group Validation
    Detects the current Active Directory domain.
    Ensures that the Atria Delegated FileShare Management group exists in local Administrators.

  5. Validate and Apply Permissions
    Uses Test-Path and Get-ChildItem to test share accessibility.
    If -ApplyPermissions is used and shares are accessible:

    • Creates C:\Atria\Temp remotely (if missing).
    • Copies and executes Update-AtriaFSSSharePermissions.ps1 remotely.
    • Cleans up temporary files afterward.
    • Logs failures or limited access for review.

  6. Summary Reporting
    Generates a final summary for all processed shares:

    • OK: Permissions applied successfully
    • Limited: Accessible with restricted access
    • Fail: Share not reachable
    • Error: Execution error or unexpected result

Affected Services

ServiceDescriptionTypical Use
FSS (File Sharing Service)Shared network paths used for customer/user storage.Applies delegated permissions to shared folders managed by Atria.
Citrix/HAADUser profile and home directory shares for Citrix/Hosted Apps.Ensures delegated permissions for Citrix profile storage.
HE (Hosted Exchange)Import/export root paths for mailbox data.Applies permissions to Hosted Exchange mailbox directories.
WorkSpaceTerminal server file and profile shares.Ensures delegated permissions for WorkSpace storage.

Requirements and Dependencies

Execution Environment

  • Must be executed on the Atria Provisioning Server (Primary) and any Remote Provisioning Servers hosting related services.
  • Requires PowerShell 5.1 or higher with Administrator privileges.

Atria Components

  • Membership in the AtriaConfigService Users group (for retrieving Atria Connection Strings).
  • Atria Provisioning Engine must be installed and configured.
  • The following script must exist: 
    C:\Program Files\Automate101\Atria\Provisioning Engine\Scripts\Update-AtriaFSSSharePermissions.ps1

Permissions and Access

  • Administrative rights on local and remote servers.
  • Access to the Atria SQL configuration database.
  • Network access (SMB/CIFS) to all target shares.
  • WinRM (Remote PowerShell Remoting) enabled on target servers.

External Services

  • SQL connectivity to the Atria Configuration Database.
  • Active Directory domain connectivity for validating group membership.

Example Usage

Validation Only (Dry Run)

.\Apply-AtriaSharePermissions.ps1 -Service FSS

Apply Delegated Permissions

.\Apply-AtriaSharePermissions.ps1 -Service WorkSpace -ApplyPermissions

Execution Scope

  • Run from the Primary Provisioning Server.
  • Repeat on Remote Provisioning Servers where corresponding services are hosted.

Output

Console Output

  • Green: Permission successfully applied or validated
  • Yellow: Limited access or skipped admin shares
  • Red: Errors or unreachable shares
  • Gray: Informational messages

Log File

A plain-text log file is generated at:

.\Logs\Update-AtriaServiceShares_<Service>_<Timestamp>.txt

It contains all operations, results, and timestamps.

Notes

  • Must be executed from the Provisioning Server (Primary) and any Remote Provisioning Servers managing related services.
  • Requires Administrator rights locally and remotely.
  • Safe to re-run for the same service; only missing or incorrect permissions will be updated.
  • Ensure consistent versions of Atria components across all servers before execution.

Support

If you encounter any issues or require assistance, contact:
📧 support@getatria.com