Adaxes

New user folder with NTFS permissions?

0 votes

We have our user folders set up in an "odd" way - everyone's main user drive is open to everyone, with the exception of a Private subfolder.

Right now I'm using a VBScript that kinda works (but doesn't do everything it's supposed to). I was wondering if there is some way to get this working in either PowerShell or Adaxes itself so that it can be automated and work correctly as we're trying to automate as much of this process as we can (we sometimes get 30+ new hires in a manner of a few weeks for our peak season).

So the folder permissions should look like the following (and nobody wants to change this):

<fileserver>\users\<username> - Domain Users read/modify, Domain Admins read/modify, Backup Operators read (works as designed)
<fileserver>\users\<username>\Private - <username> read/modify, Domain Admins read/modify, Backup Operators read (Domain admins is here so we can place files here from backup or print PDFs of new login info). (works as designed)
<fileserver>\users\<username>\desktop.ini - Needs to be read only for Administrators so the display of <username> doesn't change to "My Documents" in Windows 7. (doesn't work - however if we manually make the file read only, it fixes this issue too, so that would work).

Here is my current script (I didn't write it):

Option Explicit
Dim WSHSHELL, FILESYS, WSHSHELLEXEC, USERDRIVE, COMMAND, USERLOC, SUBINACL, CURRENTDIR, WRITER
'Set Data
Set WSHSHELL = CreateObject("WScript.Shell")
Set FILESYS = CreateObject("Scripting.FileSystemObject")
if WScript.Arguments.Count = 0 then
    WScript.Echo "Missing parameters"
    wscript.exit
end if

USERDRIVE = WScript.Arguments(0)
USERLOC = "\<fileserver>\USERS\" & USERDRIVE
SUBINACL = "\<fileserver>\Users\subinacl.exe"
CURRENTDIR = FILESYS.GetParentFolderName(Wscript.ScriptFullName)
if NOT RIGHT(currentdir, 1) = "\" then
    currentdir = currentdir & "\"
end if

If FILESYS.FolderExists(USERLOC) then
    WScript.Echo "This folder (" & USERDRIVE & ") currently exists.  Please either archive or delete folder."
    WSCRIPT.QUIT
end if

'Create user's home directory
FILESYS.CreateFolder(USERLOC)
'Create user's private folder
FILESYS.CreateFolder(USERLOC & "\Private")

'Set permissions
WRITER = "%COMSPEC% /C " & SUBINACL & " /subdirectories " & USERLOC & " /setowner=""<domain>\Domain Admins"""
COMMAND = WSHShell.Run(WRITER,0, false)
WRITER = "%COMSPEC% /C " & SUBINACL & " /subdirectories " & USERLOC & "\*.* /setowner=""<domain>\Domain Admins"""
COMMAND = WSHShell.Run(WRITER,0, false)

WRITER = "%COMSPEC% /C ECHO Y|CACLS " & USERLOC & " /T /C /G " & USERDRIVE & ":C"
COMMAND = WSHSHELL.Run(WRITER, 0, TRUE)
WRITER = "%COMSPEC% /C ECHO Y|CACLS " & USERLOC & " /T /C /E /G ""Backup Operators"":F"
COMMAND = WSHSHELL.Run(WRITER, 0, TRUE)
WRITER = "%COMSPEC% /C ECHO Y|CACLS " & USERLOC & " /T /C /E /G ""Domain Admins"":F"
COMMAND = WSHSHELL.Run(WRITER, 0, TRUE)
WRITER = "%COMSPEC% /C ECHO Y|CACLS " & USERLOC & " /T /C /E /G ""Domain Users"":C"
COMMAND = WSHSHELL.Run(WRITER, 0, TRUE)
WRITER = "%COMSPEC% /C ECHO Y|CACLS " & USERLOC & " /T /C /E /G SYSTEM:F"
COMMAND = WSHSHELL.Run(WRITER, 0, TRUE)
WRITER = "%COMSPEC% /C ECHO Y|XCOPY " & CurrentDir & "desktop.ini " & USERLOC
COMMAND = WSHSHELL.Run(WRITER, 0, TRUE)
WRITER = "%COMSPEC% /C ECHO Y|CACLS " & USERLOC & "\Private /T /C /G " & USERDRIVE & ":C"
COMMAND = WSHSHELL.Run(WRITER, 0, TRUE)
WRITER = "%COMSPEC% /C ECHO Y|CACLS " & USERLOC & "\Private /T /C /E /G ""Backup Operators"":F"
COMMAND = WSHSHELL.Run(WRITER, 0, TRUE)
WRITER = "%COMSPEC% /C ECHO Y|CACLS " & USERLOC & "\Private /T /C /E /G ""Domain Admins"":F"
COMMAND = WSHSHELL.Run(WRITER, 0, TRUE)
WRITER = "%COMSPEC% /C ECHO Y|CACLS " & USERLOC & "\Private /T /C /E /G SYSTEM:F"
COMMAND = WSHSHELL.Run(WRITER, 0, TRUE)
WRITER = "%COMSPEC% /C " & SUBINACL & " /subdirectories " & USERLOC & " /setowner=""<domain>\" & USERDRIVE & ""
COMMAND = WSHSHELL.Run(WRITER, 0, TRUE)
WRITER = "%COMSPEC% /C " & SUBINACL & " /subdirectories " & USERLOC & "\*.* /setowner=""<domain>\" & USERDRIVE & ""
COMMAND = WSHSHELL.Run(WRITER, 0, TRUE)
'Deny read access to Administrators to desktop.ini to fix file display as My Documents instead of user name.
WRITER = "%COMSPEC% /C " & SUBINACL & " /file " & USERLOC & "desktop.ini /deny=""<domain>\Administrators""=R"
COMMAND = WSHSHELL.Run(WRITER, 0, TRUE)

Set Writer = nothing
Set FILESYS = nothing
Set WSHShell = nothing
by (440 points)
0

Hello,

This can be done in Adaxes with PowerShell scripts. To help you with a solution, we need to ask you a couple of questions for clarification.

At what time is this done? The Private subfolder and the desktop.ini file are usually created by Windows when a user logs on to a Windows session for the first time. So, this should occur not right after the home folder is created. Or is the desktop.ini file copied from some template? If so, where is the source path for the file?

by (216k points)
0

This is usually done after we create a new user - the next step is to create their user drive and private subfolder.

For the desktop.ini file we usually just copy in or create a blank text file and rename it to desktop.ini, mark it as read only and hidden.

by (440 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

Our script guys have completed the job. Find the PowerShell script that they came up with below. The script creates the user's folder, the Private subfolder, the desktop.ini file and sets appropriate permissions for the folders and the file.

In the script:

  • $userDirectoryPath - specifies the template for the user's directory path,
  • $modifyUserFolder - specifies the groups that should have the Modify permission for the user's folder,
  • $readUserFolder - specifies the groups that should have the Read permission for the user's folder,
  • $modifyPrivateFolder - specifies the groups that should have the Modify permission for the Private subfolder,
  • $readPrivateFolder - specifies the groups that should have the Read permission for the Private subfolder.

Modify it to your requirements. 

$userDirectoryPath = "\\server\users\%username%" # TODO: modify me

$modifyUserFolder = @("domain\Domain Users", "domain\Domain Admins") # TODO: modify me
$readUserFolder = @("BUILTIN\Backup Operators") # TODO: modify me
$modifyPrivateFolder = @("domain\Domain Users", "domain\Domain Admins", "domain\%username%") # TODO: modify me
$readPrivateFolder = @("BUILTIN\Backup Operators") # TODO: modify me

# Function to set the Modify permission
function SetModifyPermission($objectName, $folderPath)
{
    $rights = [System.Security.AccessControl.FileSystemRights]"Modify"
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $object = New-Object System.Security.Principal.NTAccount($objectName)
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($object, $rights, $inheritanceFlag, $propagationFlag, $objType)
    $objACL = Get-ACL $folderPath

    try
    {
        $objACL.AddAccessRule($objACE)
    }
    catch
    {
        $Context.LogMessage("The object $objectName does not exist", "Warning")
    }

    Set-ACL $folderPath $objACL
}

# Function to set the Read permission
function SetReadPermission($objectName, $folderPath)
{
    $rights = [System.Security.AccessControl.FileSystemRights]"Read"
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $object = New-Object System.Security.Principal.NTAccount($objectName)
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($object, $rights, $inheritanceFlag, $propagationFlag, $objType)
    $objACL = Get-ACL $folderPath

    try
    {
        $objACL.AddAccessRule($objACE)
    }
    catch
    {
        $Context.LogMessage("The object $objectName does not exist", "Warning")
    }

    Set-ACL $folderPath $objACL 
}

# Give error and exit if the folder already exists
if (Test-Path -Path $userDirectoryPath)
{
    $Context.LogMessage("User folder already exists", "Error")
    return
}

# Create folder for the user
New-Item -Path $userDirectoryPath -Type Directory | Out-Null

# Set the Modify permission for the user's folder
foreach ($objectName in $modifyUserFolder)
{
    SetModifyPermission $objectName $userDirectoryPath
}

# Set the Read permission for the user's folder
foreach ($objectName in $readUserFolder)
{
    SetModifyPermission $objectName $userDirectoryPath
}

# Create the 'Private' subfolder
$subFolderPath = "$userDirectoryPath\Private"
New-Item $subFolderPath -Type Directory | Out-Null

# Set the Modify permission for the 'Private' subfolder
foreach ($objectName in $modifyPrivateFolder)
{
    SetModifyPermission $objectName $subFolderPath
}
# Set the Read permission for the 'Private' subfolder
foreach ($objectName in $readPrivateFolder)
{
    SetModifyPermission $objectName $subFolderPath
}

# Create the 'desktop.ini' file, make it hidden and set appropriate permissions
$filePath = "$userDirectoryPath\desktop.ini"
$file = New-Item $filePath -Type File
$file.attributes="Hidden"

$rights = [System.Security.AccessControl.FileSystemRights]"Read"
$objType = [System.Security.AccessControl.AccessControlType]::Deny
$inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$propagationFlag = [System.Security.AccessControl.PropagationFlags]::None

$everyone = New-Object System.Security.Principal.NTAccount("Everyone")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($everyone, $rights, $inheritanceFlag, $propagationFlag, $objType)
$objACL = Get-ACL $filePath
$objACL.SetAccessRuleProtection($True, $True)
$objACL.PurgeAccessRules($everyone)
$objACL.AddAccessRule($objACE)
Set-ACL $filePath $objACL

To execute the script every time a user is created, you need to create a Business Rule that will launch the script and will be executed after creating a user. To do this:

  1. Create a new Business Rule.
  2. On the 2nd step of the Create Business Rule wizard, select User and After Creating a User.
  3. On the 3rd step, add the Run a program or PowerShell script and paste the above script in the Script field.
0

Okay - I was able to test this and it worked for the most part.

However, it gave domain users read only rights to the main folder - not modify - which is the inherited permission (don't ask me why).

It also should stop inheritance for the private folder - any assistance with that? (I'm extremely new to PowerShell)

Here is what I have for my slightly moded code:

$userDirectoryPath = "\<server>\users\%username%" # TODO: modify me

$modifyUserFolder = @("<domain>\Domain Users", "<domain>\Domain Admins") # TODO: modify me
$readUserFolder = @("BUILTIN\Backup Operators") # TODO: modify me
$modifyPrivateFolder = @("<domain>\Domain Admins", "<domain>\%username%") # TODO: modify me
$readPrivateFolder = @("BUILTIN\Backup Operators") # TODO: modify me

# Function to set the Modify permission
function SetModifyPermission($objectName, $folderPath)
{
    $rights = [System.Security.AccessControl.FileSystemRights]"Modify"
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $object = New-Object System.Security.Principal.NTAccount($objectName)
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($object, $rights, $inheritanceFlag, $propagationFlag, $objType)
    $objACL = Get-ACL $folderPath

    try
    {
        $objACL.AddAccessRule($objACE)
    }
    catch
    {
        $Context.LogMessage("The object $objectName does not exist", "Warning")
    }

    Set-ACL $folderPath $objACL
}

# Function to set the Read permission
function SetReadPermission($objectName, $folderPath)
{
    $rights = [System.Security.AccessControl.FileSystemRights]"Read"
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $object = New-Object System.Security.Principal.NTAccount($objectName)
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($object, $rights, $inheritanceFlag, $propagationFlag, $objType)
    $objACL = Get-ACL $folderPath

    try
    {
        $objACL.AddAccessRule($objACE)
    }
    catch
    {
        $Context.LogMessage("The object $objectName does not exist", "Warning")
    }

    Set-ACL $folderPath $objACL 
}

# Give error and exit if the folder already exists
if (Test-Path -Path $userDirectoryPath)
{
    $Context.LogMessage("User folder already exists", "Error")
    return
}

# Create folder for the user
New-Item -Path $userDirectoryPath -Type Directory | Out-Null

# Set the Modify permission for the user's folder
foreach ($objectName in $modifyUserFolder)
{
    SetModifyPermission $objectName $userDirectoryPath
}

# Set the Read permission for the user's folder
foreach ($objectName in $readUserFolder)
{
    SetModifyPermission $objectName $userDirectoryPath
}

# Create the 'Private' subfolder
$subFolderPath = "$userDirectoryPath\Private"
New-Item $subFolderPath -Type Directory | Out-Null

# Set the Modify permission for the 'Private' subfolder
foreach ($objectName in $modifyPrivateFolder)
{
    SetModifyPermission $objectName $subFolderPath
}
# Set the Read permission for the 'Private' subfolder
foreach ($objectName in $readPrivateFolder)
{
    SetModifyPermission $objectName $subFolderPath
}

# Create the 'desktop.ini' file, make it hidden and set appropriate permissions
$filePath = "$userDirectoryPath\desktop.ini"
$file = New-Item $filePath -Type File
$file.attributes="Hidden"

$rights = [System.Security.AccessControl.FileSystemRights]"Read"
$objType = [System.Security.AccessControl.AccessControlType]::Deny
$inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$propagationFlag = [System.Security.AccessControl.PropagationFlags]::None

$everyone = New-Object System.Security.Principal.NTAccount("Everyone")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($everyone, $rights, $inheritanceFlag, $propagationFlag, $objType)
$objACL = Get-ACL $filePath
$objACL.SetAccessRuleProtection($True, $True)
$objACL.PurgeAccessRules($everyone)
$objACL.AddAccessRule($objACE)
Set-ACL $filePath $objACL
by (440 points)
0

Hello,

We've assigned the task to our script guys and will update the topic as soon as they come up with a script for you.

by (216k points)
0

Hello,

Here's an updated version of the script. With this version of the script, the folders do not inherit permissions from their parents, and all the permissions for the folders are set correctly as per your requirements.

$userDirectoryPath = "\<server>\users\%username%" # TODO: modify me

$modifyUserFolder = @("<domain>\Domain Users", "<domain>\Domain Admins") # TODO: modify me
$readUserFolder = @("BUILTIN\Backup Operators") # TODO: modify me
$modifyPrivateFolder = @("<domain>\Domain Admins", "<domain>\%username%") # TODO: modify me
$readPrivateFolder = @("BUILTIN\Backup Operators") # TODO: modify me

# Function to set the Modify permission
function SetModifyPermission($objectName, $folderPath)
{
    $rights = [System.Security.AccessControl.FileSystemRights]"Modify"
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    $inheritanceFlag = @([System.Security.AccessControl.InheritanceFlags]::ObjectInherit, [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None

    $object = New-Object System.Security.Principal.NTAccount($objectName)
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($object, $rights, $inheritanceFlag, $propagationFlag, $objType)
    $objACL = Get-ACL $folderPath
    $objACL.SetAccessRuleProtection($True, $False)
    try
    {
        $objACL.AddAccessRule($objACE)
    }
    catch
    {
        $Context.LogMessage("The object $objectName does not exist", "Warning")
    }

    Set-ACL $folderPath $objACL
}

# Function to set the Read permission
function SetReadPermission($objectName, $folderPath)
{
    $rights = [System.Security.AccessControl.FileSystemRights]"Read"
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    $inheritanceFlag = @([System.Security.AccessControl.InheritanceFlags]::ObjectInherit, [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None

    $object = New-Object System.Security.Principal.NTAccount($objectName)
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($object, $rights, $inheritanceFlag, $propagationFlag, $objType)
    $objACL = Get-ACL $folderPath
    $objACL.SetAccessRuleProtection($True, $False)
    try
    {
        $objACL.AddAccessRule($objACE)
    }
    catch
    {
        $Context.LogMessage("The object $objectName does not exist", "Warning")
    }

    Set-ACL $folderPath $objACL 
}

# Give error and exit if the folder already exists
if (Test-Path -Path $userDirectoryPath)
{
    $Context.LogMessage("User folder already exists", "Error")
    return
}

# Create folder for the user
New-Item -Path $userDirectoryPath -Type Directory | Out-Null

# Set the Modify permission for the user's folder
foreach ($objectName in $modifyUserFolder)
{
    SetModifyPermission $objectName $userDirectoryPath
}

# Set the Read permission for the user's folder
foreach ($objectName in $readUserFolder)
{
    SetReadPermission $objectName $userDirectoryPath
}

# Create the 'Private' subfolder
$subFolderPath = "$userDirectoryPath\Private"
New-Item $subFolderPath -Type Directory | Out-Null

# Set the Modify permission for the 'Private' subfolder
foreach ($objectName in $modifyPrivateFolder)
{
    SetModifyPermission $objectName $subFolderPath
}
# Set the Read permission for the 'Private' subfolder
foreach ($objectName in $readPrivateFolder)
{
    SetReadPermission $objectName $subFolderPath
}

# Create the 'desktop.ini' file, make it hidden and set appropriate permissions
$filePath = "$userDirectoryPath\desktop.ini"
$file = New-Item $filePath -Type File
$file.attributes="Hidden"

$rights = [System.Security.AccessControl.FileSystemRights]"Read"
$objType = [System.Security.AccessControl.AccessControlType]::Deny
$inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$propagationFlag = [System.Security.AccessControl.PropagationFlags]::None

$everyone = New-Object System.Security.Principal.NTAccount("Everyone")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($everyone, $rights, $inheritanceFlag, $propagationFlag, $objType)
$objACL = Get-ACL $filePath
$objACL.SetAccessRuleProtection($True, $False)
$objACL.PurgeAccessRules($everyone)
$objACL.AddAccessRule($objACE)
Set-ACL $filePath $objACL
by (216k points)
0

Thanks - that worked.

Now I need to be able to delete that folder upon a termination and right now the deny read causes it to not delete.

What I'm currently doing upon an AD account delete is the below (part of a larger script that makes sure the archive folder location exists)

Copy-Item -recurse -force \<server>\users\%username%\ \<server>\Archive\%username%\userdrive\
Remove-Item -force -recurse \<server>\users\%username%\

I'm assuming that if I reuse the code that creates the file, but change it so it removes the deny read, it should fix it, right?

by (440 points)
0

Hello,

Here's the script that will do the job:

$userDirectoryPath = "\<server>\users\%username%" # TODO: modify me
$archiveDirectoryPath = "\<server>\Archive\%username%\userdrive" # TODO: modify me

# Remove the Deny permission for Everyone from the desktop.ini file and set modify permission for Everyone
$filePath = "$userDirectoryPath\desktop.ini"
if (Test-Path -Path $filePath)
{
    $rights = [System.Security.AccessControl.FileSystemRights]"Modify"
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None

    $everyone = New-Object System.Security.Principal.NTAccount("Everyone")
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($everyone, $rights, $inheritanceFlag, $propagationFlag, $objType)
    $objACL = Get-ACL $filePath

    $objACL.PurgeAccessRules($everyone)
    $objACL.AddAccessRule($objACE)
    Set-ACL $filePath $objACL
}

Copy-Item -Recurse -Force $userDirectoryPath $archiveDirectoryPath
Remove-Item -Force -Recurse $userDirectoryPath

It removes the Deny permission from the desktop.ini file, copies the user folder specified by $userDirectoryPath to the archive folder specified by $archiveDirectoryPath, and then removes the user folder.

by (216k points)
0

Thank you very much - works great now.

by (440 points)
0

After turning over most of the new hires to other users, this script isn't doing the assign the new user account to the private folder if anyone else runs the script.

They are the same permission level in AD (Domain Admin) and Adaxes as I am, but it doesn't add the user to the folder.

It adds the domain admin and backup accounts, just not the user.

Any ideas?

If they manually go in and add the permissions, they can, it's just when this script runs as part of the business rule for new accounts. It still functions as normal for me.

by (440 points)
0

Hello,

We've asked our script guys to investigate the issue. We'll update the forum topic as soon as they come up with something.

by (216k points)
0

Hello,

Try the following modified version of the script. It should remedy the issue.

In the script:

  • $userDirectoryPath - a template for the user folder path,
  • $userFolderPermissions - specifies users/groups that should gain access to the user's folder along with their permissions for the folder,
  • $privateFolderPermissions - specifies users/groups that should gain access to the Private folder along with their permissions for the folder,

Modify the script to your requirements. 

$userDirectoryPath = "\\server\users\%username%" # TODO: modify me

$userFolderPermissions = @{"domain\Domain Users" = "Modify";
                          "domain\Domain Admins" = "Modify";
                          "BUILTIN\Backup Operators" = "Read"} # TODO: modify me

$privateFolderPermissions = @{"domain\Domain Admins" = "Modify";
                              "BUILTIN\Backup Operators" = "Read"} # TODO: modify me

# Function to set permissions
function AddACE($objectName, $permissions, $folderPath, $objACL)
{
    $rights = [System.Security.AccessControl.FileSystemRights]$permissions
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    $inheritanceFlag = @([System.Security.AccessControl.InheritanceFlags]::ObjectInherit, [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None

    $object = New-Object System.Security.Principal.NTAccount($objectName)
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($object, $rights, $inheritanceFlag, $propagationFlag, $objType)

    try
    {
        $objACL.AddAccessRule($objACE)
    }
    catch
    {
        $Context.LogMessage("The object $objectName does not exist", "Warning")

    }

    return $objACL
}

# Give error and exit if the folder already exists
if (Test-Path -Path $userDirectoryPath)
{
    $Context.LogMessage("User folder already exists", "Error")
    return
}

# Create folder for the user
New-Item -Path $userDirectoryPath -Type Directory | Out-Null

# Set permissions for the user's folder
$objACL = Get-ACL $userDirectoryPath
$objACL.SetAccessRuleProtection($True, $False)
foreach ($objectName in $userFolderPermissions.Keys)
{
    AddACE $objectName $userFolderPermissions[$objectName] $userDirectoryPath $objACL
}
Set-ACL $userDirectoryPath $objACL

# Create the 'Private' subfolder
$subFolderPath = "$userDirectoryPath\Private"
New-Item $subFolderPath -Type Directory | Out-Null

# Set permissions for the 'Private' subfolder
$objACL = Get-ACL $subFolderPath
$objACL.SetAccessRuleProtection($True, $False)
foreach ($objectName in $privateFolderPermissions.Keys)
{
    AddACE $objectName $privateFolderPermissions[$objectName] $subFolderPath $objACL
}
Set-ACL $subFolderPath $objACL

# Set permissions for the target user
$userSidBinary = $Context.TargetObject.Get("objectSid")
$userSid = New-Object System.Security.Principal.SecurityIdentifier($userSidBinary, 0)
$acl = Get-ACL $subFolderPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSid, "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-ACL $subFolderPath $acl

# Create the 'desktop.ini' file, make it hidden and set permissions
$filePath = "$userDirectoryPath\desktop.ini"
$file = New-Item $filePath -Type File
$file.attributes="Hidden"

$rights = [System.Security.AccessControl.FileSystemRights]"Read"
$objType = [System.Security.AccessControl.AccessControlType]::Deny
$inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$propagationFlag = [System.Security.AccessControl.PropagationFlags]::None

$everyone = New-Object System.Security.Principal.NTAccount("Everyone")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($everyone, $rights, $inheritanceFlag, $propagationFlag, $objType)
$objACL = Get-ACL $filePath
$objACL.SetAccessRuleProtection($True, $False)
$objACL.PurgeAccessRules($everyone)
$objACL.AddAccessRule($objACE)
Set-ACL $filePath $objACL
by (216k points)
0

Thanks, I'll have them try it out.

by (440 points)
0

Sorry to jump onto an older thread, but this script is exactly what I needed. Can you tell me what I would need to add in order to set the folder owner to be %username%?

Thanks
Ryan

by (920 points)
0

Hello Ryan,

We've asked our script guys to modify the script for you. We'll update you as soon as they come up with something.

by (216k points)
0

Ryan,

Here you are:

$userDirectoryPath = "\\server\users\%username%" # TODO: modify me

$userFolderPermissions = @{"domain\Domain Users" = "Modify";
                      "domain\Domain Admins" = "Modify";
                      "BUILTIN\Backup Operators" = "Read"} # TODO: modify me

$privateFolderPermissions = @{"domain\Domain Admins" = "Modify";
                          "BUILTIN\Backup Operators" = "Read"} # TODO: modify me

# Function to set permissions
function AddACE($objectName, $permissions, $folderPath, $objACL)
{
$rights = [System.Security.AccessControl.FileSystemRights]$permissions
$objType = [System.Security.AccessControl.AccessControlType]::Allow
$inheritanceFlag = @([System.Security.AccessControl.InheritanceFlags]::ObjectInherit, [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
$propagationFlag = [System.Security.AccessControl.PropagationFlags]::None

$object = New-Object System.Security.Principal.NTAccount($objectName)
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($object, $rights, $inheritanceFlag, $propagationFlag, $objType)

try
{
    $objACL.AddAccessRule($objACE)
}
catch
{
    $Context.LogMessage("The object $objectName does not exist", "Warning")

}

return $objACL
}

# Give error and exit if the folder already exists
if (Test-Path -Path $userDirectoryPath)
{
$Context.LogMessage("User folder already exists", "Error")
return
}

# Create folder for the user
$userFolder = New-Item -Path $userDirectoryPath -Type Directory

# Set permissions for the user's folder
$objACL = Get-ACL $userDirectoryPath
$objACL.SetAccessRuleProtection($True, $False)
foreach ($objectName in $userFolderPermissions.Keys)
{
AddACE $objectName $userFolderPermissions[$objectName] $userDirectoryPath $objACL
}
Set-ACL $userDirectoryPath $objACL

# Set user as the directory owner
$ownerAcl = New-Object "System.Security.AccessControl.DirectorySecurity"
$ownerAcl.SetOwner($userSid)
$userFolder.SetAccessControl($ownerAcl)

# Create the 'Private' subfolder
$subFolderPath = "$userDirectoryPath\Private"
New-Item $subFolderPath -Type Directory | Out-Null

# Set permissions for the 'Private' subfolder
$objACL = Get-ACL $subFolderPath
$objACL.SetAccessRuleProtection($True, $False)
foreach ($objectName in $privateFolderPermissions.Keys)
{
AddACE $objectName $privateFolderPermissions[$objectName] $subFolderPath $objACL
}
Set-ACL $subFolderPath $objACL

# Set permissions for the target user
$userSidBinary = $Context.TargetObject.Get("objectSid")
$userSid = New-Object System.Security.Principal.SecurityIdentifier($userSidBinary, 0)
$acl = Get-ACL $subFolderPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSid, "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-ACL $subFolderPath $acl

# Create the 'desktop.ini' file, make it hidden and set permissions
$filePath = "$userDirectoryPath\desktop.ini"
$file = New-Item $filePath -Type File
$file.attributes="Hidden"

$rights = [System.Security.AccessControl.FileSystemRights]"Read"
$objType = [System.Security.AccessControl.AccessControlType]::Deny
$inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$propagationFlag = [System.Security.AccessControl.PropagationFlags]::None

$everyone = New-Object System.Security.Principal.NTAccount("Everyone")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($everyone, $rights, $inheritanceFlag, $propagationFlag, $objType)
$objACL = Get-ACL $filePath
$objACL.SetAccessRuleProtection($True, $False)
$objACL.PurgeAccessRules($everyone)
$objACL.AddAccessRule($objACE)
Set-ACL $filePath $objACL
by (216k points)
0

Thank you so much! You guys are wonderful!

by (920 points)

Related questions

0 votes
1 answer
creating shared folder for set of people inside of file server with individual permissions

Hi, I need a script that will retrospectively create a sub-folder on file server's shared folder with following permissions: employee his/hers manager (taken from AD) specific ... for more pre-existing users that don't have them. Thanks for any feedback.

asked Nov 3, 2020 by roberttryba (70 points)
0 votes
1 answer
Home Folder Permissions after move

I am having an issue with home folder moves between servers. When I move a folder between servers, using Adaxes, the user permissions are lost. I know that this is expected ... to re-assign the user permissions so they can access their home folder again :?:

asked Sep 23, 2014 by rmedeiros (380 points)
0 votes
1 answer
Script to assign mailbox folder permissions for users

How would a script be written that accomplishes the following task? In this scenario, UserA would be selected with the Modify user action, then UserB would be input to ... rule that runs the script to allow reviewer permissions on UserA's calendar for UserB

asked Dec 6, 2012 by mdeflice (350 points)
0 votes
1 answer
Will it be possible to create a cloud only user through the REST AI with the new Azure AD integration in version 2023?

Hi When reading the REST API documentation it does not mention working directly against Azure AD and Exchange Online. Will this be added? Thanks /Peter Sonander

asked Jan 26, 2023 by Sonander (40 points)
0 votes
1 answer
create new user hybrid exchange with automatically update email addresses rule disable

Hi all I need to modify the template $remoteRoutingAddressTemplate with the default exchange option automatically update email addresses disable. How i make it?

asked Nov 28, 2022 by Simone.Vailati (430 points)
3,343 questions
3,044 answers
7,766 comments
544,953 users