

Grant access to user's home folder

July 11, 2017

The script shows how to grant the user's manager, and the users listed in the Adaxes custom property CustomAttributeText1, full access to the user's home folder.

The usernames of the users to whom you want to grant full access must be specified in the custom attribute as a comma-separated list, for example: jdoe, bstephens, jburns. To allow users to edit the property, you need to make it available on the page for creating and/or editing users. For information on how to do this, see Customize Forms for User Creation and Editing (starting from step 6).

To grant access to home folders using the script, you need to create a Business Rule triggered after creating or updating a user. For more details, see Run PowerShell Script after Creating a User.

# Home folder path: without homeDirectory there is nothing to grant access to
try { $userShare = $Context.TargetObject.Get("homeDirectory") }
catch
{
    $Context.LogMessage("The user does not have a home directory.", "Warning") # TODO: modify me
    return
}

# Manager DN: the script stops here when no manager is assigned
try { $managerDN = $Context.TargetObject.Get("manager") }
catch
{
    $Context.LogMessage("The user does not have a manager assigned in AD.", "Warning") # TODO: modify me
    return
}

# Comma-separated account names from the custom attribute; left as $NULL when
# the attribute is not set (Get throws on an empty attribute).
# Whoever is allowed to edit this attribute can thereby grant full control on the
# home folder to any account in the domain, so restrict edit rights to it accordingly.
try { $userNames = ($Context.TargetObject.Get("adm-CustomAttributeText1")) -split "," } # TODO: modify me
catch { $userNames = $NULL }
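# Grants an account FullControl on a folder, on the folder itself and on
# everything created beneath it.
#   $userName   - sAMAccountName of the account to grant access to
#   $domainName - domain the account belongs to (first part of DOMAIN\user)
#   $userShare  - path of the home folder (value of homeDirectory)
# Logs a warning and leaves the ACL untouched when the account cannot be
# resolved, so that one bad entry does not abort the remaining grants.
# NOTE: FullControl also lets the grantee change permissions and take ownership;
# if only read/write is required, Modify is the less privileged right.
function SetFullControlPermission($userName, $domainName, $userShare)
{
    $rights = [System.Security.AccessControl.FileSystemRights]"FullControl"
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    # ContainerInherit + ObjectInherit: subfolders AND files inherit the ACE.
    # PropagationFlags None (not InheritOnly): the ACE also applies to the home
    # folder itself; with InheritOnly the grantee could not open the folder.
    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $objUser = New-Object System.Security.Principal.NTAccount($domainName, $userName)

    # Resolve the account before touching the ACL: Set-ACL throws on an unknown
    # account, which would terminate the script part-way through the list.
    try
    {
        $objUser.Translate([System.Security.Principal.SecurityIdentifier]) | Out-Null
    }
    catch
    {
        $Context.LogMessage("Account '$domainName\$userName' could not be resolved; no permission was granted.", "Warning")
        return
    }

    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $rights, $inheritanceFlag, $propagationFlag, $objType)
    $objACL = Get-ACL $userShare
    $objACL.AddAccessRule($objACE)
    Set-ACL $userShare $objACL
}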
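# Domain of the target user; used to resolve the accounts listed in the custom attribute
$domainName = $Context.GetObjectDomain("%distinguishedName%")

# Manager's account name and the manager's own domain: a manager may live in a
# different domain of the forest than the user, and the user's domain would then
# not resolve the manager's NTAccount.
$manager = $Context.BindToObjectByDN($managerDN)
$managerName = $manager.Get("sAMAccountName")
$managerDomainName = $Context.GetObjectDomain($managerDN)

# Grant the manager full control over the home folder
SetFullControlPermission $managerName $managerDomainName $userShare

# Grant full control to each user listed in the custom attribute.
# Blank entries (a trailing comma, "a,,b") are skipped so that an empty account
# name does not make Set-ACL fail and abort the remaining grants.
if ($userNames -ne $NULL)
{
    foreach ($userName in $userNames)
    {
        $trimmedName = $userName.Trim()
        if ([string]::IsNullOrEmpty($trimmedName))
        {
            continue
        }
        SetFullControlPermission $trimmedName $domainName $userShare
    }
}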
