Script Repository


Grant access to user's home folder

August 26, 2021

The scripts grant full access permissions over the home folder of the target user account.

Script 1: Manager and additional delegates

The script grants the permissions to the user's manager and other delegates whose usernames (sAMAccountNames) are specified in a text property. The usernames must be specified as a comma-separated list, for example: jdoe, bstephens, jburns. To execute the script, create a business rule, custom command or scheduled task configured for the User object type.

In the script, the $additionalDelegatesPropertyName variable specifies the LDAP name of the property storing the list of additional delegates.

PowerShell
$additionalDelegatesPropertyName = "adm-CustomAttributeText1" # TODO: modify me

# Get home directory folder
try
{
    $userShare = $Context.TargetObject.Get("homeDirectory")
}
catch
{
    $Context.LogMessage("The user does not have a home directory.", "Warning") # TODO: modify me
    return
}
# Get manager DN
try
{
    $managerDN = $Context.TargetObject.Get("manager")
}
catch
{
    $Context.LogMessage("The user does not have a manager assigned in AD.", "Warning") # TODO: modify me
    return
}
try
{
    $userNames = ($Context.TargetObject.Get($additionalDelegatesPropertyName)).Split(",") # TODO: modify me
}
catch
{
    $userNames = $NULL
}
function SetFullControlPermission($userName, $domainName, $userShare)
{
    $rights = [System.Security.AccessControl.FileSystemRights]"FullControl"
    $objUser = New-Object System.Security.Principal.NTAccount($domainName, $userName)
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $rights, "ContainerInherit, ObjectInherit", "None", "Allow")
    $objACL = Get-ACL $userShare
    try
    {
        $objACL.AddAccessRule($objACE)
        Set-ACL $userShare $objACL -ErrorAction Stop
    }
    catch
    {
        $Context.LogMessage("An error occurred while adding the permissions for user '$userName'. Error: " + $_.Exception.Message, "Warning")
    }
}

# Get domain name
$domainName = $Context.GetObjectDomain("%distinguishedName%")

# Get manager name and domain name
$manager = $Context.BindToObjectByDN($managerDN)
$managerName = $manager.Get("sAMAccountName")

# Set permissions for Manager to the home folder
SetFullControlPermission $managerName $domainName $userShare

# Set permissions for specific users to the home folder
if ($userNames -ne $NULL)
{
    foreach ($userName in $userNames)
    {
        SetFullControlPermission $userName.Trim() $domainName $userShare
    }
}

Script 2: Delegate specified in a parameter

The script grants full access permissions to the account specified in a custom command parameter. The parameter must be of the AD object picker type. Additionally, the script emails the delegate to notify them that the permissions were granted. If the delegate has no email address specified, the notification is sent to the initiator instead.

Parameters:

  • $delegateParameterName - Specifies the name of the custom command parameter that holds the delegate, including the param- prefix.
  • $subject - Specifies the email notification subject.
  • $messageTemplate - Specifies a template for the email notification. In the template, the {0} placeholder will be replaced with the name of the delegate gaining the permissions.
PowerShell
$delegateParameterName = "param-delegate" # TODO: modify me
$subject = "Grant permissions over home folder"  # TODO: modify me
$messageTemplate = "Full access permissions were granted to user {0} over home folder of user %name%."  # TODO: modify me

function SetFullControlPermission($sid, $userFolderPath)
{
    $objACL = Get-ACL $userFolderPath
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
    $objACL.AddAccessRule($accessRule)
    Set-ACL $userFolderPath $objACL
}

# Get home directory folder
try
{
    $userShare = $Context.TargetObject.Get("homeDirectory")
}
catch
{
    $Context.LogMessage("The user does not have a home directory.", "Warning") # TODO: modify me
    return
}

# Get delegate SID and name
$delegateDN = $Context.GetParameterValue($delegateParameterName)
$delegate = $Context.BindToObjectByDN($delegateDN)
$delegateSidBinary = $delegate.Get("objectSid")
$delegateSid = New-Object System.Security.Principal.SecurityIdentifier($delegateSidBinary, 0)
$delegateName = $delegate.Get("name")

# Get delegate email
try
{
    $recipientEmail = $delegate.Get("mail")
}
catch
{
    $recipientEmail = "%adm-InitiatorEmail%"
}

# Set permissions
SetFullControlPermission $delegateSid $userShare

# Send mail
$message = [System.String]::Format($messageTemplate, @($delegateName))
if ([System.String]::IsNullOrEmpty($recipientEmail))
{
    $Context.LogMessage("Neither the delegate nor the initiator has an email address specified.", "Information")
    return
}

$Context.SendMail($recipientEmail, $subject, $message, $NULL)
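Both scripts above add the ACE and move on without checking what the folder's DACL looks like afterwards. The following PowerShell is an added example and not code from the Adaxes Script Repository: it grants the same FullControl entry idempotently (the write is skipped when an equivalent explicit entry already exists), re-reads the DACL to verify the result, and lists the explicit entries left on the folder for review. The function and parameter names, the CONTOSO\jdoe account and the \\fileserver\home$\asmith path are assumptions. It uses only the standard Get-Acl/Set-Acl cmdlets and .NET security types, so it runs outside Adaxes (no $Context object) under any account that is allowed to change the folder's DACL.

```powershell
# Added example (not from the Adaxes Script Repository): idempotent, verified grant of
# FullControl on a home folder, plus a report of the explicit ACEs that remain on it.
# Assumptions: the caller can modify the folder's DACL; $Identity is a 'DOMAIN\sAMAccountName'
# string or a SecurityIdentifier. Function names and sample values are hypothetical.

function Get-ExplicitFolderAccess {
    param([Parameter(Mandatory)][string]$FolderPath)
    # Only non-inherited entries matter for review: they are what the scripts above add.
    (Get-Acl -LiteralPath $FolderPath).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, InheritanceFlags
}

function Test-HasFullControl {
    param(
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemSecurity]$Acl,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in $Acl.Access) {
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        # Compare on SIDs so the check does not depend on how the identity is displayed.
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # orphaned or unresolvable SID: it cannot be our delegate
        $hasRights = (($ace.FileSystemRights -band $full) -eq $full)
        $inherits  = ($ace.InheritanceFlags -eq 'ContainerInherit, ObjectInherit')
        if ($aceSid -eq $Sid -and $hasRights -and $inherits) { return $true }
    }
    return $false
}

function Grant-HomeFolderFullControl {
    param(
        [Parameter(Mandatory)]$Identity,              # 'DOMAIN\user' or a SecurityIdentifier
        [Parameter(Mandatory)][string]$FolderPath     # e.g. the user's homeDirectory value
    )
    if (-not (Test-Path -LiteralPath $FolderPath -PathType Container)) {
        throw "Home folder '$FolderPath' does not exist or is not a directory."
    }
    # Normalise the delegate to a SID before touching the DACL.
    $sid = if ($Identity -is [System.Security.Principal.SecurityIdentifier]) { $Identity }
           else { ([System.Security.Principal.NTAccount]$Identity).Translate([System.Security.Principal.SecurityIdentifier]) }

    $acl = Get-Acl -LiteralPath $FolderPath
    if (Test-HasFullControl -Acl $acl -Sid $sid) {
        # Nothing to do: an equivalent explicit entry is already present.
        return [pscustomobject]@{ Identity = $sid.Value; Path = $FolderPath; Changed = $false; Verified = $true }
    }

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $sid, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $FolderPath -AclObject $acl -ErrorAction Stop

    # Re-read the DACL instead of trusting that Set-Acl produced the entry we meant.
    $verified = Test-HasFullControl -Acl (Get-Acl -LiteralPath $FolderPath) -Sid $sid
    [pscustomobject]@{ Identity = $sid.Value; Path = $FolderPath; Changed = $true; Verified = $verified }
}

# Usage with placeholder values (the Adaxes scripts would pass $Context values instead):
# Grant-HomeFolderFullControl -Identity 'CONTOSO\jdoe' -FolderPath '\\fileserver\home$\asmith'
# Get-ExplicitFolderAccess -FolderPath '\\fileserver\home$\asmith' | Format-Table -AutoSize
```

The returned object (Changed/Verified) is what you would feed into $Context.LogMessage in a business rule, so a failed or silently ignored Set-Acl becomes visible in the Adaxes log rather than being discovered later. Note that FullControl includes changing permissions and taking ownership of the folder; when delegates only need to read and write the user's files, replacing 'FullControl' with 'Modify' in the access rule is the least-privilege choice.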
