
Remove permissions for Adaxes service administrators to access user's home directory

February 22, 2021

The script can be used in business rules, scheduled tasks and custom commands to remove any permissions that Adaxes service administrators hold on a user's home directory.

Note: By default, if a home directory is created for a user via Adaxes, the service account is granted Full Access permissions on the home directory.

If you remove these permissions, Adaxes will be unable to perform operations on the home directory, for example moving or deleting it. Only explicit (non-inherited) permissions are removed; for permissions inherited from a parent folder the script logs a warning and leaves them in place.
PowerShell
# Get home directory path
try
{
    $homeDirectoryPath = $Context.TargetObject.Get("homeDirectory")
}
catch
{
    $Context.LogMessage("The user doesn't have a home directory", "Warning")
    return
}

# Bind to the Configuration Set Settings container
$configSetSettingsPath = $Context.GetWellKnownContainerPath("ConfigurationSetSettings")
$configSetSettings = $Context.BindToObject($configSetSettingsPath)

# Get Security Identifiers of all service administrators
$adminManager = $configSetSettings.AdministratorManager
$adminsSidsBytes = $adminManager.Administrators
$adminSids = New-Object "System.Collections.Generic.HashSet[System.String]"
foreach ($sidBytes in $adminsSidsBytes)
{
    $sid = New-Object "Softerra.Adaxes.Adsi.Sid" @($sidBytes, 0)
    [void]$adminSids.Add($sid)
}

# Get home directory Access Control List
$acl = Get-Acl -Path $homeDirectoryPath

# Find and remove all service administrators from the Access Control List
# $acl.Access is a snapshot, so removing rules from $acl while walking it is safe
$accessRules = $acl.Access
for ($i = $accessRules.Count - 1; $i -ge 0; $i--)
{
    $accessRule = $accessRules[$i]
    $identityReference = $accessRule.IdentityReference

    # Translate identity to SID (Get-Acl already returns a SID when the account cannot be resolved)
    $sid = $identityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if (!($adminSids.Contains($sid)))
    {
        continue
    }

    # Check if permissions are inherited from a parent container; inherited entries cannot be removed from this ACL
    $userIdentity = $identityReference.Value
    $userPermissions = $accessRule.FileSystemRights
    if ($accessRule.IsInherited)
    {
        $Context.LogMessage("Cannot remove permissions '$userPermissions' for '$userIdentity' because access rights are inherited from a parent container", "Warning")
        continue
    }

    [void]$acl.RemoveAccessRule($accessRule)
}

# Assign the modified Access Control List
# Set-Acl works in both Windows PowerShell and PowerShell 7; DirectoryInfo.SetAccessControl() is not available in the latter
Set-Acl -Path $homeDirectoryPath -AclObject $acl
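The function below is an added example, not part of the script above or of Adaxes. It generalizes the same idea into a reusable command: strip the explicit ACEs granted to a given set of SIDs from a folder, and optionally break inheritance first so that ACEs inherited from the parent (which the script above can only warn about) become explicit and removable. It uses Get-Acl/Set-Acl rather than DirectoryInfo.SetAccessControl() so it runs on Windows PowerShell 5.1 and PowerShell 7 alike. The function name, the parameter names, the path and the SIDs in the usage lines are all constructed for the example; the Adaxes administrator SIDs would come from the byte arrays the script above reads from $adminManager.Administrators.

```powershell
# Added example (not Adaxes code). Remove explicit ACEs for the given SIDs from a folder.
# -BreakInheritance converts inherited ACEs to explicit copies first so they can be removed.
function Remove-FolderAccessForSids {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        # SDDL strings such as 'S-1-5-21-...-1105'. From the byte arrays the Adaxes script
        # obtains, a string SID is [System.Security.Principal.SecurityIdentifier]::new($bytes, 0).Value
        [Parameter(Mandatory)][string[]]$Sid,
        [switch]$BreakInheritance
    )

    $targetSids = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$Sid, [System.StringComparer]::OrdinalIgnoreCase)

    # Ask for rules keyed by SecurityIdentifier: no NTAccount translation, so orphaned SIDs
    # (deleted accounts) and SIDs from untrusted domains cannot throw during comparison.
    $getMatches = {
        param($aclObj)
        @($aclObj.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $targetSids.Contains($_.IdentityReference.Value) })
    }

    $acl = Get-Acl -LiteralPath $Path
    $matching = & $getMatches $acl
    $inheritedMatches = @($matching | Where-Object IsInherited)

    # Inherited ACEs cannot be removed from a child ACL (RemoveAccessRule returns $false for them).
    # Only break inheritance when there is actually an inherited ACE to remove.
    if ($inheritedMatches.Count -gt 0 -and $BreakInheritance -and -not $acl.AreAccessRulesProtected) {
        # (isProtected=$true, preserveInheritance=$true) keeps the inherited ACEs as explicit copies.
        # Persist and re-read so the copies come back with IsInherited = $false.
        $acl.SetAccessRuleProtection($true, $true)
        if ($PSCmdlet.ShouldProcess($Path, 'Break ACL inheritance (keep copies of inherited ACEs)')) {
            Set-Acl -LiteralPath $Path -AclObject $acl
            $acl = Get-Acl -LiteralPath $Path
            $matching = & $getMatches $acl
        }
    }

    $removed = [System.Collections.Generic.List[object]]::new()
    $skipped = [System.Collections.Generic.List[object]]::new()
    foreach ($rule in $matching) {
        if ($rule.IsInherited) { $skipped.Add($rule); continue }
        if ($acl.RemoveAccessRule($rule)) { $removed.Add($rule) }
    }

    if ($removed.Count -gt 0 -and $PSCmdlet.ShouldProcess($Path, "Remove $($removed.Count) ACE(s)")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    $describe = { "$($_.IdentityReference.Value) $($_.AccessControlType) $($_.FileSystemRights)" }
    [pscustomobject]@{
        Path             = $Path
        Removed          = @($removed | ForEach-Object $describe)
        SkippedInherited = @($skipped | ForEach-Object $describe)
    }
}

# Usage with constructed values (replace the path and SID with real ones).
# Dry run first:
# Remove-FolderAccessForSids -Path '\\fs01\home$\jdoe' `
#     -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105' -WhatIf
# Then remove, breaking inheritance only if an inherited ACE for that SID exists:
# Remove-FolderAccessForSids -Path '\\fs01\home$\jdoe' `
#     -Sid 'S-1-5-21-1111111111-2222222222-3333333333-1105' -BreakInheritance -Verbose
```

Breaking inheritance is a real change to the folder's security model, which is why the function does it only when an inherited ACE for one of the target SIDs exists and why both writes go through ShouldProcess, so -WhatIf shows what would change before anything is written. Without -BreakInheritance the function behaves like the script above: explicit ACEs are removed and inherited ones are reported under SkippedInherited.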
Comments 2
Dennis May 20, 2025
Hi,

Does this script still work? When executing this we get the error:

Method invocation failed because [System.IO.DirectoryInfo] does not contain a method named 'SetAccessControl'. Stack trace: at <ScriptBlock>, <No file>: line 59


Cheers,

Dennis
Support May 20, 2025
Hello Dennis,

For troubleshooting purposes, please, send us (support@adaxes.com) a screenshot of the Multi-server environment dialog. The dialog displays how many Adaxes services you have and what their versions are. For information on how to view it, see https://www.adaxes.com/help/MultiServerEnvironment.