[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2300
  • Last Modified:

powershell ftp user creation

I am attempting to create a FTP dir and FTP user.  I need to give full control of the created directory to the newly created user and add the user to the FTP users group.  I need to remove view/list permissions for the newly created dir from the FTP users group.  Finally I need to be able to run the ps1 script from a local machine and have it execute on the remote system.  Here is the code I have so far.  

"       -------------------------------------------"
"       ##     FTP VIRTUAL DIRECTORY CREATION SCRIPT     ##"
""
""
"       ## This script will create a new username, password, local directory, and virtual directory for a client "
""
"       ## Please enter the following information "
""
"       -------------------------------------------"
 
 
### PowerShell Script
### Create local User Acount
 
$AccountName = Read-Host "Please enter user account name (i.e. krisp)"
$FullName = Read-Host "Please enter the full name (i.e. Kris)"
$Description = Read-Host "Please enter the description (i.e. Krisp FTP Login)"
$Password = Read-Host "Please enter a password"
$Computer = "server.company.net"
$Remote = "\\server.company.net"
"Creating user on $Computer"
 
# Access to Container using the COM library
$Container = [ADSI] "WinNT://$Computer"
 
# Create User
$objUser = $Container.Create("user", $Accountname)
$objUser.Put("Fullname", $FullName)
$objUser.Put("Description", $Description)
 
# Set Password
$objUser.SetPassword($Password)
 
# Save Changes
$objUser.SetInfo()
 
# Add User Flags
# The numbers are bitwise - 65536 is Password Never Expires ; 64 is User Cannot Change Password

$objUser.userflags = 65536 -bor 64
$objUser.SetInfo()
 
"User $AccountName created!"
" ------------------------"


 
#       ---Create FTP local directory---
 
"Creating directory server.company.net\E\SecureFtpSite\Support\$AccountName"
 
New-Item \\server.company.net\E\SecureFtpSite\Support\$AccountName -type directory  
Start-Sleep -Seconds 5
"Directory $AccountName created!"
" ------------------------"
 
 
#       ---Set Permissions on Folder
 
"Setting Permissions on server.company.net\E\SecureFtpSite\Support\$AccountName"
 
$colRights = [System.Security.AccessControl.FileSystemRights]"Modify"
$Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$User = New-Object System.Security.Principal.NTAccount("$Computer\$AccountName")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($User, $colRights , $Inherit, $Propagate, $objType)

$objACL = Get-Acl "\\server.company.net\E\SecureFtpSite\Support\$AccountName"
$objACL.AddAccessRule.($objACE)
 
Set-Acl "\\server.company.net\E\SecureFtpSite\Support\$AccountName" $objACL

icacls "\\server.company.net\E\SecureFtpSite\Support\$AccountName" /inheritance:d


icacls "\\server.company.net\E\SecureFtpSite\Support\$AccountName" /remove "FTP Users"
     
 
Start-Sleep -Seconds 5
 
"Permissions Successfully Applied!"
" ------------------------"
 
#       ---Add User to FTP Users Local Group
 
"Adding User to FTP Users Group"
 
$group = [ADSI]"WinNT://$Computer/FTP Users"
$group.add("WinNT:$Computer/$AccountName")
 
"User Added!"
"-------------------------"
 



When I run this code locally I get the following results
1.       User is successfully created
2.      Dir is successfully created
3.      User is unsuccessfully added to the permission set for the new dir
4.      User is unsuccessfully added to the ftp group
5.                  FTP group is being added to the permission set for the newly created dir,                      they              need to be removed.
A tall order I know but any help would be GREATLY appreciated
0
TonyElam
Asked:
TonyElam
  • 18
  • 13
1 Solution
 
rlandquistCommented:
To add the user to the FTP Users Group try this:

$objUser = [ADSI]("WinNT://$Computer/$AccountName")
$objGroup = [ADSI]("WinNT://$Computer/FTP Users")

$objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)

Open in new window

0
 
TonyElamAuthor Commented:
$objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)
throws an error of
Exception calling "Invoke" with "2" argument(s): "The network path was not found.
0
 
rlandquistCommented:
I just want to clarify, you want to:
Create a new folder - which works in your script
Create a new local user - which works in your script
Add the user to the "FTP Users" Local Group - NOT WORKING
Give the user full control to the new folder - NOT WORKING
Remove just the View/List Permissions from the FTP Users Group - NOT WORKING

Why are you adding the user to the FTP Group which has less rights and giving him specific rights?

I am testing the permissions script right now.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
TonyElamAuthor Commented:
i am using the script to create individual user folders with right only for that newly created user.  I need them to be in the ftp users group so they can access the ftp server.  But I do not want the entire ftp group to have access to every folder created.  Your outline above is all correct with what is so far working.
0
 
rlandquistCommented:
Here you go.  This version should accomplish all the tasks you are trying to do.

Let me know if you have any questions.
$AccountName = Read-Host "Please enter user account name (i.e. krisp)"
$FullName = Read-Host "Please enter the full name (i.e. Kris)"
$Description = Read-Host "Please enter the description (i.e. Krisp FTP Login)"
$Password = Read-Host "Please enter a password"
$Computer = "server.company.net"
$Remote = "\\$Computer"
$Folder = "$Remote\E\SecureFtpSite\Support\$AccountName"

"Creating user on $Computer"
# Access to Container using the COM library
$Container = [ADSI] "WinNT://$Computer"
 
# Create User
$objUser = $Container.Create("user", $Accountname)
$objUser.Put("Fullname", $FullName)
$objUser.Put("Description", $Description)
 
# Set Password
$objUser.SetPassword($Password)
 
# Save Changes
$objUser.SetInfo() 

# Add User Flags
# The numbers are bitwise - 65536 is Password Never Expires ; 64 is User Cannot Change Password

$objUser.userflags = 65536 -bor 64
$objUser.SetInfo()
 
"User $AccountName created!"
" ------------------------"

#       ---Create FTP local directory---
 
"Creating directory server.company.net\E\SecureFtpSite\Support\$AccountName"
 
New-Item $Folder -type directory  
Start-Sleep -Seconds 5
"Directory $AccountName created!"
" ------------------------"

#       ---Set Permissions on Folder
 
"Setting Permissions on server.company.net\E\SecureFtpSite\Support\$AccountName"
$objACL = Get-Acl $Folder 
$objACL.SetAccessRuleProtection($True, $True)
Set-Acl -Path $Folder -aclObject $objACL

$colRights = [System.Security.AccessControl.FileSystemRights] "FullControl" 
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit `
-bor[System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::none 
$objType = [System.Security.AccessControl.AccessControlType]::Allow 
$objUser = New-Object System.Security.Principal.NTAccount("$Computer\$AccountName") 
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType) 
$objACL = Get-Acl $Folder 
$objACL.AddAccessRule($objACE) 
Set-Acl $Folder $objACL


$colRights = [System.Security.AccessControl.FileSystemRights] "Read" 
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit `
-bor[System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None 
$objType = [System.Security.AccessControl.AccessControlType]::Allow 
$objUser = New-Object System.Security.Principal.NTAccount("$Computer\FTP Users") 
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType) 
$objACL = Get-Acl $Folder 
$objACL.RemoveAccessRuleAll($objACE) 
Set-Acl $Folder $objACL

Start-Sleep -Seconds 5
 
"Permissions Successfully Applied!"
" ------------------------"

#       ---Add User to FTP Users Local Group
 
"Adding User to FTP Users Group"
  
$group = [ADSI] ( "WinNT://$Computer/FTP Users,group" )
$group.add("WinNT://$Computer/$AccountName,user") 
 
"User Added!"

Open in new window

0
 
TonyElamAuthor Commented:
here is what i am getting with the modified code
Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated.     ps1:58 char:22
           + $objACL.AddAccessRule <<<< ($objACE)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Exception calling "RemoveAccessRuleAll" with "1" argument(s): "Some or all identity references could not be translated."       71 char:28
                     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Exception calling "add" with "1" argument(s): "A member could not be added to or removed from the local group because the member does not exist.
"          84 char:11

       + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI


any thoughts?








       
0
 
TonyElamAuthor Commented:
this is a local user to the machine not a domain account on the ftp server I am trying to add
0
 
rlandquistCommented:
Ok, that is strange, it ran great on my computer.
What OS are you running it from, and what OS are you running it against?
What version of PowerShell are you using? Type $PSVersionTable at a PS Prompt and look for the PSVersion.

Also, the errors start with the folder permission changes.  Can you verify that the user was created correctly, AND the folder was created correctly?
0
 
rlandquistCommented:
Yes, I understand we are dealing with a local user and not a domain user.
0
 
TonyElamAuthor Commented:
1. folder created correctly
         a. created user is not in the permission list for the new folder
         b.  FTP user group is in the permission list for the folder
2. User created correctly
        a.  user is not in the FTP user group
3.  FTP server is a windows 2008 standard R2 machine
4. The script is being run on my local machine which is a Windows 7 box
5. Powershell Version v2

I would like to again thank you very much for your time on this matter.  It truly is appreciated.
0
 
TonyElamAuthor Commented:
more specifically
CLRVersion     2.0.50727.4952
BuildVersion     6.1.7600.16385
PSVersion     2.0
PSCompatableVersions     <1.0 2.0>
SerializedVersion     1.1.0.1
PSRemotingProtocolVersion     2.1
0
 
rlandquistCommented:
Are you running the PowerShell window as administrator?
0
 
TonyElamAuthor Commented:
open cmd as an admin then i input powershell.exe and run the script from there
0
 
TonyElamAuthor Commented:
correction i have been running Windowspowershell ISE, but not as an admin
just clicking on it and opening the editor
I will open ISE as an admin tommorrow when I get to work and see what that brings
/facepalm
0
 
TonyElamAuthor Commented:
Ok running as admin here is what I am getting

Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At C:\Users\Tony Elam.DOMAIN\Desktop\ftpuser4.ps1:58 char:22
+ $objACL.AddAccessRule <<<< ($objACE)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException
 
Exception calling "RemoveAccessRuleAll" with "1" argument(s): "Some or all identity references could not be translated."
At C:\Users\Tony Elam.DOMAIN\Desktop\ftpuser4.ps1:71 char:28
+ $objACL.RemoveAccessRuleAll <<<< ($objACE)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException
 
Permissions Successfully Applied!
 ------------------------
Adding User to FTP Users Group
Exception calling "add" with "1" argument(s): "A member could not be added to or removed from the local group because the member does not exist.
"
At C:\Users\Tony Elam.DOMAIN\Desktop\ftpuser4.ps1:84 char:11
+ $group.add <<<< ("WinNT://$Computer/$AccountName,user")
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI

it is creating the user
it is creating the folder
it is not removing the FTP group from the permission set for the folder
it is not adding the user to the FTP users group
it is not adding the newly created user to the permission set for the folder
0
 
rlandquistCommented:
Instead of runningin ISE, can you right click on Windows PowerShell an select Run as Administrator?
I want to verify the same issue from PS command line.
Let me know if you get the same issues.
0
 
TonyElamAuthor Commented:
action completed as requested.  Same result., odd thing is if i run my original script locally on the 2008 box it work fine, additionally the original run remotly created the user, and puts the user into the ftp users group, but does not add the user to the permission set for the new folder or remove the FTP users group from the permission set for the new folder as well.


























0
 
rlandquistCommented:
It seems to not like the $Computer\$AccountName variables

You could try hard coding the values and seeing if that works., otherwise I am not sure what is going on.  I ran it locally on my Win7 machine and it worked great.  Maybe it doesn't work remotely.

Have you tried my script locally on the server?
0
 
TonyElamAuthor Commented:
I have tried to run the script you created locally and it threw the same errors
0
 
rlandquistCommented:
for the $Computer
instead of "server.company.net"
try just "server"
0
 
TonyElamAuthor Commented:
ok i made the following changes as well as your suggested change
$objACL = Get-Acl "\\ptcnt016.eaglesoft.net\E\SecureFtpSite\Support\$AccountName"
$objACL.AddAccessRule($objACE)
 
Set-Acl "server.domain.net\E\SecureFtpSite\Support\$AccountName" $objACL

icacls "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" /inheritance:d


icacls "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" /remove "FTP Users"

just 1 error left

Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At C:\ftp\ftpuser5.ps1:70 char:22
+ $objACL.AddAccessRule <<<< ($objACE)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

1.  user created successfully
2. user added to FTP group successfully
3. folder created successfully
4 still need to add user to folder permission
5 still need to remove ftp group from folder permission

this is the code i am currently using

"       -------------------------------------------"
"       ##     FTP VIRTUAL DIRECTORY CREATION SCRIPT     ##"
""
""
"       ## This script will create a new username, password, local directory, and virtual directory for a client "
""
"       ## Please enter the following information "
""
"       -------------------------------------------"
 
 
### PowerShell Script
### Create local User Acount
 
$AccountName = Read-Host "Please enter user account name (i.e. krisp)"
$FullName = Read-Host "Please enter the full name (i.e. Kris)"
$Description = Read-Host "Please enter the description (i.e. Krisp FTP Login)"
$Password = Read-Host "Please enter a password"
$Computer = "server"
 
"Creating user on $Computer"
 
# Access to Container using the COM library
$Container = [ADSI] "WinNT://$Computer"
 
# Create User
$objUser = $Container.Create("user", $Accountname)
$objUser.Put("Fullname", $FullName)
$objUser.Put("Description", $Description)
 
# Set Password
$objUser.SetPassword($Password)
 
# Save Changes
$objUser.SetInfo()
 
# Add User Flags
# The numbers are bitwise - 65536 is Password Never Expires ; 64 is User Cannot Change Password

$objUser.userflags = 65536 -bor 64
$objUser.SetInfo()
 
"User $AccountName created!"
" ------------------------"


 
#       ---Create FTP local directory---
 
"Creating directory E:\SecureFtpSite\Support\$AccountName"
 
New-Item \\server.domain.net\E\SecureFtpSite\Support\$AccountName -type directory  
Start-Sleep -Seconds 5
"Directory $AccountName created!"
" ------------------------"
 
 
#       ---Set Permissions on Folder
 
"Setting Permissions on E:\SecureFtpSite\Support\$AccountName"
 
$colRights = [System.Security.AccessControl.FileSystemRights]"Modify"
$Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$User = New-Object System.Security.Principal.NTAccount("$Computer\$AccountName")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($User, $colRights , $Inherit, $Propagate, $objType)

$objACL = Get-Acl "\\server.domain.net\E\SecureFtpSite\Support\$AccountName"
$objACL.AddAccessRule($objACE)
 
Set-Acl "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" $objACL

icacls "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" /inheritance:d


icacls "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" /remove "FTP Users"
     
 
Start-Sleep -Seconds 5
 
"Permissions Successfully Applied!"
" ------------------------"
 
#       ---Add User to FTP Users Local Group
 
"Adding User to FTP Users Group"
 
$group = [ADSI]"WinNT://$computer/FTP Users"
$group.add("WinNT://$Computer/$AccountName")
 
"User Added!"
"-------------------------"
 

0
 
rlandquistCommented:
I have no idea, sorry.
0
 
TonyElamAuthor Commented:
no problem thanks for you time, it has been appreciated!
0
 
rlandquistCommented:
I will keep looking into it, and let you know if I find anything.
0
 
TonyElamAuthor Commented:
my work around is to use the invoke command on the local machine, thank you for your help sir!!!!
0
 
TonyElamAuthor Commented:
what is the accept solution for awarding points in this case may i ask?
0
 
rlandquistCommented:
I guess that is up to you.

If you feel the solutions do not work for you, you can request the question closed and the points refunded to you.
0
 
TonyElamAuthor Commented:
your temendous amount of attention this matter leads my to think that the award should go to you
0
 
TonyElamAuthor Commented:
i ultimatly used a local ps1 script  ( i ran an invoke-command) to call the script on the remote machine
0
 
TonyElamAuthor Commented:
thankyou
0
 
rlandquistCommented:
Thanks for the grade!  It was nice working with you!
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 18
  • 13
Tackle projects and never again get stuck behind a technical roadblock.
Join Now