
powershell ftp user creation

Last Modified: 2013-12-09
I am attempting to create an FTP dir and FTP user. I need to give full control of the created directory to the newly created user and add the user to the FTP Users group. I need to remove view/list permissions for the newly created dir from the FTP Users group. Finally, I need to be able to run the ps1 script from a local machine and have it execute on the remote system. Here is the code I have so far.

"       -------------------------------------------"
"       ##     FTP VIRTUAL DIRECTORY CREATION SCRIPT     ##"
""
""
"       ## This script will create a new username, password, local directory, and virtual directory for a client "
""
"       ## Please enter the following information "
""
"       -------------------------------------------"
 
 
### PowerShell Script
### Create local User Account
 
$AccountName = Read-Host "Please enter user account name (i.e. krisp)"
$FullName = Read-Host "Please enter the full name (i.e. Kris)"
$Description = Read-Host "Please enter the description (i.e. Krisp FTP Login)"
$Password = Read-Host "Please enter a password"
$Computer = "server.company.net"
$Remote = "\\server.company.net"
"Creating user on $Computer"
 
# Access to Container using the COM library
$Container = [ADSI] "WinNT://$Computer"
 
# Create User
$objUser = $Container.Create("user", $Accountname)
$objUser.Put("Fullname", $FullName)
$objUser.Put("Description", $Description)
 
# Set Password
$objUser.SetPassword($Password)
 
# Save Changes
$objUser.SetInfo()
 
# Add User Flags
# The numbers are bitwise - 65536 is Password Never Expires ; 64 is User Cannot Change Password

$objUser.userflags = 65536 -bor 64
$objUser.SetInfo()
 
"User $AccountName created!"
" ------------------------"


 
#       ---Create FTP local directory---
 
"Creating directory server.company.net\E\SecureFtpSite\Support\$AccountName"
 
New-Item \\server.company.net\E\SecureFtpSite\Support\$AccountName -type directory  
Start-Sleep -Seconds 5
"Directory $AccountName created!"
" ------------------------"
 
 
#       ---Set Permissions on Folder
 
"Setting Permissions on server.company.net\E\SecureFtpSite\Support\$AccountName"
 
$colRights = [System.Security.AccessControl.FileSystemRights]"Modify"
$Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$User = New-Object System.Security.Principal.NTAccount("$Computer\$AccountName")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($User, $colRights , $Inherit, $Propagate, $objType)

$objACL = Get-Acl "\\server.company.net\E\SecureFtpSite\Support\$AccountName"
$objACL.AddAccessRule($objACE)
 
Set-Acl "\\server.company.net\E\SecureFtpSite\Support\$AccountName" $objACL

icacls "\\server.company.net\E\SecureFtpSite\Support\$AccountName" /inheritance:d


icacls "\\server.company.net\E\SecureFtpSite\Support\$AccountName" /remove "FTP Users"
     
 
Start-Sleep -Seconds 5
 
"Permissions Successfully Applied!"
" ------------------------"
 
#       ---Add User to FTP Users Local Group
 
"Adding User to FTP Users Group"
 
$group = [ADSI]"WinNT://$Computer/FTP Users"
$group.add("WinNT://$Computer/$AccountName")
 
"User Added!"
"-------------------------"
 



When I run this code locally I get the following results:
1. User is successfully created
2. Dir is successfully created
3. User is unsuccessfully added to the permission set for the new dir
4. User is unsuccessfully added to the FTP group
5. FTP group is being added to the permission set for the newly created dir; they need to be removed.
A tall order I know, but any help would be GREATLY appreciated.

To add the user to the FTP Users Group try this:

$objUser = [ADSI]("WinNT://$Computer/$AccountName")
$objGroup = [ADSI]("WinNT://$Computer/FTP Users")

$objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)


Author

Commented:
$objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)
throws an error of
Exception calling "Invoke" with "2" argument(s): "The network path was not found.
I just want to clarify, you want to:
Create a new folder - which works in your script
Create a new local user - which works in your script
Add the user to the "FTP Users" Local Group - NOT WORKING
Give the user full control to the new folder - NOT WORKING
Remove just the View/List Permissions from the FTP Users Group - NOT WORKING

Why are you adding the user to the FTP Group which has less rights and giving him specific rights?

I am testing the permissions script right now.

Author

Commented:
i am using the script to create individual user folders with right only for that newly created user.  I need them to be in the ftp users group so they can access the ftp server.  But I do not want the entire ftp group to have access to every folder created.  Your outline above is all correct with what is so far working.

Author

Commented:
Here is what I am getting with the modified code:
Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
    ps1:58 char:22
    + $objACL.AddAccessRule <<<< ($objACE)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Exception calling "RemoveAccessRuleAll" with "1" argument(s): "Some or all identity references could not be translated."
    71 char:28
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Exception calling "add" with "1" argument(s): "A member could not be added to or removed from the local group because the member does not exist."
    84 char:11
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI


Any thoughts?

Author

Commented:
This is a local user to the machine, not a domain account on the FTP server, that I am trying to add.
Ok, that is strange, it ran great on my computer.
What OS are you running it from, and what OS are you running it against?
What version of PowerShell are you using? Type $PSVersionTable at a PS Prompt and look for the PSVersion.

Also, the errors start with the folder permission changes.  Can you verify that the user was created correctly, AND the folder was created correctly?
Yes, I understand we are dealing with a local user and not a domain user.

Author

Commented:
1. Folder created correctly
        a. Created user is not in the permission list for the new folder
        b. FTP Users group is in the permission list for the folder
2. User created correctly
        a. User is not in the FTP Users group
3. FTP server is a Windows 2008 Standard R2 machine
4. The script is being run on my local machine, which is a Windows 7 box
5. PowerShell version v2

I would like to again thank you very much for your time on this matter.  It truly is appreciated.

Author

Commented:
More specifically:
CLRVersion     2.0.50727.4952
BuildVersion     6.1.7600.16385
PSVersion     2.0
PSCompatableVersions     <1.0 2.0>
SerializedVersion     1.1.0.1
PSRemotingProtocolVersion     2.1
Are you running the PowerShell window as administrator?

Author

Commented:
I open cmd as an admin, then I input powershell.exe and run the script from there.

Author

Commented:
Correction: I have been running Windows PowerShell ISE, but not as an admin,
just clicking on it and opening the editor.
I will open ISE as an admin tomorrow when I get to work and see what that brings.
/facepalm

Author

Commented:
OK, running as admin here is what I am getting:

Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At C:\Users\Tony Elam.DOMAIN\Desktop\ftpuser4.ps1:58 char:22
+ $objACL.AddAccessRule <<<< ($objACE)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException
 
Exception calling "RemoveAccessRuleAll" with "1" argument(s): "Some or all identity references could not be translated."
At C:\Users\Tony Elam.DOMAIN\Desktop\ftpuser4.ps1:71 char:28
+ $objACL.RemoveAccessRuleAll <<<< ($objACE)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException
 
Permissions Successfully Applied!
 ------------------------
Adding User to FTP Users Group
Exception calling "add" with "1" argument(s): "A member could not be added to or removed from the local group because the member does not exist.
"
At C:\Users\Tony Elam.DOMAIN\Desktop\ftpuser4.ps1:84 char:11
+ $group.add <<<< ("WinNT://$Computer/$AccountName,user")
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI

It is creating the user.
It is creating the folder.
It is not removing the FTP group from the permission set for the folder.
It is not adding the user to the FTP Users group.
It is not adding the newly created user to the permission set for the folder.
Instead of running in ISE, can you right-click on Windows PowerShell and select Run as Administrator?
I want to verify the same issue from PS command line.
Let me know if you get the same issues.

Author

Commented:
Action completed as requested. Same result. The odd thing is, if I run my original script locally on the 2008 box it works fine; additionally, the original run remotely created the user and puts the user into the FTP Users group, but does not add the user to the permission set for the new folder or remove the FTP Users group from the permission set for the new folder.
It seems to not like the $Computer\$AccountName variables

You could try hard-coding the values and seeing if that works; otherwise I am not sure what is going on. I ran it locally on my Win7 machine and it worked great. Maybe it doesn't work remotely.

Have you tried my script locally on the server?

Author

Commented:
I have tried to run the script you created locally and it threw the same errors.
For $Computer, instead of "server.company.net" try just "server".

Author

Commented:
OK, I made the following changes as well as your suggested change:
$objACL = Get-Acl "\\ptcnt016.eaglesoft.net\E\SecureFtpSite\Support\$AccountName"
$objACL.AddAccessRule($objACE)
 
Set-Acl "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" $objACL

icacls "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" /inheritance:d


icacls "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" /remove "FTP Users"

Just 1 error left:

Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At C:\ftp\ftpuser5.ps1:70 char:22
+ $objACL.AddAccessRule <<<< ($objACE)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

1. User created successfully
2. User added to FTP group successfully
3. Folder created successfully
4. Still need to add user to folder permission
5. Still need to remove FTP group from folder permission

This is the code I am currently using:

"       -------------------------------------------"
"       ##     FTP VIRTUAL DIRECTORY CREATION SCRIPT     ##"
""
""
"       ## This script will create a new username, password, local directory, and virtual directory for a client "
""
"       ## Please enter the following information "
""
"       -------------------------------------------"
 
 
### PowerShell Script
### Create local User Account
 
$AccountName = Read-Host "Please enter user account name (i.e. krisp)"
$FullName = Read-Host "Please enter the full name (i.e. Kris)"
$Description = Read-Host "Please enter the description (i.e. Krisp FTP Login)"
$Password = Read-Host "Please enter a password"
$Computer = "server"
 
"Creating user on $Computer"
 
# Access to Container using the COM library
$Container = [ADSI] "WinNT://$Computer"
 
# Create User
$objUser = $Container.Create("user", $Accountname)
$objUser.Put("Fullname", $FullName)
$objUser.Put("Description", $Description)
 
# Set Password
$objUser.SetPassword($Password)
 
# Save Changes
$objUser.SetInfo()
 
# Add User Flags
# The numbers are bitwise - 65536 is Password Never Expires ; 64 is User Cannot Change Password

$objUser.userflags = 65536 -bor 64
$objUser.SetInfo()
 
"User $AccountName created!"
" ------------------------"


 
#       ---Create FTP local directory---
 
"Creating directory E:\SecureFtpSite\Support\$AccountName"
 
New-Item \\server.domain.net\E\SecureFtpSite\Support\$AccountName -type directory  
Start-Sleep -Seconds 5
"Directory $AccountName created!"
" ------------------------"
 
 
#       ---Set Permissions on Folder
 
"Setting Permissions on E:\SecureFtpSite\Support\$AccountName"
 
$colRights = [System.Security.AccessControl.FileSystemRights]"Modify"
$Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$User = New-Object System.Security.Principal.NTAccount("$Computer\$AccountName")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($User, $colRights , $Inherit, $Propagate, $objType)

$objACL = Get-Acl "\\server.domain.net\E\SecureFtpSite\Support\$AccountName"
$objACL.AddAccessRule($objACE)
 
Set-Acl "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" $objACL

icacls "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" /inheritance:d


icacls "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" /remove "FTP Users"
     
 
Start-Sleep -Seconds 5
 
"Permissions Successfully Applied!"
" ------------------------"
 
#       ---Add User to FTP Users Local Group
 
"Adding User to FTP Users Group"
 
$group = [ADSI]"WinNT://$computer/FTP Users"
$group.add("WinNT://$Computer/$AccountName")
 
"User Added!"
"-------------------------"
 

I have no idea, sorry.

Author

Commented:
No problem, thanks for your time, it has been appreciated!
I will keep looking into it, and let you know if I find anything.

Author

Commented:
My workaround is to use the Invoke-Command on the local machine. Thank you for your help, sir!!!!

Author

Commented:
What is the accepted solution for awarding points in this case, may I ask?
I guess that is up to you.

If you feel the solutions do not work for you, you can request the question closed and the points refunded to you.

Author

Commented:
Your tremendous amount of attention to this matter leads me to think that the award should go to you.

Author

Commented:
I ultimately used a local ps1 script (I ran an Invoke-Command) to call the script on the remote machine.
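The asker's final approach (run everything on the FTP server through Invoke-Command) combined with the failure the thread diagnosed (local account names on the server cannot be translated from the Win7 box), as an added example that is not the asker's or the expert's code: it grants the per-user folder by the new account's SID so no name-to-SID translation is needed, and strips the "FTP Users" ACEs the folder inherited from Support. The server name "ftpserver", the existing local group "FTP Users" and the root E:\SecureFtpSite\Support are assumptions.

```powershell
# Added example (not the thread's script). Assumed placeholders: server "ftpserver",
# existing local group "FTP Users", per-user folders under E:\SecureFtpSite\Support.
$ServerName  = 'ftpserver'
$AccountName = Read-Host 'Account name'
$SecurePass  = Read-Host 'Password' -AsSecureString   # not echoed to the console

$remote = {
    param($AccountName, $SecurePass, $Root)
    $plain = (New-Object System.Management.Automation.PSCredential('x', $SecurePass)).GetNetworkCredential().Password

    # 1. Local user through the WinNT ADSI provider, on the server itself.
    #    userflags: 65536 = password never expires, 64 = user cannot change password (as in the thread)
    $container = [ADSI]"WinNT://$env:COMPUTERNAME"
    $new = $container.Create('user', $AccountName)
    $new.SetPassword($plain)
    $new.SetInfo()
    $new.userflags = 65536 -bor 64
    $new.SetInfo()
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$AccountName,user"   # re-bind so objectSid is populated

    # 2. Membership in the local FTP Users group (this is what lets the account log on to the site).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/FTP Users,group"
    $group.Add($user.PSBase.Path)

    # 3. Per-user folder. Cut inheritance but keep copies of the inherited ACEs, persist, then
    #    re-read: only after Set-Acl do the copies become explicit ACEs that can be removed.
    $folder = Join-Path $Root $AccountName
    New-Item -Path $folder -ItemType Directory | Out-Null
    $acl = Get-Acl $folder
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl $folder $acl
    $acl = Get-Acl $folder
    # Remove every ACE for FTP Users so other FTP accounts cannot list or read this folder.
    $acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\FTP Users")))
    # Grant the owner by SID (no name translation) with Modify: enough to upload/download/delete,
    # and unlike FullControl it does not let the FTP user rewrite the folder's ACL.
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($user.objectSid.Value, 0)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl $folder $acl

    # Return the effective DACL so the caller can verify what was applied.
    (Get-Acl $folder).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}

Invoke-Command -ComputerName $ServerName -ScriptBlock $remote `
    -ArgumentList $AccountName, $SecurePass, 'E:\SecureFtpSite\Support'
```

The returned DACL should show the new SID with Modify and no FTP Users entry; if an FTP Users entry remains with IsInherited set to True, the folder is still inheriting from Support and the protection step did not persist.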

Author

Commented:
Thank you.
Thanks for the grade!  It was nice working with you!