TonyElam
asked on
powershell ftp user creation
I am attempting to create an FTP dir and FTP user. I need to give full control of the created directory to the newly created user and add the user to the FTP users group. I need to remove view/list permissions for the newly created dir from the FTP users group. Finally, I need to be able to run the ps1 script from a local machine and have it execute on the remote system. Here is the code I have so far.
" -------------------------------------------"
" ## FTP VIRTUAL DIRECTORY CREATION SCRIPT ##"
""
""
" ## This script will create a new username, password, local directory, and virtual directory for a client "
""
" ## Please enter the following information "
""
" -------------------------------------------"
### PowerShell Script
### Create local User Account
$AccountName = Read-Host "Please enter user account name (i.e. krisp)"
$FullName = Read-Host "Please enter the full name (i.e. Kris)"
$Description = Read-Host "Please enter the description (i.e. Krisp FTP Login)"
$Password = Read-Host "Please enter a password"
$Computer = "server.company.net"
$Remote = "\\server.company.net"
"Creating user on $Computer"
# Access to Container using the COM library
$Container = [ADSI] "WinNT://$Computer"
# Create User
$objUser = $Container.Create("user", $Accountname)
$objUser.Put("Fullname", $FullName)
$objUser.Put("Description", $Description)
# Set Password
$objUser.SetPassword($Password)
# Save Changes
$objUser.SetInfo()
# Add User Flags
# The numbers are bitwise - 65536 is Password Never Expires ; 64 is User Cannot Change Password
$objUser.userflags = 65536 -bor 64
$objUser.SetInfo()
"User $AccountName created!"
" ------------------------"
# ---Create FTP local directory---
"Creating directory server.company.net\E\SecureFtpSite\Support\$AccountName"
New-Item \\server.company.net\E\SecureFtpSite\Support\$AccountName -type directory
Start-Sleep -Seconds 5
"Directory $AccountName created!"
" ------------------------"
# ---Set Permissions on Folder
"Setting Permissions on server.company.net\E\SecureFtpSite\Support\$AccountName"
$colRights = [System.Security.AccessControl.FileSystemRights]"Modify"
$Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$User = New-Object System.Security.Principal.NTAccount("$Computer\$AccountName")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($User, $colRights, $Inherit, $Propagate, $objType)
$objACL = Get-Acl "\\server.company.net\E\SecureFtpSite\Support\$AccountName"
$objACL.AddAccessRule.($objACE)
Set-Acl "\\server.company.net\E\SecureFtpSite\Support\$AccountName" $objACL
icacls "\\server.company.net\E\SecureFtpSite\Support\$AccountName" /inheritance:d
icacls "\\server.company.net\E\SecureFtpSite\Support\$AccountName" /remove "FTP Users"
Start-Sleep -Seconds 5
"Permissions Successfully Applied!"
" ------------------------"
# ---Add User to FTP Users Local Group
"Adding User to FTP Users Group"
$group = [ADSI]"WinNT://$Computer/FTP Users"
$group.add("WinNT:$Computer/$AccountName")
"User Added!"
"-------------------------"
When I run this code locally I get the following results
1. User is successfully created
2. Dir is successfully created
3. User is unsuccessfully added to the permission set for the new dir
4. User is unsuccessfully added to the ftp group
5. FTP group is being added to the permission set for the newly created dir, they need to be removed.
A tall order I know but any help would be GREATLY appreciated
ASKER
$objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)
throws an error of
Exception calling "Invoke" with "2" argument(s): "The network path was not found.
I just want to clarify, you want to:
Create a new folder - which works in your script
Create a new local user - which works in your script
Add the user to the "FTP Users" Local Group - NOT WORKING
Give the user full control to the new folder - NOT WORKING
Remove just the View/List Permissions from the FTP Users Group - NOT WORKING
Why are you adding the user to the FTP Group which has less rights and giving him specific rights?
I am testing the permissions script right now.
ASKER
I am using the script to create individual user folders with rights only for that newly created user. I need them to be in the FTP users group so they can access the FTP server. But I do not want the entire FTP group to have access to every folder created. Your outline above is all correct with what is so far working.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Here is what I am getting with the modified code
Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated. ps1:58 char:22
+ $objACL.AddAccessRule <<<< ($objACE)
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Exception calling "RemoveAccessRuleAll" with "1" argument(s): "Some or all identity references could not be translated." 71 char:28
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Exception calling "add" with "1" argument(s): "A member could not be added to or removed from the local group because the member does not exist.
" 84 char:11
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
any thoughts?
ASKER
This is a local user to the machine not a domain account on the FTP server I am trying to add
Ok, that is strange, it ran great on my computer.
What OS are you running it from, and what OS are you running it against?
What version of PowerShell are you using? Type $PSVersionTable at a PS Prompt and look for the PSVersion.
Also, the errors start with the folder permission changes. Can you verify that the user was created correctly, AND the folder was created correctly?
Yes, I understand we are dealing with a local user and not a domain user.
ASKER
1. folder created correctly
a. created user is not in the permission list for the new folder
b. FTP user group is in the permission list for the folder
2. User created correctly
a. user is not in the FTP user group
3. FTP server is a windows 2008 standard R2 machine
4. The script is being run on my local machine which is a Windows 7 box
5. Powershell Version v2
I would like to again thank you very much for your time on this matter. It truly is appreciated.
ASKER
more specifically
CLRVersion 2.0.50727.4952
BuildVersion 6.1.7600.16385
PSVersion 2.0
PSCompatableVersions <1.0 2.0>
SerializedVersion 1.1.0.1
PSRemotingProtocolVersion 2.1
Are you running the PowerShell window as administrator?
ASKER
open cmd as an admin then I input powershell.exe and run the script from there
ASKER
Correction: I have been running Windows PowerShell ISE, but not as an admin
just clicking on it and opening the editor
I will open ISE as an admin tomorrow when I get to work and see what that brings
/facepalm
ASKER
Ok running as admin here is what I am getting
Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At C:\Users\Tony Elam.DOMAIN\Desktop\ftpuser4.ps1:58 char:22
+ $objACL.AddAccessRule <<<< ($objACE)
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Exception calling "RemoveAccessRuleAll" with "1" argument(s): "Some or all identity references could not be translated."
At C:\Users\Tony Elam.DOMAIN\Desktop\ftpuser4.ps1:71 char:28
+ $objACL.RemoveAccessRuleAll <<<< ($objACE)
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Permissions Successfully Applied!
------------------------
Adding User to FTP Users Group
Exception calling "add" with "1" argument(s): "A member could not be added to or removed from the local group because the member does not exist.
"
At C:\Users\Tony Elam.DOMAIN\Desktop\ftpuser4.ps1:84 char:11
+ $group.add <<<< ("WinNT://$Computer/$AccountName,user")
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
it is creating the user
it is creating the folder
it is not removing the FTP group from the permission set for the folder
it is not adding the user to the FTP users group
it is not adding the newly created user to the permission set for the folder
Instead of running in ISE, can you right click on Windows PowerShell and select Run as Administrator?
I want to verify the same issue from PS command line.
Let me know if you get the same issues.
ASKER
Action completed as requested. Same result. Odd thing is, if I run my original script locally on the 2008 box it works fine. Additionally, the original run remotely created the user, and puts the user into the FTP users group, but does not add the user to the permission set for the new folder or remove the FTP users group from the permission set for the new folder as well.
It seems to not like the $Computer\$AccountName variables
You could try hard coding the values and seeing if that works; otherwise I am not sure what is going on. I ran it locally on my Win7 machine and it worked great. Maybe it doesn't work remotely.
Have you tried my script locally on the server?
ASKER
I have tried to run the script you created locally and it threw the same errors
for the $Computer
instead of "server.company.net"
try just "server"
ASKER
OK, I made the following changes as well as your suggested change
$objACL = Get-Acl "\\ptcnt016.eaglesoft.net\E\SecureFtpSite\Support\$AccountName"
$objACL.AddAccessRule($objACE)
Set-Acl "server.domain.net\E\SecureFtpSite\Support\$AccountName" $objACL
icacls "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" /inheritance:d
icacls "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" /remove "FTP Users"
just 1 error left
Exception calling "AddAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At C:\ftp\ftpuser5.ps1:70 char:22
+ $objACL.AddAccessRule <<<< ($objACE)
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
1. user created successfully
2. user added to FTP group successfully
3. folder created successfully
4 still need to add user to folder permission
5 still need to remove ftp group from folder permission
This is the code I am currently using
" -------------------------------------------"
" ## FTP VIRTUAL DIRECTORY CREATION SCRIPT ##"
""
""
" ## This script will create a new username, password, local directory, and virtual directory for a client "
""
" ## Please enter the following information "
""
" -------------------------------------------"
### PowerShell Script
### Create local User Account
$AccountName = Read-Host "Please enter user account name (i.e. krisp)"
$FullName = Read-Host "Please enter the full name (i.e. Kris)"
$Description = Read-Host "Please enter the description (i.e. Krisp FTP Login)"
$Password = Read-Host "Please enter a password"
$Computer = "server"
"Creating user on $Computer"
# Access to Container using the COM library
$Container = [ADSI] "WinNT://$Computer"
# Create User
$objUser = $Container.Create("user", $Accountname)
$objUser.Put("Fullname", $FullName)
$objUser.Put("Description", $Description)
# Set Password
$objUser.SetPassword($Password)
# Save Changes
$objUser.SetInfo()
# Add User Flags
# The numbers are bitwise - 65536 is Password Never Expires ; 64 is User Cannot Change Password
$objUser.userflags = 65536 -bor 64
$objUser.SetInfo()
"User $AccountName created!"
" ------------------------"
# ---Create FTP local directory---
"Creating directory E:\SecureFtpSite\Support\$AccountName"
New-Item \\server.domain.net\E\SecureFtpSite\Support\$AccountName -type directory
Start-Sleep -Seconds 5
"Directory $AccountName created!"
" ------------------------"
# ---Set Permissions on Folder
"Setting Permissions on E:\SecureFtpSite\Support\$AccountName"
$colRights = [System.Security.AccessControl.FileSystemRights]"Modify"
$Inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$User = New-Object System.Security.Principal.NTAccount("$Computer\$AccountName")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($User, $colRights, $Inherit, $Propagate, $objType)
$objACL = Get-Acl "\\server.domain.net\E\SecureFtpSite\Support\$AccountName"
$objACL.AddAccessRule($objACE)
Set-Acl "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" $objACL
icacls "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" /inheritance:d
icacls "\\server.domain.net\E\SecureFtpSite\Support\$AccountName" /remove "FTP Users"
Start-Sleep -Seconds 5
"Permissions Successfully Applied!"
" ------------------------"
# ---Add User to FTP Users Local Group
"Adding User to FTP Users Group"
$group = [ADSI]"WinNT://$computer/FTP Users"
$group.add("WinNT://$Computer/$AccountName")
"User Added!"
"-------------------------"
I have no idea, sorry.
ASKER
No problem, thanks for your time, it has been appreciated!
I will keep looking into it, and let you know if I find anything.
ASKER
My workaround is to use the invoke command on the local machine, thank you for your help sir!!!!
ASKER
What is the accepted solution for awarding points in this case, may I ask?
I guess that is up to you.
If you feel the solutions do not work for you, you can request the question closed and the points refunded to you.
ASKER
Your tremendous amount of attention to this matter leads me to think that the award should go to you
ASKER
I ultimately used a local ps1 script (I ran an Invoke-Command) to call the script on the remote machine
ASKER
Thank you
Thanks for the grade! It was nice working with you!
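The workaround the asker settled on, running the provisioning on the FTP server through Invoke-Command so that the local account and group names are resolved by the server itself, could look like the sketch below. It is an added example, not code from the thread; it assumes PowerShell remoting is enabled on the server, and the `$Root` variable, the `Invoke-Icacls` helper and the closing ACL check are illustrative names and steps that do not appear in the original posts.

```powershell
# Added example (not the asker's script). Assumes WinRM/PowerShell remoting is
# enabled on the FTP server; host, path and group names are taken from the thread.
$Computer    = "server"
$Root        = "E:\SecureFtpSite\Support"   # path as seen locally on the server
$Group       = "FTP Users"
$AccountName = Read-Host "Please enter user account name"
$FullName    = Read-Host "Please enter the full name"
$Description = Read-Host "Please enter the description"
$Password    = Read-Host "Please enter a password" -AsSecureString   # not echoed

$acl = Invoke-Command -ComputerName $Computer `
    -ArgumentList $AccountName, $FullName, $Description, $Password, $Root, $Group `
    -ScriptBlock {
    param($AccountName, $FullName, $Description, $Password, $Root, $Group)
    $machine = $env:COMPUTERNAME            # NetBIOS name of the server itself

    # Hypothetical helper: native tools do not throw, so fail on a non-zero exit code.
    function Invoke-Icacls {
        & icacls.exe @args | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls $args failed ($LASTEXITCODE)" }
    }

    # 1. Local user: same ADSI calls as in the thread, bound to the local SAM.
    $user = ([ADSI]"WinNT://$machine").Create("user", $AccountName)
    $user.Put("FullName", $FullName)
    $user.Put("Description", $Description)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # wipe the plaintext copy
    }
    $user.SetInfo()
    $user.userflags = 65536 -bor 64         # flags used in the thread's script
    $user.SetInfo()

    # 2. Group membership, which the thread says is needed to reach the FTP server.
    ([ADSI]"WinNT://$machine/$Group,group").Add("WinNT://$machine/$AccountName,user")

    # 3. Folder: stop inheriting, grant the user Modify (as in the thread), drop the group.
    $path = Join-Path $Root $AccountName
    New-Item -Path $path -ItemType Directory | Out-Null
    Invoke-Icacls $path "/inheritance:d"
    Invoke-Icacls $path "/grant" "${machine}\${AccountName}:(OI)(CI)M"
    Invoke-Icacls $path "/remove" $Group

    # 4. Return the resulting ACL so the caller can check it.
    (Get-Acl $path).Access | Select-Object `
        @{ n = "Identity"; e = { $_.IdentityReference.Value } },
        @{ n = "Rights";   e = { $_.FileSystemRights.ToString() } },
        IsInherited
}

# Check on the calling machine: the new user must hold an ACE, the group must not.
$acl | Format-Table Identity, Rights, IsInherited -AutoSize
$owner    = $acl | Where-Object { $_.Identity -like "*\$AccountName" }
$leftover = $acl | Where-Object { $_.Identity -like "*\$Group" }
if (-not $owner) { Write-Warning "$AccountName has no ACE on the new folder" }
if ($leftover)   { Write-Warning "$Group still has access to the new folder" }
```

Reading the password with `-AsSecureString` keeps it off the console, and the ACL returned at the end shows whether the "FTP Users" entry was actually removed, rather than relying on the script's own success message.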