Solved

I need a script to apply ACLs to everyone's home directory at one time, based on their userID?

Posted on 2011-05-04
Last Modified: 2012-05-11
We have several hundred users, and their home directories currently live on a Samba server that doesn't have ACLs...we are migrating to a SAN that uses Windows ACLs...so we are going to copy everyone's home directories to the new SAN, but then we need to set up the ACLs for each home directory so the user has access to only their home directory.  The name of the folder corresponds to their login.

Obviously I want to script this, but not sure how :)

So I want a script that will look at the folder for each home directory, take the name of the directory and use it as the user name and set ACLs so that user name can have full access to the folder.

folder path:
\\san\home\joesmith

set ACL on the folder so that user joesmith has read/write access

any ideas are appreciated!
Question by:biocompute
7 Comments
LVL 2

Expert Comment

by:twigahil
ID: 35692890
When we migrated from Novell to Windows a few years ago, we created the new Windows user accounts and home drives first so that the home drives were created with the proper permissions.  Then we copied the contents of each user's home folder into their new home folder.  Having ADUC create the home drives automatically gives the account creator/owner on the home folder.  If the home folder is created and then the home path populated in the user properties, you may have to respond to this dialog box for each user: "The \\server\home\username home folder already exists.  Do you want this user to be granted full control of this folder?"

That said, you may be able to use cacls or icacls or xcacls in a script to set the ownership.  I'd test one first to see if that eliminates the message.

LVL 13

Expert Comment

by:soostibi
ID: 35693528
What about this PowerShell script, using Quest AD cmdlets:
```powershell
# Each child of the share is a home folder named after the user's login
dir \\server\share\* | %{
    $acl = get-acl -Path $_.fullname
    # Resolve the folder name to DOMAIN\user via Quest AD cmdlets
    $user = (Get-QADUser $_.name -IncludedProperties "msDS-PrincipalName").("msDS-PrincipalName")
    # Allow ACE: FullControl, inherited by subfolders and files
    $entry = New-Object System.Security.AccessControl.FileSystemAccessRule($user,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
    $acl.AddAccessRule($entry)
    Set-Acl -Path $_.fullname -AclObject $acl
}
```


Author Comment

by:biocompute
ID: 35693570
I had that idea after posting this question to just let ADUC do the job for me.  So I've been testing this.  If I pre-create the new user directory on the SAN, then I edit the user's home folder path and put in the new path on the SAN, I get the prompt saying that the folder already exists. Do you want this user to be granted full control of this folder?

When I click YES, then log in as the user, that does it! The user has full control of their new home directory, and I didn't have to edit the ACLs...

The question now is how I can do this for everyone.  I've used 'PowerGUI' before to do some powershell type things, so I went into PowerGUI, I can edit the home directory in there for the user, and that works, but it doesn't do the job of setting the security (i.e. it doesn't grant full control over the folder for the user)

I've never used icacls before, is that the way to go?
LVL 13

Accepted Solution

by:
soostibi earned 2000 total points
ID: 35695921
Or without AD cmdlets:
```powershell
$domainname = "domain"
dir \\san\home\* | %{
    $acl = get-acl -Path $_.fullname
    $user = "$domain\$($_.name)"
    $entry = New-Object System.Security.AccessControl.FileSystemAccessRule($user,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
    $acl.AddAccessRule($entry)
    Set-Acl -Path $_.fullname -AclObject $acl
}
```

LVL 13

Expert Comment

by:soostibi
ID: 35700869
Just to be precise, a little typo is there. Here is the corrected one:
```powershell
$domainname = "domain"
# Each child of \\san\home is a home folder named after the user's login
dir \\san\home\* | %{
    $acl = get-acl -Path $_.fullname
    # Build DOMAIN\user from the folder name (variable name now matches)
    $user = "$domainname\$($_.name)"
    # Allow ACE: FullControl, inherited by subfolders and files
    $entry = New-Object System.Security.AccessControl.FileSystemAccessRule($user,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
    $acl.AddAccessRule($entry)
    Set-Acl -Path $_.fullname -AclObject $acl
}
```


Author Comment

by:biocompute
ID: 35770508
Hi soostibi--if I wanted to NOT grant full control to the user over their home directory, but instead just allow the modify ACL, is that possible?
LVL 13

Expert Comment

by:soostibi
ID: 35772055
Yes, replace "FullControl" with "Modify, Synchronize". I have not tried it, but it will probably work. Get back if not.
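The accepted script and the "Modify, Synchronize" variant combined into one idempotent version, as an added example that is not soostibi's code. It assumes the same layout as the question (folder name equals the login, `\\san\home` as the root, `domain` as the NetBIOS domain name); the `$HomeRoot`, `$Domain` and `-DryRun` parameters are this example's own. It resolves each account before touching the ACL, so a folder with no matching user is reported rather than silently left with whatever permissions the copy gave it, and it reports any other explicit (non-inherited) entries so stray grants from the migration are visible.

```powershell
# Added example: grant each user Modify (not FullControl) on their own home folder.
param(
    [string]$HomeRoot = '\\san\home',   # assumption: share root from the question
    [string]$Domain   = 'domain',       # assumption: NetBIOS domain name
    [switch]$DryRun                     # report only, change nothing
)

$Rights  = [System.Security.AccessControl.FileSystemRights]'Modify, Synchronize'
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None

# PSIsContainer keeps this working on PowerShell 2.0, which lacks -Directory.
foreach ($dir in Get-ChildItem -Path $HomeRoot | Where-Object { $_.PSIsContainer }) {
    $account = New-Object System.Security.Principal.NTAccount("$Domain\$($dir.Name)")

    # Resolve the principal first: a folder whose name is not a real account
    # (stale user, typo) would otherwise make Set-Acl fail mid-run.
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Skipping $($dir.FullName): '$account' does not resolve"
        continue
    }

    $acl = Get-Acl -Path $dir.FullName

    # Surface other explicit (non-inherited) grants so leftovers are reviewed.
    $acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -ne $account.Value
    } | ForEach-Object {
        Write-Warning "$($dir.FullName): explicit ACE for $($_.IdentityReference) ($($_.FileSystemRights))"
    }

    # Idempotent: skip folders that already carry an explicit ACE for this user.
    $already = $acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $account.Value
    }
    if ($already) { Write-Verbose "Already set: $($dir.FullName)"; continue }

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $account, $Rights, $Inherit, $Prop, 'Allow')
    $acl.AddAccessRule($rule)

    if ($DryRun) {
        Write-Host "Would grant Modify on $($dir.FullName) to $account ($sid)"
    } else {
        Set-Acl -Path $dir.FullName -AclObject $acl
    }
}
```

Run it once with `-DryRun` from a domain-joined machine that has write access to the share's security descriptors, and check the warnings before the real pass.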