biocompute
I need a script to apply ACLs to everyone's home directory at one time, based on their userID?

We have several hundred users, and their home directories currently live on a Samba server that doesn't have ACLs. We are migrating to a SAN that uses Windows ACLs, so we are going to copy everyone's home directories to the new SAN, but then we need to set up the ACLs for each home directory so the user has access to only their home directory. The name of the folder corresponds to their login.

Obviously I want to script this, but not sure how :)

So I want a script that will look at the folder for each home directory, take the name of the directory and use it as the user name and set ACLs so that user name can have full access to the folder.

folder path:
\\san\home\joesmith

set ACL on the folder so that user joesmith has read/write access

any ideas are appreciated!
twigahil

When we migrated from Novell to Windows a few years ago, we created the new Windows user accounts and home drives first so that the home drives were created with the proper permissions. Then we copied the contents of each user's home folder into their new home folder. Having ADUC create the home drives automatically gives the account creator/owner on the home folder. If the home folder is created and then the home path populated in the user properties, you may have to respond to this dialog box for each user: "The \\server\home\username home folder already exists. Do you want this user to be granted full control of this folder?"

That said, you may be able to use cacls or icacls or xcacls in a script to set the ownership. I'd test one first to see if that eliminates the message.
What about this PowerShell script, using Quest AD cmdlets:
dir \\server\share\* | %{
    $acl = get-acl -Path $_.fullname
    $user = (Get-QADUser $_.name -IncludedProperties "msDS-PrincipalName").("msDS-PrincipalName")
    $entry = New-Object System.Security.AccessControl.FileSystemAccessRule($user,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
    $acl.AddAccessRule($entry)
    Set-Acl -Path $_.fullname -AclObject $acl
}



ASKER

I had that idea after posting this question, to just let ADUC do the job for me. So I've been testing this. If I pre-create the new user directory on the SAN, then I edit the user's home folder path and put in the new path on the SAN, I get the prompt saying that the folder already exists: "Do you want this user to be granted full control of this folder?"

When I click YES, then log in as the user, that does it! The user has full control of their new home directory, and I didn't have to edit the ACLs...

The question now is how I can do this for everyone. I've used 'PowerGUI' before to do some PowerShell-type things, so I went into PowerGUI. I can edit the home directory in there for the user, and that works, but it doesn't do the job of setting the security (i.e. it doesn't grant full control over the folder for the user).

I've never used icacls before, is that the way to go?
ASKER CERTIFIED SOLUTION
soostibi
Just to be precise, there is a little typo. Here is the corrected one:
$domainname = "domain"
# Each folder under \\san\home is named after the user's login
dir \\san\home\* | %{
    $acl = get-acl -Path $_.fullname
    # Build the DOMAIN\user identity from the folder name
    $user = "$domainname\$($_.name)"
    # Allow rule that is inherited by all subfolders and files
    $entry = New-Object System.Security.AccessControl.FileSystemAccessRule($user,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
    $acl.AddAccessRule($entry)
    Set-Acl -Path $_.fullname -AclObject $acl
}


Hi soostibi, if I wanted to NOT grant full control to the user over their home directory, but instead just allow the Modify ACL, is that possible?
Yes, replace "FullControl" with "Modify, Synchronize". I have not tried it, but it probably will work. Get back if not.
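An added example (not soostibi's or twigahil's code) that folds the thread's two refinements together: it grants either FullControl or Modify (with Synchronize, as suggested above), and it checks that each folder name maps to a real domain account before writing the ACL, so a stale folder is reported instead of receiving a dangling entry. $DomainName, $HomeRoot and the parameter names are assumptions; run it with -WhatIf first to preview the changes.

```powershell
# Added example, not soostibi's script: grants each user rights on \\san\home\<login>,
# but only after the folder name has been checked against a real domain account.
# Assumptions: $DomainName and $HomeRoot are placeholders; requires PowerShell 3.0+.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DomainName = "domain",
    [string]$HomeRoot   = "\\san\home",
    [ValidateSet("FullControl", "Modify")]
    [string]$Rights     = "Modify"
)

# "Modify" needs Synchronize as well; without it Explorer shows "Special permissions".
$fsRights = if ($Rights -eq "Modify") {
    [System.Security.AccessControl.FileSystemRights]"Modify, Synchronize"
} else {
    [System.Security.AccessControl.FileSystemRights]::FullControl
}
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($dir in Get-ChildItem -Path $HomeRoot | Where-Object { $_.PSIsContainer }) {
    $account = New-Object System.Security.Principal.NTAccount($DomainName, $dir.Name)

    # Resolve the name to a SID first: a folder with no matching login (a stale or
    # renamed user) is reported and skipped instead of producing a bad ACE.
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account $account for folder $($dir.FullName); skipped"
        continue
    }
    $acl = Get-Acl -Path $dir.FullName

    # Make the script safe to re-run: do not add a second copy of an existing rule.
    $present = $acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq $allow -and
        $_.FileSystemRights -eq $fsRights -and $_.IdentityReference.Value -eq $account.Value
    }
    if ($present) { Write-Verbose "$($dir.FullName): $Rights already granted"; continue }

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $fsRights, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)

    # -WhatIf prints the change without applying it; use it for the first pass.
    if ($PSCmdlet.ShouldProcess($dir.FullName, "Grant $Rights to $account")) {
        Set-Acl -Path $dir.FullName -AclObject $acl
    }
}
```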