LDAP Query profile path & take ownership of network folders/files script
Posted on 2013-12-04
I'm trying to take ownership of many files & folders for a client. The files and folders are located on a file server; these folders are automatically created when the user John Doe logs into the domain for the first time. The folders are generated from the profile tab in Active Directory, so think \\SERV-01\profiles\johndoe
This works great: John Doe logs into the domain and the folder is automatically created on the file server. John Doe is able to access, read & write into the folder. The problem is that the local Admin account (or any other account) does not have access to this folder. The only way to gain admin access is to take ownership of the files, and then give admin and user John Doe access to his files. Easy if you had one or two folders/users, but unfortunately I have thousands to deal with.
Now onto the tricky part; bear with me here.
Say John Doe leaves; the admins delete his account but keep the \\SERV-01\profiles\johndoe folder. One year later John Doe comes back into the company, the user is recreated in Active Directory, and this is where problems arise. John Doe logs into the domain with his new account with \\SERV-01\profiles\johndoe set as his profile path. He notices upon logging into the domain that he does not have access to \\SERV-01\profiles\johndoe; in order to "fix" this issue, his profile path in Active Directory is changed to \\SERV-01\profiles\johndoe2 (note the 2 at the end). He now logs back into the domain and voila, he has a new folder he can access at \\SERV-01\profiles\johndoe2. The reason why he cannot access the old path is due to a UID mismatch: the old path has the UID of the first John Doe account, and the returning John Doe account has a new UID.
This is where I'm called in. I need to be able to do the following two things in one script:
1) Gain admin access to \\SERV-01\profiles\johndoe via taking ownership and adding the local built-in admin group into the ACL with full permission
2) Somehow add the new John Doe UID account onto the old \\SERV-01\profiles\johndoe folder. I assume this requires an LDAP query onto the "users" OU, dumping the results and trying to match the \\SERV-01\profiles\johndoe folder to John Doe.
I'm assuming a VBS/BAT script of sorts can pull this magic off, but I'm open to any other method to achieve my solution. Any takers?
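One way to do both steps in a single script, as an added PowerShell example that is not part of the original post. It assumes the profile folders live directly under \\SERV-01\profiles, that each folder's leaf name equals the user's sAMAccountName (johndoe), that the recreated accounts sit under the OU in $LdapBase (a placeholder you must change), and that the script runs elevated on a domain-joined machine as an account that is a local Administrator on SERV-01. Step 1 uses takeown.exe and icacls.exe, which enable the take-ownership/restore privileges themselves; step 2 does the LDAP query with System.DirectoryServices and grants the current account by its SID rather than by name, so the entry is bound to the new account and not to whatever SID the old ACL still references.

```powershell
# Repair-Profiles.ps1 -- added example, not from the original post.
# Assumed: folder leaf name == sAMAccountName; $LdapBase is a placeholder OU; run elevated.
param(
    [string]$ProfileRoot = '\\SERV-01\profiles',
    [string]$LdapBase    = 'LDAP://OU=Users,DC=example,DC=com',   # assumption: change to your OU
    [switch]$WhatIf
)

function Find-UserSid {
    # LDAP query for the *current* account with this sAMAccountName; returns its SID or $null.
    param([string]$SamAccountName)
    # Escape LDAP filter metacharacters (RFC 4515) so a crafted folder name cannot alter the filter.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $root     = New-Object System.DirectoryServices.DirectoryEntry($LdapBase)
    $filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    [void]$searcher.PropertiesToLoad.Add('objectSid')
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    # objectSid comes back as a byte[]; build the S-1-5-... form from it.
    New-Object System.Security.Principal.SecurityIdentifier($result.Properties['objectsid'][0], 0)
}

function Repair-ProfileFolder {
    param([System.IO.DirectoryInfo]$Folder)
    $path = $Folder.FullName
    $sid  = Find-UserSid -SamAccountName $Folder.Name

    if ($WhatIf) {
        Write-Host ("[WhatIf] {0}: owner -> BUILTIN\Administrators; grant Administrators F; grant user {1}" -f $path, $sid)
        return
    }

    # Step 1a: take ownership recursively (/R) for the local Administrators group (/A);
    #          /D Y answers "yes" when we lack list permission on a subfolder.
    & takeown.exe /F $path /A /R /D Y | Out-Null

    # Step 1b: Full control for Administrators, inherited by subfolders (CI) and files (OI),
    #          applied down the tree (/T), continuing past errors (/C), quietly (/Q).
    & icacls.exe $path /grant 'BUILTIN\Administrators:(OI)(CI)F' /T /C /Q | Out-Null

    # Step 2: re-grant the returning user by SID (icacls takes *S-1-5-... for a raw SID).
    if ($null -ne $sid) {
        & icacls.exe $path /grant ("*{0}:(OI)(CI)F" -f $sid.Value) /T /C /Q | Out-Null
    } else {
        Write-Warning "$path : no AD user named '$($Folder.Name)'; admin access restored, no user ACE added."
    }
}

# Only top-level profile folders; PSIsContainer keeps this working on older PowerShell versions.
Get-ChildItem -LiteralPath $ProfileRoot | Where-Object { $_.PSIsContainer } |
    ForEach-Object { Repair-ProfileFolder -Folder $_ }
```

Run it once with `-WhatIf` to see which folders resolve to a current account before touching any ACLs. Two caveats: the deleted account's SID stays in each ACL as an unresolvable entry, which this script leaves in place (remove it with `icacls <path> /remove:g *S-1-5-...` once you have confirmed it is orphaned), and if a returning user was recreated under a different sAMAccountName than the folder name, extend Find-UserSid to match on the profilePath attribute instead.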