?
Solved

Powershell creating users folders and permissions

Posted on 2015-01-26
4
Medium Priority
?
442 Views
Last Modified: 2015-02-01
Hi All,

This is relating to a question i've recently put up and have been helped with. http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_28601627.html 

I have a script (below) which does exactly what I want it to do. The only thing is missing is that the Administrator/System permissions are also set to Modify. I need those to be Full Access and the user to only be modify. Is someone able to assist?

param
(
      [String]$Path,
      [String]$UserList,
      [String[]]$FullControlMember
)

$Users=@()
$Results=@()
Import-Module ActiveDirectory
if (-not (Test-Path $Path))
{
      write-error      -Message "Cannot find path '$Path' because it does not exist."
      return
}
if (-not (Test-Path $UserList))
{
      write-error      -Message "Cannot find  '$UserList' because it does not exist."
      return
}
else
{
      $Users=Get-Content $UserList
}
#Check whether the input AD member is correct
if ($FullControlMember)
{
      $FullControlMember|ForEach-Object {
            if (-not(Get-ADObject -Filter 'Name -Like $_')){
                  $FullControlMember= $FullControlMember -notmatch $_; Write-Error -Message "Cannot find an object with name:'$_'"
            }
      }
}
$FullControlMember+="NT AUTHORITY\SYSTEM","BUILTIN\Administrators"

foreach($User in $Users)
{      
      $HomeFolderACL=Get-Acl $Path
      $HomeFolderACL.SetAccessRuleProtection($true,$false)
      $Result=New-Object PSObject
      $Result|Add-Member -MemberType NoteProperty -Name "Name" -Value $User
      if (Get-ADUser -Filter 'Name -Like $User')
      {
            New-Item -ItemType directory -Path "$Path\$User"|Out-Null
            #set acl to folder
            $FCList=$FullControlMember+$User
            #$FCList|ForEach-Object {
            #$ACL=New-Object System.Security.AccessControl.FileSystemAccessRule($_,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
            #                                    $HomeFolderACL.AddAccessRule($ACL)
            #                                    }
            $FCList|ForEach-Object {
            $ACL=New-Object System.Security.AccessControl.FileSystemAccessRule($_,"Modify","ContainerInherit,ObjectInherit","None","Allow")
                                                $HomeFolderACL.AddAccessRule($ACL)
                                                }
            Set-Acl -Path "$Path\$User" $HomeFolderACL
            $Result|Add-Member -MemberType NoteProperty -Name "IsCreated" -Value "Yes"
            $Result|Add-Member -MemberType NoteProperty -Name "Remark" -Value "N/A"
      }
      else
      {
            $Result|Add-Member -MemberType NoteProperty -Name "IsCreated" -Value "No"
            $Result|Add-Member -MemberType NoteProperty -Name "Remark" -Value "Cannot fine an object with name:'$User'"
      }
      $Results+=$Result
}
#Generate a report
$Results|Export-Csv -NoTypeInformation -Path "$Path\Report.csv"
if ($?) {Write-Host "Please check the report for detail: '$Path\Report.csv'"}
0
Comment
Question by:N00b2015
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40571843
<#
The sample scripts are not supported under any Microsoft standard support 
program or service. The sample scripts are provided AS IS without warranty  
of any kind. Microsoft further disclaims all implied warranties including,  
without limitation, any implied warranties of merchantability or of fitness for 
a particular purpose. The entire risk arising out of the use or performance of  
the sample scripts and documentation remains with you. In no event shall 
Microsoft, its authors, or anyone else involved in the creation, production, or 
delivery of the scripts be liable for any damages whatsoever (including, 
without limitation, damages for loss of business profits, business interruption, 
loss of business information, or other pecuniary loss) arising out of the use 
of or inability to use the sample scripts or documentation, even if Microsoft 
has been advised of the possibility of such damages.
#> 

#requires -Version 2

<#
.SYNOPSIS 
    This Script can help you to create several folders, and assign appropriate permission to each folder.
.DESCRIPTION
	This Script can help you to create several folders, and assign appropriate permission to each folder.
.PARAMETER  Path
	Indicate the location, where these folders will be created.
.PARAMETER  UserList
	Indicate a TXT file, which contain a name list of several users, one Name each line. Script will create folder for these users.
.PARAMETER	FullControlMember
	Indicate the users or groups, who have the permission to access each user’s folder. 
	Domain admins and system account will be the default value, whatever -FullControlMember be chosen or not. This parameter is optional.
.EXAMPLE
    .\CreateHomeFolder.ps1 -Path "c:\test" -UserList "c:\list.txt” -FullControlMember "file admin","fileadmins"
	
 	This command will to create home folders for several users. Grant the exact user, 
	user “File Admin” and group “FileAdmins” Full control permission to this folders. 
.LINK
	http://msdn.microsoft.com/en-us/library/ms147785(v=vs.90).aspx
#>
param
(
[Parameter(Mandatory=$true)][String]$Path,
[Parameter(Mandatory=$true)][String]$UserList,
[Parameter(Mandatory=$false)][String[]]$FullControlMember
)

$Users=@()
$Results=@()
Import-Module ActiveDirectory
if (-not (Test-Path $Path))
{
	write-error	-Message "Cannot find path '$Path' because it does not exist."
	return
}
if (-not (Test-Path $UserList))
{
	write-error	-Message "Cannot find  '$UserList' because it does not exist."
	return
}
else
{
	$Users=Get-Content $UserList
}
#Check whether the input AD member is correct
if ($FullControlMember)
{
	$FullControlMember|ForEach-Object {
		if (-not(Get-ADObject -Filter 'Name -Like $_')){
			$FullControlMember= $FullControlMember -notmatch $_; Write-Error -Message "Cannot find an object with name:'$_'"
		}
	}
}
$FullControlMembers+="NT AUTHORITY\SYSTEM","BUILTIN\Administrators"
foreach($User in $Users)
{	
	$HomeFolderACL=Get-Acl $Path
	$HomeFolderACL.SetAccessRuleProtection($true,$true)
	$Result=New-Object PSObject
	$Result|Add-Member -MemberType NoteProperty -Name "Name" -Value $User
	if (Get-ADUser -Filter "SamAccountName -eq '$User'")
	{
	New-Item -ItemType directory -Path "$Path\$User"|Out-Null
	#set acl to folder
	$FCList=$FullControlMember+$User
	$FCList|ForEach-Object 
        {
		$ACL=New-Object System.Security.AccessControl.FileSystemAccessRule($_,"Modify","ContainerInherit,ObjectInherit","None","Allow")
		$HomeFolderACL.AddAccessRule($ACL)
		}
	Set-Acl -Path "$Path\$User" $HomeFolderACL
	$Result|Add-Member -MemberType NoteProperty -Name "IsCreated" -Value "Yes"
	$Result|Add-Member -MemberType NoteProperty -Name "Remark" -Value "N/A"
    foreach($FullControlMember in $FullControlMembers)
        {
        $ACL=New-Object System.Security.AccessControl.FileSystemAccessRule($_,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
        $HomeFolderACL.AddAccessRule($ACL)
        }
        Set-Acl -Path "$Path\$User" $HomeFolderACL
  
	}
	else
	{
		$Result|Add-Member -MemberType NoteProperty -Name "IsCreated" -Value "No"
		$Result|Add-Member -MemberType NoteProperty -Name "Remark" -Value "Cannot find an object with name:'$User'"
	}
	$Results+=$Result
}
#Generate a report
$Results|Export-Csv -NoTypeInformation -Path "$Path\Report.csv"
if ($?) {Write-Host "Please check the report for details: '$Path\Report.csv'"
}                                  

Open in new window

0
 

Author Comment

by:N00b2015
ID: 40572428
Still not working I'm afraid.

I am now getting the below

"cmdlet ForEach-Object at command pipeline position 1
Supply values for the following parameters:
Process[0]:"
0
 

Accepted Solution

by:
N00b2015 earned 0 total points
ID: 40572480
I've managed to solve this.

I created a new line containing using full control without the +$USer. All is now working as it should.

            $FCList=$FullControlMember+$User
            $FCList|ForEach-Object {
            $ACL=New-Object System.Security.AccessControl.FileSystemAccessRule($_,"Modify","ContainerInherit,ObjectInherit","None","Allow")
                                                $HomeFolderACL.AddAccessRule($ACL)
                                                }
       $FCList=$FullControlMember            
        $FCList|ForEach-Object {
            $ACL=New-Object System.Security.AccessControl.FileSystemAccessRule($_,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
                                                $HomeFolderACL.AddAccessRule($ACL)
0
 

Author Closing Comment

by:N00b2015
ID: 40582266
All fixed
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
In threads here at EE, each comment has a unique Identifier (ID). It is easy to get the full path for an ID via the right-click context menu. However, we often want to post a short link within a thread rather than the full link. This article shows a…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question