Solved

permissions on user home folders

Posted on 2016-09-12
9
45 Views
Last Modified: 2016-10-07
Dear expert,

Could you please amend this script to add full ntfs permissions for  home folder owner? it is a very helpful script but during home profile path change process, on the target location, it does not add the person who owns the folder with full control over his/her own folder. ( home folder owner is exist on the source location with full access)

if you do this process manually in AD, if the folder already exist on the destination, it asks you if you want to grant the person with full rights to his/her home folder and you need to confirm the warning. however, with this script, it does not do that. So, I need to add owner with permissions to their home folders please.

$HomeRoot = "\\server\share\home"
 $UserList = Import-Csv -Path H:\RBG\export\users.csv -Header DisplayName
 ForEach ($User in $UserList) {
       If ($Account = Get-ADUser -LDAPFilter "(displayname=$($User.DisplayName))") {
             $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
             "Processing $($User.DisplayName) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
             Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h
       }
 }
0
Comment
Question by:kuzum
  • 5
  • 3
9 Comments
 
LVL 80

Accepted Solution

by:
David Johnson, CD, MVP earned 250 total points (awarded by participants)
ID: 41795375
The script is not designed to do what you want.. Your problem is in how you copy the folders to move the share from one location to another.  use Robocopy and the /SEC switch to keep the ntfs file permissions correct.

$OldRoot = '\\serverx\share\home'
$HomeRoot = '\\server\share\home'
$csvFile = 'H:\RBG\Export\Users.csv' 
 $UserList = Import-Csv -Path $csvfile -Header DisplayName
 ForEach ($User in $UserList) {
       If ($Account = Get-ADUser -LDAPFilter "(displayname=$($User.DisplayName))") {
         $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
         $OldHomeDirectory = Join-Path -Path $OldRoot -ChildPath $Account.SamAccountName
         "Processing $($User.DisplayName) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
             Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h
             if(test-path -Path $OldHomeDirectory) {
                $ACL = get-acl -Path $OldHomeDirectory
                Set-Acl -AclObject $ACL
                }
       }
 } 

Open in new window

0
 

Author Comment

by:kuzum
ID: 41795482
hi david,

I have the home folders restored to destination location  with backup software and permissions were retained. What exactly happens is this; as the folder now already exist on the destination, script should have grant the owner with full rights or retain the permissions as it is in the destination during profile path change. If you perform this action manually it is clear to see what it misses. ( warning message)

I will check your script and come back. Thanks
0
 

Author Comment

by:kuzum
ID: 41795509
HI David,

it is asking attached parameters to be entered?

regards.
Doc5.docx
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:kuzum
ID: 41797021
Hi David

do you have any idea what that is please? thanks
0
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points (awarded by participants)
ID: 41797116
That would imply to me that Get-ACL is returning a $null value. check for $null and skip set-acl if $acl -eq $null
0
 

Author Comment

by:kuzum
ID: 41797732
Hi David, I tried to understand this but I am new to powershell and could not find where in script I should make this change:(
0
 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 125 total points (awarded by participants)
ID: 41798709
@Kuzum,

Something like this:
             if(test-path -Path $OldHomeDirectory) {
                $ACL = get-acl -Path $OldHomeDirectory
                if ($ACL -ne $null) {Set-Acl -AclObject $ACL}
                }

Open in new window

0
 

Assisted Solution

by:kuzum
kuzum earned 125 total points (awarded by participants)
ID: 41803719
I believe I resolved this by amending the original script, may I please ask you to validate the change?
it was missing : at the end of the code. should not have been just h

I also tried to change it to look for SamAccountName not user display name as I noticed some users have different display name than their logon names. it seems worked but could you please validate the code?

Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h
$HomeRoot = "\\server\share\home"
 $UserList = Import-Csv -Path c:\temp \export\userlist.csv -Header SamAccountname
 ForEach ($User in $UserList) {
       If ($Account = Get-ADUser -LDAPFilter "(samaccountname=$($User.samaccountname))") {
             $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
             "Processing $($User.DisplayName) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
             Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h:
       }
 }
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 41833328
Seemed the most fair to me
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to prepare an HTML email signature template file containing dynamic placeholders for users' Azure AD data. Furthermore, it explains how to use this file to remotely set up a department-wide email signature policy in Office …
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question