Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

permissions on user home folders

Posted on 2016-09-12
9
Medium Priority
?
56 Views
Last Modified: 2016-10-07
Dear expert,

Could you please amend this script to add full ntfs permissions for  home folder owner? it is a very helpful script but during home profile path change process, on the target location, it does not add the person who owns the folder with full control over his/her own folder. ( home folder owner is exist on the source location with full access)

if you do this process manually in AD, if the folder already exist on the destination, it asks you if you want to grant the person with full rights to his/her home folder and you need to confirm the warning. however, with this script, it does not do that. So, I need to add owner with permissions to their home folders please.

$HomeRoot = "\\server\share\home"
 $UserList = Import-Csv -Path H:\RBG\export\users.csv -Header DisplayName
 ForEach ($User in $UserList) {
       If ($Account = Get-ADUser -LDAPFilter "(displayname=$($User.DisplayName))") {
             $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
             "Processing $($User.DisplayName) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
             Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h
       }
 }
0
Comment
Question by:kuzum
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
9 Comments
 
LVL 83

Accepted Solution

by:
David Johnson, CD, MVP earned 1000 total points (awarded by participants)
ID: 41795375
The script is not designed to do what you want.. Your problem is in how you copy the folders to move the share from one location to another.  use Robocopy and the /SEC switch to keep the ntfs file permissions correct.

$OldRoot = '\\serverx\share\home'
$HomeRoot = '\\server\share\home'
$csvFile = 'H:\RBG\Export\Users.csv' 
 $UserList = Import-Csv -Path $csvfile -Header DisplayName
 ForEach ($User in $UserList) {
       If ($Account = Get-ADUser -LDAPFilter "(displayname=$($User.DisplayName))") {
         $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
         $OldHomeDirectory = Join-Path -Path $OldRoot -ChildPath $Account.SamAccountName
         "Processing $($User.DisplayName) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
             Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h
             if(test-path -Path $OldHomeDirectory) {
                $ACL = get-acl -Path $OldHomeDirectory
                Set-Acl -AclObject $ACL
                }
       }
 } 

Open in new window

0
 

Author Comment

by:kuzum
ID: 41795482
hi david,

I have the home folders restored to destination location  with backup software and permissions were retained. What exactly happens is this; as the folder now already exist on the destination, script should have grant the owner with full rights or retain the permissions as it is in the destination during profile path change. If you perform this action manually it is clear to see what it misses. ( warning message)

I will check your script and come back. Thanks
0
 

Author Comment

by:kuzum
ID: 41795509
HI David,

it is asking attached parameters to be entered?

regards.
Doc5.docx
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:kuzum
ID: 41797021
Hi David

do you have any idea what that is please? thanks
0
 
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 1000 total points (awarded by participants)
ID: 41797116
That would imply to me that Get-ACL is returning a $null value. check for $null and skip set-acl if $acl -eq $null
0
 

Author Comment

by:kuzum
ID: 41797732
Hi David, I tried to understand this but I am new to powershell and could not find where in script I should make this change:(
0
 
LVL 13

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 500 total points (awarded by participants)
ID: 41798709
@Kuzum,

Something like this:
             if(test-path -Path $OldHomeDirectory) {
                $ACL = get-acl -Path $OldHomeDirectory
                if ($ACL -ne $null) {Set-Acl -AclObject $ACL}
                }

Open in new window

0
 

Assisted Solution

by:kuzum
kuzum earned 500 total points (awarded by participants)
ID: 41803719
I believe I resolved this by amending the original script, may I please ask you to validate the change?
it was missing : at the end of the code. should not have been just h

I also tried to change it to look for SamAccountName not user display name as I noticed some users have different display name than their logon names. it seems worked but could you please validate the code?

Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h
$HomeRoot = "\\server\share\home"
 $UserList = Import-Csv -Path c:\temp \export\userlist.csv -Header SamAccountname
 ForEach ($User in $UserList) {
       If ($Account = Get-ADUser -LDAPFilter "(samaccountname=$($User.samaccountname))") {
             $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
             "Processing $($User.DisplayName) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
             Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h:
       }
 }
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 41833328
Seemed the most fair to me
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question