Solved

permissions on user home folders

Posted on 2016-09-12
9
46 Views
Last Modified: 2016-10-07
Dear expert,

Could you please amend this script to add full ntfs permissions for  home folder owner? it is a very helpful script but during home profile path change process, on the target location, it does not add the person who owns the folder with full control over his/her own folder. ( home folder owner is exist on the source location with full access)

if you do this process manually in AD, if the folder already exist on the destination, it asks you if you want to grant the person with full rights to his/her home folder and you need to confirm the warning. however, with this script, it does not do that. So, I need to add owner with permissions to their home folders please.

$HomeRoot = "\\server\share\home"
 $UserList = Import-Csv -Path H:\RBG\export\users.csv -Header DisplayName
 ForEach ($User in $UserList) {
       If ($Account = Get-ADUser -LDAPFilter "(displayname=$($User.DisplayName))") {
             $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
             "Processing $($User.DisplayName) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
             Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h
       }
 }
0
Comment
Question by:kuzum
  • 5
  • 3
9 Comments
 
LVL 80

Accepted Solution

by:
David Johnson, CD, MVP earned 250 total points (awarded by participants)
ID: 41795375
The script is not designed to do what you want.. Your problem is in how you copy the folders to move the share from one location to another.  use Robocopy and the /SEC switch to keep the ntfs file permissions correct.

$OldRoot = '\\serverx\share\home'
$HomeRoot = '\\server\share\home'
$csvFile = 'H:\RBG\Export\Users.csv' 
 $UserList = Import-Csv -Path $csvfile -Header DisplayName
 ForEach ($User in $UserList) {
       If ($Account = Get-ADUser -LDAPFilter "(displayname=$($User.DisplayName))") {
         $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
         $OldHomeDirectory = Join-Path -Path $OldRoot -ChildPath $Account.SamAccountName
         "Processing $($User.DisplayName) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
             Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h
             if(test-path -Path $OldHomeDirectory) {
                $ACL = get-acl -Path $OldHomeDirectory
                Set-Acl -AclObject $ACL
                }
       }
 } 

Open in new window

0
 

Author Comment

by:kuzum
ID: 41795482
hi david,

I have the home folders restored to destination location  with backup software and permissions were retained. What exactly happens is this; as the folder now already exist on the destination, script should have grant the owner with full rights or retain the permissions as it is in the destination during profile path change. If you perform this action manually it is clear to see what it misses. ( warning message)

I will check your script and come back. Thanks
0
 

Author Comment

by:kuzum
ID: 41795509
HI David,

it is asking attached parameters to be entered?

regards.
Doc5.docx
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 

Author Comment

by:kuzum
ID: 41797021
Hi David

do you have any idea what that is please? thanks
0
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points (awarded by participants)
ID: 41797116
That would imply to me that Get-ACL is returning a $null value. check for $null and skip set-acl if $acl -eq $null
0
 

Author Comment

by:kuzum
ID: 41797732
Hi David, I tried to understand this but I am new to powershell and could not find where in script I should make this change:(
0
 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 125 total points (awarded by participants)
ID: 41798709
@Kuzum,

Something like this:
             if(test-path -Path $OldHomeDirectory) {
                $ACL = get-acl -Path $OldHomeDirectory
                if ($ACL -ne $null) {Set-Acl -AclObject $ACL}
                }

Open in new window

0
 

Assisted Solution

by:kuzum
kuzum earned 125 total points (awarded by participants)
ID: 41803719
I believe I resolved this by amending the original script, may I please ask you to validate the change?
it was missing : at the end of the code. should not have been just h

I also tried to change it to look for SamAccountName not user display name as I noticed some users have different display name than their logon names. it seems worked but could you please validate the code?

Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h
$HomeRoot = "\\server\share\home"
 $UserList = Import-Csv -Path c:\temp \export\userlist.csv -Header SamAccountname
 ForEach ($User in $UserList) {
       If ($Account = Get-ADUser -LDAPFilter "(samaccountname=$($User.samaccountname))") {
             $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
             "Processing $($User.DisplayName) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
             Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h:
       }
 }
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 41833328
Seemed the most fair to me
0

Featured Post

SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question