Solved

permissions on user home folders

Posted on 2016-09-12
Last Modified: 2016-10-07
Dear expert,

Could you please amend this script to add full NTFS permissions for the home folder owner? It is a very helpful script, but during the home profile path change process, on the target location, it does not add the person who owns the folder with full control over his/her own folder. (The home folder owner exists on the source location with full access.)

If you do this process manually in AD and the folder already exists on the destination, it asks you if you want to grant the person full rights to his/her home folder, and you need to confirm the warning. However, with this script, it does not do that. So I need to add the owner with permissions to their home folders, please.

$HomeRoot = "\\server\share\home"
$UserList = Import-Csv -Path H:\RBG\export\users.csv -Header DisplayName
ForEach ($User in $UserList) {
    If ($Account = Get-ADUser -LDAPFilter "(displayname=$($User.DisplayName))") {
        $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
        "Processing $($User.DisplayName) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
        Set-ADUser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h
    }
}
Question by:kuzum
9 Comments
 
LVL 82

Accepted Solution

by: David Johnson, CD, MVP (earned 1000 total points, awarded by participants)
ID: 41795375
The script is not designed to do what you want. Your problem is in how you copy the folders to move the share from one location to another. Use Robocopy and the /SEC switch to keep the NTFS file permissions correct.

$OldRoot  = '\\serverx\share\home'
$HomeRoot = '\\server\share\home'
$csvFile  = 'H:\RBG\Export\Users.csv'
$UserList = Import-Csv -Path $csvFile -Header DisplayName
ForEach ($User in $UserList) {
    If ($Account = Get-ADUser -LDAPFilter "(displayname=$($User.DisplayName))") {
        $HomeDirectory    = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
        $OldHomeDirectory = Join-Path -Path $OldRoot  -ChildPath $Account.SamAccountName
        "Processing $($User.DisplayName) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
        Set-ADUser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h
        if (Test-Path -Path $OldHomeDirectory) {
            # Copy the old home folder's ACL onto the new one.
            # Set-Acl needs the target path; without -Path it prompts for one.
            $ACL = Get-Acl -Path $OldHomeDirectory
            Set-Acl -Path $HomeDirectory -AclObject $ACL
        }
    }
}

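As an added example (not code from this thread or from either answerer), the following script does what the question asks for directly: after updating the user's home directory in AD, it makes sure the destination folder exists, grants that user Full Control on it (inherited by subfolders and files) and sets the user as owner. It assumes the ActiveDirectory module is available, that the CSV is a header-less list of SamAccountNames, and that the root and CSV paths are placeholders; the function name Grant-HomeFolderAccess is my own. Note that Set-Acl is always given its target via -LiteralPath, because a Set-Acl call with only -AclObject prompts for the mandatory Path parameter.

```powershell
# Added example: grant the home folder owner Full Control on the new home folder.
# Assumptions: ActiveDirectory module present; the account running this is an
# administrator on the file server (assigning ownership to another principal
# requires the restore privilege); paths below are placeholders.
Import-Module ActiveDirectory

$HomeRoot = '\\server\share\home'          # root from the question
$csvFile  = 'C:\temp\export\userlist.csv'  # placeholder: one SamAccountName per line, no header row

function Grant-HomeFolderAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid
    )

    # Create the folder if the restore did not bring it across.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    $acl = Get-Acl -LiteralPath $Path

    # Full Control for the user, applied to this folder and inherited by
    # everything below it. Using the SID avoids name-resolution surprises
    # when display names and logon names differ.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Sid,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)

    # Make the user the owner, as the manual AD dialog does. If the caller
    # lacks the privilege to assign ownership, this is the step that fails;
    # the Full Control entry above is what the user actually needs.
    $acl.SetOwner($Sid)

    # Set-Acl must be told which object to write to; with only -AclObject
    # it prompts for Path.
    Set-Acl -LiteralPath $Path -AclObject $acl
}

ForEach ($User in (Import-Csv -Path $csvFile -Header SamAccountName)) {
    # Look the account up by identity instead of building an LDAP filter from
    # CSV text, so a stray '(' or '*' in the input cannot change the query.
    try {
        $Account = Get-ADUser -Identity $User.SamAccountName -ErrorAction Stop
    } catch {
        Write-Warning "No AD user found for '$($User.SamAccountName)', skipping"
        continue
    }

    $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
    "Processing $($Account.Name) ($($Account.SamAccountName)): new home '$HomeDirectory'"

    # homeDrive wants the drive letter with its colon.
    Set-ADUser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive 'H:'
    Grant-HomeFolderAccess -Path $HomeDirectory -Sid $Account.SID
}
```

Run it once with a CSV containing a single test account and check the resulting ACL with Get-Acl on the new folder before running it against the full list; AddAccessRule is additive, so existing entries restored by the backup software are kept.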
 

Author Comment

by:kuzum
ID: 41795482
hi david,

I have the home folders restored to the destination location with backup software, and permissions were retained. What exactly happens is this: as the folder now already exists on the destination, the script should have granted the owner full rights or retained the permissions as they are in the destination during the profile path change. If you perform this action manually, it is clear to see what it misses (the warning message).

I will check your script and come back. Thanks
 

Author Comment

by:kuzum
ID: 41795509
HI David,

It is asking for the attached parameters to be entered?

regards.
Doc5.docx

Author Comment

by:kuzum
ID: 41797021
Hi David

Do you have any idea what that is, please? Thanks.
 
LVL 82

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 1000 total points (awarded by participants)
ID: 41797116
That would imply to me that Get-Acl is returning a $null value. Check for $null and skip Set-Acl if $acl -eq $null.
 

Author Comment

by:kuzum
ID: 41797732
Hi David, I tried to understand this, but I am new to PowerShell and could not find where in the script I should make this change :(
 
LVL 13

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 500 total points (awarded by participants)
ID: 41798709
@Kuzum,

Something like this:
if (Test-Path -Path $OldHomeDirectory) {
    $ACL = Get-Acl -Path $OldHomeDirectory
    # Skip Set-Acl when nothing was read; Set-Acl still needs the target path
    if ($ACL -ne $null) { Set-Acl -Path $HomeDirectory -AclObject $ACL }
}
 

Assisted Solution

by:kuzum
kuzum earned 500 total points (awarded by participants)
ID: 41803719
I believe I resolved this by amending the original script. May I please ask you to validate the change?
It was missing a colon at the end of the code; it should not have been just h.

I also tried to change it to look for SamAccountName rather than the user display name, as I noticed some users have a different display name than their logon name. It seems to have worked, but could you please validate the code?

Set-ADUser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h

$HomeRoot = "\\server\share\home"
$UserList = Import-Csv -Path c:\temp\export\userlist.csv -Header SamAccountName
ForEach ($User in $UserList) {
    If ($Account = Get-ADUser -LDAPFilter "(samaccountname=$($User.SamAccountName))") {
        $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
        # The CSV no longer has a DisplayName column, so report the AD account's name instead
        "Processing $($Account.Name) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
        Set-ADUser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h:
    }
}
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 41833328
Seemed the most fair to me