Solved

permissions on user home folders

Posted on 2016-09-12
9
42 Views
Last Modified: 2016-10-07
Dear expert,

Could you please amend this script to add full ntfs permissions for  home folder owner? it is a very helpful script but during home profile path change process, on the target location, it does not add the person who owns the folder with full control over his/her own folder. ( home folder owner is exist on the source location with full access)

if you do this process manually in AD, if the folder already exist on the destination, it asks you if you want to grant the person with full rights to his/her home folder and you need to confirm the warning. however, with this script, it does not do that. So, I need to add owner with permissions to their home folders please.

$HomeRoot = "\\server\share\home"
 $UserList = Import-Csv -Path H:\RBG\export\users.csv -Header DisplayName
 ForEach ($User in $UserList) {
       If ($Account = Get-ADUser -LDAPFilter "(displayname=$($User.DisplayName))") {
             $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
             "Processing $($User.DisplayName) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
             Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h
       }
 }
0
Comment
Question by:kuzum
  • 5
  • 3
9 Comments
 
LVL 79

Accepted Solution

by:
David Johnson, CD, MVP earned 250 total points (awarded by participants)
ID: 41795375
The script is not designed to do what you want.. Your problem is in how you copy the folders to move the share from one location to another.  use Robocopy and the /SEC switch to keep the ntfs file permissions correct.

$OldRoot = '\\serverx\share\home'
$HomeRoot = '\\server\share\home'
$csvFile = 'H:\RBG\Export\Users.csv' 
 $UserList = Import-Csv -Path $csvfile -Header DisplayName
 ForEach ($User in $UserList) {
       If ($Account = Get-ADUser -LDAPFilter "(displayname=$($User.DisplayName))") {
         $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
         $OldHomeDirectory = Join-Path -Path $OldRoot -ChildPath $Account.SamAccountName
         "Processing $($User.DisplayName) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
             Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h
             if(test-path -Path $OldHomeDirectory) {
                $ACL = get-acl -Path $OldHomeDirectory
                Set-Acl -AclObject $ACL
                }
       }
 } 

Open in new window

0
 

Author Comment

by:kuzum
ID: 41795482
hi david,

I have the home folders restored to destination location  with backup software and permissions were retained. What exactly happens is this; as the folder now already exist on the destination, script should have grant the owner with full rights or retain the permissions as it is in the destination during profile path change. If you perform this action manually it is clear to see what it misses. ( warning message)

I will check your script and come back. Thanks
0
 

Author Comment

by:kuzum
ID: 41795509
HI David,

it is asking attached parameters to be entered?

regards.
Doc5.docx
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Author Comment

by:kuzum
ID: 41797021
Hi David

do you have any idea what that is please? thanks
0
 
LVL 79

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points (awarded by participants)
ID: 41797116
That would imply to me that Get-ACL is returning a $null value. check for $null and skip set-acl if $acl -eq $null
0
 

Author Comment

by:kuzum
ID: 41797732
Hi David, I tried to understand this but I am new to powershell and could not find where in script I should make this change:(
0
 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 125 total points (awarded by participants)
ID: 41798709
@Kuzum,

Something like this:
             if(test-path -Path $OldHomeDirectory) {
                $ACL = get-acl -Path $OldHomeDirectory
                if ($ACL -ne $null) {Set-Acl -AclObject $ACL}
                }

Open in new window

0
 

Assisted Solution

by:kuzum
kuzum earned 125 total points (awarded by participants)
ID: 41803719
I believe I resolved this by amending the original script, may I please ask you to validate the change?
it was missing : at the end of the code. should not have been just h

I also tried to change it to look for SamAccountName not user display name as I noticed some users have different display name than their logon names. it seems worked but could you please validate the code?

Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h
$HomeRoot = "\\server\share\home"
 $UserList = Import-Csv -Path c:\temp \export\userlist.csv -Header SamAccountname
 ForEach ($User in $UserList) {
       If ($Account = Get-ADUser -LDAPFilter "(samaccountname=$($User.samaccountname))") {
             $HomeDirectory = Join-Path -Path $HomeRoot -ChildPath $Account.SamAccountName
             "Processing $($User.DisplayName) ($($Account.SamAccountName)): new home '$($HomeDirectory)'"
             Set-ADuser -Identity $Account.SamAccountName -HomeDirectory $HomeDirectory -HomeDrive h:
       }
 }
0
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 41833328
Seemed the most fair to me
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question