How to Set correct permission Home Folder with Powershell

    Question

  • Hi.

    I have for several days now tried to change NTFS permissions on 2 folders without any luck.

    Folder 1: domain\userhomedrive

    Subfolder 2: domain\userhomedrive\personal

    Folder 1 as it is now:

    FileSystemRights : Modify, Synchronize

    AccessControlType : Allow

    IdentityReference : Domain\Username

    IsInherited : False

    InheritanceFlags : ContainerInherit

    PropagationFlags : InheritOnly


    FileSystemRights : FullControl

    AccessControlType : Allow

    IdentityReference : Domain\RDAT_FolderAdmin

    IsInherited : True

    InheritanceFlags : ContainerInherit, ObjectInherit

    PropagationFlags : None


    FileSystemRights : ReadAndExecute, Synchronize

    AccessControlType : Allow

    IdentityReference : Domain\RDAT_AlleFastAnsatte

    IsInherited : True

    InheritanceFlags : ContainerInherit, ObjectInherit

    PropagationFlags : None


    Folder 2 as it is now:

    FileSystemRights : Modify, Synchronize

    AccessControlType : Allow

    IdentityReference : Domain\Username

    IsInherited : True

    InheritanceFlags : ContainerInherit

    PropagationFlags : None


    FileSystemRights : FullControl

    AccessControlType : Allow

    IdentityReference : Domain\RDAT_FolderAdmin

    IsInherited : True

    InheritanceFlags : ContainerInherit, ObjectInherit

    PropagationFlags : None


    FileSystemRights : ReadAndExecute, Synchronize

    AccessControlType : Allow

    IdentityReference : Domain\RDAT_AlleFastAnsatte

    IsInherited : True

    InheritanceFlags : ContainerInherit, ObjectInherit

    PropagationFlags : None


    Folder 1 as it should be:

    FileSystemRights : Modify, Synchronize

    AccessControlType : Allow

    IdentityReference : Domain\username

    IsInherited : False

    InheritanceFlags : ContainerInherit, ObjectInherit

    PropagationFlags : None


    FileSystemRights : FullControl

    AccessControlType : Allow

    IdentityReference : Domain\RDAT_FolderAdmin

    IsInherited : True

    InheritanceFlags : ContainerInherit, ObjectInherit

    PropagationFlags : None


    FileSystemRights : ReadAndExecute, Synchronize

    AccessControlType : Allow

    IdentityReference : Domain\RDAT_AlleFastAnsatte

    IsInherited : True

    InheritanceFlags : ContainerInherit, ObjectInherit

    PropagationFlags : None

    Folder 2 as it should be:


    FileSystemRights : ReadExtendedAttributes, ReadAttributes, ReadPermissions, Synchronize

    AccessControlType : Allow

    IdentityReference : NT AUTHORITY\SYSTEM

    IsInherited : False

    InheritanceFlags : ContainerInherit, ObjectInherit

    PropagationFlags : None


    FileSystemRights : FullControl

    AccessControlType : Allow

    IdentityReference : Domain\RDAT_FolderAdmin

    IsInherited : False

    InheritanceFlags : ContainerInherit, ObjectInherit

    PropagationFlags : None


    FileSystemRights : Modify, Synchronize

    AccessControlType : Allow

    IdentityReference : Domain\username

    IsInherited : False

    InheritanceFlags : ContainerInherit, ObjectInherit

    PropagationFlags : None


    I would be most obliged if anyone could help me out.

    Regards

    CarstenR



    Carsten

    Friday, December 20, 2013 12:32 PM

All replies

  • If you let Group Policy create the folders then the permissions will always set correctly.

    HomeFolder should be "My Documents" redirected by Group Policy.

    When Microsoft sets up a domain or when an MCSE sets up a domain we always redirect the users' folders and set the home to the "My Documents" redirected folder.


    ¯\_(ツ)_/¯

    Friday, December 20, 2013 12:48 PM
  • Even if you are using script you fail to show your script.

    What is it that you are trying to do?

    A user needs to be the owner of the home folder set.  It is considered part of the extended profile.

    You can set the owner with $acl.SetOwner(...)

    Here is a discussion on how to set permissions: http://blogs.technet.com/b/josebda/archive/2010/11/12/how-to-handle-ntfs-folder-permissions-security-descriptors-and-acls-in-powershell.aspx


    ¯\_(ツ)_/¯

    Friday, December 20, 2013 12:54 PM
  • Hi.

    Thank you for answering my question. I am new to Powershell so forgive me for mistakes.

    My PowerShell script looks as follows and my intention is to

    a) bulk add users

    b) add additional info to users from a CSV file

    c) create 2 folders

    d) set right permissions to 2 folders

    Import-Module ActiveDirectory
    $Users = Import-Csv -Delimiter ";" -Path "c:\ud-sys\scripts\bulkadd\users.csv"
    foreach ($User in $Users)
    {
        $OU = "ou=konsulenter,ou=users,dc=domain,dc=corp,dc=company,dc=net"
        $UserRoot = "\\domain\sys\user\"
        $HomeDrive = "H:"
        $HomeDirectory = $UserRoot + $User.SamAccountName
        $ScriptPath = "logon.bat"
        $ProfileRoot = "\Profile_%UD_OS%"
        $ProfilePath = $UserRoot + $User.SamAccountName + $ProfileRoot
        $Password = $User.password
        $Detailedname = $User.GivenName + " " + $User.Surname
        $UserFirstname = $User.GivenName

        New-ADUser -Name $Detailedname -SamAccountName $User.SamAccountName -UserPrincipalName $User.SamAccountName -DisplayName $Detailedname -GivenName $user.GivenName -Surname $user.SurName -Description $User.Description -Office $User.Office -AccountExpirationDate $User.AccountExpirationDate -Title $User.Title -Department $User.Department -Company $User.Company -Manager $User.Manager -MobilePhone $User.MobilePhone -HomeDrive $HomeDrive -HomeDirectory $HomeDirectory -ProfilePath $Profilepath -Scriptpath $Scriptpath -AccountPassword (ConvertTo-SecureString $User.Password -AsPlainText -Force) -Enabled $true -Path $OU
        New-Item -Path $HomeDirectory -ItemType Directory -Force

        Start-Sleep -s 1
        # $username was never assigned; use the SamAccountName from the CSV row
        Write-Host -ForegroundColor Green "Følgende attributes bliver sat på usersn $($User.SamAccountName) "

        #PARAM(
        #$Alias
        #)

        $PersonligUserRoot = '\\domain\sys\data\medarbejdere\'
        $HomeDirectory = $PersonligUserRoot + $User.SamAccountName
        $Personal = $PersonligUserRoot + $User.SamAccountName + '\Personligt'

        # Create the folder on the root of the common Users Share
        New-Item -Path $HomeDirectory -ItemType Directory -Force

        $Domain = 'domain'
        $IdentityReference = $Domain + '\' + $User.SamAccountname

        # pause for 15 seconds for AD
        Write-Host -ForegroundColor Green '15 Sekunders pause for oprettelse af Home Directory'
        Start-Sleep -s 15

        New-Item -Path $Personal -ItemType Directory -Force

        # pause for 15 seconds for AD
        Write-Host -ForegroundColor Green '15 Sekunders pause for oprettelse af mappen Personligt'
        Start-Sleep -s 15

        # NTFS rights for the user are defined and set on the home folder and subfolder.
        # ContainerInherit + InheritOnly (the original values) gives an ACE that applies to
        # subfolders only, not to the folder itself and not to files. The target state listed
        # above is ContainerInherit, ObjectInherit with PropagationFlags None.
        $UserRights = [System.Security.AccessControl.FileSystemRights]"Modify"
        $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
        $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
        $objType = [System.Security.AccessControl.AccessControlType]::Allow
        $objUser = New-Object System.Security.Principal.NTAccount("$IdentityReference")
        $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $UserRights, $InheritanceFlag, $PropagationFlag, $objType)

        $objACL = Get-Acl "$HomeDirectory"
        $objACL.AddAccessRule($objACE)
        Set-Acl "$HomeDirectory" $objACL

        # NTFS rights for RDAT_AlleFastAnsatte are removed from the Personligt folder.
        # Left commented out: RemoveAccessRule cannot remove an ACE that is inherited from the
        # parent folder. Inheritance on Personligt has to be disabled first with
        # $objACLP.SetAccessRuleProtection($true, $true); the copied (now explicit) ACE can then be removed.

        #$PersonligtRights = [System.Security.AccessControl.FileSystemRights]"ReadAndExecute,Synchronize"
        #$InheritanceFlagP = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
        #$PropagationFlagP = [System.Security.AccessControl.PropagationFlags]::None
        #$objTypeP = [System.Security.AccessControl.AccessControlType]::Allow
        #$objUserP = New-Object System.Security.Principal.NTAccount("domain\RDAT_AlleFastAnsatte")
        #$objACEP = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUserP, $PersonligtRights, $InheritanceFlagP, $PropagationFlagP, $objTypeP)
        #$objACLP = Get-Acl "$Personal"
        #$objACLP.RemoveAccessRule($objACEP)
        #Set-Acl "$Personal" $objACLP

        # NTFS rights for NT AUTHORITY\SYSTEM are defined and set on the Personligt folder.
        # [Enum]::"A,B" is a static member lookup and fails for a combined value; cast the string instead.
        $NTRights = [System.Security.AccessControl.FileSystemRights]"ReadExtendedAttributes,ReadAttributes,ReadPermissions,Synchronize"
        $InheritanceFlagNT = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
        $PropagationFlagNT = [System.Security.AccessControl.PropagationFlags]::None
        $objTypeNT = [System.Security.AccessControl.AccessControlType]::Allow
        $objUserNT = New-Object System.Security.Principal.NTAccount("NT AUTHORITY\SYSTEM")
        $objACENT = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUserNT, $NTRights, $InheritanceFlagNT, $PropagationFlagNT, $objTypeNT)

        $objACLNT = Get-Acl "$Personal"
        $objACLNT.AddAccessRule($objACENT)
        Set-Acl "$Personal" $objACLNT
    }

    Regards

    CarstenR


    Carsten

    Thursday, January 02, 2014 2:18 PM
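An added example, not part of the thread and not the original poster's script, that produces the two "as it should be" ACLs listed in the question and then reads them back to check. Domain, group names and share root are taken from the question; the user name is a placeholder, and the `SetOwner` call follows the second reply's suggestion. Everything else (the `New-Ace` and `Test-FolderAcl` helpers) is this example's own.

```powershell
# Added example (not the thread's code). Assumes the share and groups from the question exist.
$Domain     = 'domain'
$SamAccount = 'USERNAME_PLACEHOLDER'              # placeholder: one SamAccountName from the CSV
$HomeDir    = Join-Path '\\domain\sys\data\medarbejdere' $SamAccount   # $Home is reserved in PowerShell
$Personal   = Join-Path $HomeDir 'Personligt'

$UserId   = [System.Security.Principal.NTAccount]"$Domain\$SamAccount"
$AdminId  = [System.Security.Principal.NTAccount]"$Domain\RDAT_FolderAdmin"
$SystemId = [System.Security.Principal.NTAccount]'NT AUTHORITY\SYSTEM'

# Every target ACE is "this folder, subfolders and files": CI+OI, no InheritOnly, no NoPropagate.
$CIOI  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$NoneP = [System.Security.AccessControl.PropagationFlags]::None
$Allow = [System.Security.AccessControl.AccessControlType]::Allow

# Helper (assumed, not from the thread): one Allow ACE with the flags above.
function New-Ace {
    param([System.Security.Principal.NTAccount]$Identity, [string]$Rights)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, ([System.Security.AccessControl.FileSystemRights]$Rights), $CIOI, $NoneP, $Allow
}

New-Item -Path $HomeDir  -ItemType Directory -Force | Out-Null
New-Item -Path $Personal -ItemType Directory -Force | Out-Null

# Folder 1: keep the ACEs inherited from the share root, add the user's explicit Modify ACE.
$homeAcl = Get-Acl -Path $HomeDir
$homeAcl.SetOwner($UserId)                           # user owns the home folder (reply above)
$homeAcl.AddAccessRule((New-Ace $UserId 'Modify'))
Set-Acl -Path $HomeDir -AclObject $homeAcl

# Folder 2: an inherited ACE (RDAT_AlleFastAnsatte) cannot be removed with RemoveAccessRule.
# Cut inheritance first; $false discards the inherited ACEs instead of copying them, so the
# folder ends up with exactly the three explicit ACEs the question lists (IsInherited = False).
$personalAcl = Get-Acl -Path $Personal
$personalAcl.SetAccessRuleProtection($true, $false)
$personalAcl.SetOwner($UserId)
$personalAcl.AddAccessRule((New-Ace $SystemId 'ReadExtendedAttributes,ReadAttributes,ReadPermissions'))
$personalAcl.AddAccessRule((New-Ace $AdminId  'FullControl'))
$personalAcl.AddAccessRule((New-Ace $UserId   'Modify'))
Set-Acl -Path $Personal -AclObject $personalAcl

# Helper (assumed): read the ACL back and check identity, rights, flags and inheritance state.
# $Expected maps an identity string to a hashtable with Rights and Inherited.
function Test-FolderAcl {
    param([string]$Path, [hashtable]$Expected)
    $rules = (Get-Acl -Path $Path).Access
    foreach ($id in $Expected.Keys) {
        $want = [System.Security.AccessControl.FileSystemRights]$Expected[$id].Rights
        $rule = $rules | Where-Object {
            $_.IdentityReference.Value -eq $id -and (($_.FileSystemRights -band $want) -eq $want)
        } | Select-Object -First 1
        if (-not $rule) { return "missing ACE for $id on $Path" }
        if ($rule.InheritanceFlags -ne $CIOI -or $rule.PropagationFlags -ne $NoneP) {
            return "$id on $Path has flags $($rule.InheritanceFlags)/$($rule.PropagationFlags)"
        }
        if ($rule.IsInherited -ne $Expected[$id].Inherited) {
            return "$id on $Path has IsInherited=$($rule.IsInherited)"
        }
    }
    # Anything the expected list does not mention is a leftover ACE (e.g. RDAT_AlleFastAnsatte).
    $extra = $rules | Where-Object { $Expected.Keys -notcontains $_.IdentityReference.Value }
    if ($extra) { return "unexpected ACE for $($extra[0].IdentityReference.Value) on $Path" }
    return 'ok'
}

Test-FolderAcl -Path $HomeDir -Expected @{
    "$Domain\$SamAccount"          = @{ Rights = 'Modify';                 Inherited = $false }
    "$Domain\RDAT_FolderAdmin"     = @{ Rights = 'FullControl';            Inherited = $true  }
    "$Domain\RDAT_AlleFastAnsatte" = @{ Rights = 'ReadAndExecute';         Inherited = $true  }
}
Test-FolderAcl -Path $Personal -Expected @{
    'NT AUTHORITY\SYSTEM'          = @{ Rights = 'ReadExtendedAttributes,ReadAttributes,ReadPermissions'; Inherited = $false }
    "$Domain\RDAT_FolderAdmin"     = @{ Rights = 'FullControl';            Inherited = $false }
    "$Domain\$SamAccount"          = @{ Rights = 'Modify';                 Inherited = $false }
}
```

Both `Test-FolderAcl` calls should return `ok`; any other string names the first ACE that differs from the target state, which is the check worth running before the script is let loose on a CSV of users. `SetOwner` to an account other than the caller needs the "Restore files and directories" privilege (Administrators or Backup Operators on the file server); without it `Set-Acl` refuses the owner change, so either run as an account that has it or drop the two `SetOwner` lines.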