Tuesday, February 26, 2013 7:36 PM
Powershell newbie here.
We are trying to automate the creation and permissioning of user folders, so that our techs do not have to do this manually.
I would like to create a PS script which will:
1. Create a directory based on a tech's input of the file path and the name of the directory.
2. Permission that directory based on the tech's input of the NAME, with inheritance from the parent and full control to the NAME that is input by the tech.
The user runs the script. It asks where the directory should be created (tech inputs location), and then it asks for the directory name (tech inputs name). The name will be the same as the user's AD account name.
So far, I have figured out the creation part of the script:
New-Item -Path (Read-Host -Prompt "Folder Path") -Name (Read-Host -Prompt "Username") -ItemType Directory
This works fine, and creates the folder with inheritance. I am having a hard time trying to figure out how to set permissions based on the input of the NAME though.
I tried to create some variables that might help, but to no avail, as I cannot figure out how to set "Username" (above) to get full control.
These are the variables I attempted...
$directory = Read-Host "Folder Path"   # not sure how to set this based on the input
$username  = Read-Host "Username"      # also not sure on this one
$acl = Get-Acl $directory
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($username,"FullControl","Allow")
$acl.SetAccessRule($Ar)   # the rule has to be added to the ACL object before it is written back
Set-Acl $directory $acl
Any help is greatly appreciated. Thanks!
Tuesday, February 26, 2013 9:47 PM
Just use it this way:
$directory='c:\test'
$username='domain\userid'
$NTPrinciple=[system.security.principal.ntaccount]$username
# Inheritance flags make the rule apply to subfolders and files; propagation 'None' keeps it on this folder too
$ace=New-Object system.security.accesscontrol.filesystemaccessrule($NTPrinciple,'FullControl','ContainerInherit,ObjectInherit','None','Allow')
$acl = Get-Acl $directory
$acl.SetAccessRule($ace)
Set-Acl $directory $acl
- Edited by jrv (Microsoft Community Contributor) Tuesday, February 26, 2013 9:49 PM
- Marked As Answer by Bill_Stewart (Microsoft Community Contributor, Moderator) Thursday, March 28, 2013 5:58 PM
Tuesday, February 26, 2013 10:44 PM
Thanks for the reply, but I am not sure how that will work for our set up.
The first 2 variables are using predefined values, yes?
In our case, the $directory will be dynamic. We cannot pre-populate the script with a path. The string input will dictate the path.
The $username will be based on another string input, the name of the user. The domain is never referenced in the script.
The script would depend on the input of the username being 100% correct, or it would not work. If the username was off by a letter, the system would not know which account should be allowed/denied, etc. Example: If the directory is supposed to be called "John Doe" (a valid AD account), but it is accidentally input as "Jon Doe" (not a valid AD account), I would think the script would error out, as it does not know who "Jon Doe" is...
I am beginning to wonder if this is not possible without referencing AD in some way, so that the script knows that the $username is a valid AD account. If this is the case, how can I do that without having to set predefined variables? This script needs to be "universal", so to speak.
- Edited by J7WB Tuesday, February 26, 2013 10:45 PM
Tuesday, February 26, 2013 11:10 PM (Moderator)
Why not use script parameters instead of requesting typed input? In this way the script can be automated by reading input from another file, for example.
To answer your other question, yes it is possible to check whether a user account already exists in AD. Get-ADUser or Get-ADObject (among other things) can tell you that.
Tuesday, February 26, 2013 11:41 PM
Unfortunately, something like a .csv will not work for us. The script needs to completely stand alone. We are trying to get our techs away from the GUI, and only use the scripts. There can be no maintenance as users, etc change, hence the need for the string input.
I think I may do the creation piece this way -
$directory = Read-Host "Enter Path"
$username = Read-Host "Enter Username"
# Create and name directory
New-Item -Path $directory -Name $username -ItemType Directory
I am wondering if I am on the right track by then setting permissions in the following way (from reply above)..?
$NTPrinciple=[system.security.principal.ntaccount]$username
$ace=New-Object system.security.accesscontrol.filesystemaccessrule($NTPrinciple,'FullControl','ContainerInherit,ObjectInherit','None','Allow')
$acl = Get-Acl $directory
$acl.SetAccessRule($ace)
Set-Acl $directory $acl
Although, I am not sure about the $NTPrinciple variable. In the reply above, the example is using a domain account (domain\userid) to equal $NTPrincipal. That seems like a static value, which I cannot use.
Wednesday, February 27, 2013 12:26 AM
You are well onto the right track however the NTPrincipal MUST be domain\userid form or it will not resolve correctly except when executed on a domain controller.
You can get the current domain and add it after the operator enters the user ID. You might also like to validate the name.
... do work
... user not valid
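A complete, parameterised version of the procedure this thread converges on (script parameters instead of Read-Host, the domain prefix added for the operator, the name validated before anything is created, and Full Control with inheritance set on the new folder rather than on its parent). This is an added example, not code from the thread; it assumes a domain-joined machine where $env:USERDOMAIN is the NetBIOS domain of the account being granted, and that the caller may create the folder and change its ACL.

```powershell
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$ParentPath,   # where the user folder is created, e.g. \\fileserver\users (constructed)
    [Parameter(Mandatory = $true)]
    [string]$Username      # AD account name; the folder gets the same name
)

# Build DOMAIN\user from the running account's domain instead of hard-coding it
# (assumption: the target user lives in the same domain as the tech running the script).
$domain  = $env:USERDOMAIN
$account = New-Object System.Security.Principal.NTAccount($domain, $Username)

# Validate before touching the file system: Translate() fails if the name does not
# resolve, so a typo ("Jon Doe" for "John Doe") aborts instead of leaving an unresolvable
# ACE or granting access to the wrong principal. Needs no ActiveDirectory module.
try {
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
} catch {
    throw "Account '$domain\$Username' does not resolve; nothing was created."
}

# Create the folder and refuse to re-permission one that already exists.
$folder = Join-Path -Path $ParentPath -ChildPath $Username
if (Test-Path -LiteralPath $folder) {
    throw "Folder '$folder' already exists; not changing its permissions."
}
$null = New-Item -Path $ParentPath -Name $Username -ItemType Directory -ErrorAction Stop

# Grant Full Control on the new folder itself (not on $ParentPath), inherited by
# subfolders and files; the ACE is stored by SID, so a later account rename still resolves.
$rights      = [System.Security.AccessControl.FileSystemRights]::FullControl
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$type        = [System.Security.AccessControl.AccessControlType]::Allow
$ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $sid, $rights, $inheritance, $propagation, $type

$acl = Get-Acl -Path $folder
$acl.SetAccessRule($ace)     # replaces any existing ACE for this identity, touches no others
Set-Acl -Path $folder -AclObject $acl

Write-Output "Created $folder and granted $domain\$Username Full Control."
```

Because the folder inherits from its parent, the user gets this explicit Full Control entry on top of whatever the parent already grants; check the parent's ACL separately if it is broader than intended.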