Powershell New User and Home Folder Permissions

  • Question

  • I am working on a new user script that will create a network account and a home drive (with permissions). But the account will be created on one domain controller on the network, while the home folder will be created on a file server with a different domain controller. 

    The issue I am having is that when the permissions are set, the account is not recognised, as it is not on the domain local to the file server. 

    Do you know how to resolve this, as I would like to automate this entire process? 

    Many thanks in advance. 

    Thursday, September 20, 2018 6:28 PM

All replies

  • Not enough information.

    To use a second domain for file storage (resource domain) you need to have the domains set up correctly and you will have to have admin access to the remote domain.

    Use Group Policy to set the home drive and path and this shouldn't be an issue if you have a correct trust.


    \_(ツ)_/

    Thursday, September 20, 2018 6:32 PM
  • Sorry for the lack of information. I am creating a network account on one domain. PowerShell below.

    Then I use Invoke-Command to connect to the remote file server to create the home folder and set the ACL and share permissions. When I tested this, the script errored saying no mapping can be done for the folder. I think this will be because the new network account has not replicated over to the domain controller which is on the site for the home directory. Script below. 


    Function New-BVStandardUser
    {
        Param (
            $FirstName,
            $LastName,
            $CallRef,
            $SiteName,
            $EmployeeID,
            $ExpiryDate,
            $InternetAccess,
            $ExternalEmailAccess
        )

        $ImportGroups = Import-Csv -Path "\\UKSP-FS01\Lawsonja$\Scripts\New-ADUser\SiteGroups.csv" -Delimiter ","
        $ImportServers = Import-Csv -Path "\\UKSP-FS01\Lawsonja$\Scripts\New-ADUser\SiteServers.csv" -Delimiter ","
        $ImportOUs = Import-Csv -Path "\\UKSP-FS01\Lawsonja$\Scripts\New-ADUser\SiteOUs.csv" -Delimiter ","

        # Convert the first and last name so it does not have special characters for the email address/ UPN
        $LastNameEdit = $LastName -replace '[^a-zA-Z]', ''
        $FirstNameEdit = $FirstName -replace '[^a-zA-Z]', ''

        # Fetch a free username from AD based on the provided first and last name from the user
        $Username = Get-ADUsername -FirstName $FirstNameEdit -LastName $LastNameEdit

        # Generate a random password using the imported module
        $Password = Get-Randompassword

        # Site lookups. The CSVs have one column per site; "$ImportOUs.$SiteName" inside a plain
        # string expands the whole CSV object followed by ".SiteName", so evaluate it outside the string.
        $SiteOU = $ImportOUs.$SiteName
        $SiteServer = $ImportServers.$SiteName

        # Create the AD account based on the inputted fields.
        # New-ADUser has no -DirectoryName or -Comment parameter: the CN is set with -Name and
        # the "comment" attribute goes through -OtherAttributes. -HomeDrive needs the colon ("U:").
        $Params = @{
            Name = "$($LastName), $($FirstName)"
            DisplayName = "$($LastName), $($FirstName)"
            SamAccountName = $Username
            UserPrincipalName = "$FirstNameEdit.$LastNameEdit@Bakkavor.com"
            OtherAttributes = @{ comment = "Created $($env:USERNAME) - $(Get-Date -Format dd/MM/yy) - $($CallRef)" }
            GivenName = $FirstNameEdit
            Surname = $LastNameEdit
            Description = "$($SiteName) User"
            Enabled = $true
            ChangePasswordAtLogon = $true
            Path = $SiteOU
            HomeDirectory = "\\$SiteServer\$Username$"
            HomeDrive = "U:"
            AccountPassword = (ConvertTo-SecureString $Password -AsPlainText -Force)
        }

        try
        {
            New-ADUser @Params -ErrorAction Stop
            Write-Verbose -Verbose "Network Account Created"
        }
        catch
        {
            Write-Warning "Error creating network account. Error: $($_.Exception.Message)"
            # 'break' outside a loop aborts the calling script; leave the function instead
            return
        }

        # Then provision the home folder on the site's file server
        New-BVUDrive -Username $Username -Server $SiteServer
    }


    Function New-BVUDrive
    {
        Param
        (
            $Username,
            $Server
        )

        # Connect to the relevant server in CSV, create new folder, create new SMB Share for the user and add share/ NTFS permissions.
        # The script block must open on the same line as -ScriptBlock; on a line of its own it is parsed as a separate statement.
        Invoke-Command -ComputerName $Server -ArgumentList $Username -ErrorAction Stop -ScriptBlock {
            param($Username)

            $FindShare = (Get-SmbShare -Name 'Users$' -ErrorAction SilentlyContinue).Path

            # $FindShare is a path string (or $null), so test it for a value rather than comparing it to $true
            if ($FindShare)
            {
                try
                {
                    $Path = Join-Path $FindShare $Username
                    New-Item -ItemType Directory -Path $Path -ErrorAction Stop | Out-Null
                    New-SmbShare -Name "$Username$" -Path $Path -FullAccess "AD\Server Admins", "AD\Domain Admins" -ChangeAccess "AD\$Username" -ErrorAction Stop

                    $Acl = Get-Acl $Path

                    # Drop the explicit entries the new folder started with
                    foreach ($Rule in $Acl.Access)
                    {
                        $Acl.RemoveAccessRule($Rule)
                    }

                    # NTFS: the user gets Modify on the folder tree (matching Change on the share), not Everyone/FullControl
                    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("AD\$Username", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
                    $Acl.SetAccessRule($Ar)

                    # Keep inheriting the admin entries from the Users$ root
                    $Acl.SetAccessRuleProtection($false, $true)

                    Set-Acl $Path $Acl -ErrorAction Stop
                }
                catch
                {
                    Write-Warning "U drive failed to create. Error: $($_.Exception.Message)"
                }
            }
            else
            {
                Write-Warning "Users$ share not found on server"
            }
        }
    }


    • Edited by Firefrazzzy Thursday, September 20, 2018 6:40 PM
    Thursday, September 20, 2018 6:39 PM
  • You have still failed to state the issue or error.

    As I noted before.  Use Group Policy to create folders.


    \_(ツ)_/

    Thursday, September 20, 2018 6:45 PM
  • Why not create the account on the DC in the same AD site that the file server lives in? Use the -Server parameter on the New-ADUser cmdlet.

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Thursday, September 20, 2018 6:58 PM
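An added example, not the poster's script or anything from this thread: it does what the reply above suggests (create the account against a writable DC in the file server's AD site) and then, on the file server, writes the NTFS entries by SID, so no account-name lookup is needed before replication has caught up. The name-based check at the end is deliberately last and bounded. The 'Users$' share, the NetBIOS domain name 'AD', the function and parameter names, and the 60-second retry window are assumptions.

```powershell
function New-HomeFolderUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Name,            # CN / display name, e.g. 'Smith, John'
        [Parameter(Mandatory)] [string] $OUPath,
        [Parameter(Mandatory)] [string] $FileServer,      # e.g. 'UKSP-FS01'
        [Parameter(Mandatory)] [string] $SiteName,        # AD site the file server lives in
        [Parameter(Mandatory)] [securestring] $AccountPassword,
        [string] $NetbiosDomain = 'AD',                   # assumed NetBIOS domain name
        [string] $HomeDrive = 'U:'
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # 1. A writable DC in the file server's site: the account is born where the file
    #    server will look it up, so there is no wait on inter-site replication.
    $dc = Get-ADDomainController -Discover -SiteName $SiteName -Writable -Service ADWS
    $dcName = [string]$dc.HostName

    $homeDir = "\\$FileServer\Users$\$SamAccountName"
    $user = New-ADUser -Server $dcName -PassThru -ErrorAction Stop `
        -Name $Name -DisplayName $Name -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$((Get-ADDomain -Server $dcName).DNSRoot)" `
        -Path $OUPath -AccountPassword $AccountPassword -Enabled $true `
        -ChangePasswordAtLogon $true -HomeDrive $HomeDrive -HomeDirectory $homeDir

    # 2. Provision the folder. ACEs are built from SIDs, so the file server never has to
    #    translate a name its own DC may not know yet; admins/SYSTEM use well-known SIDs.
    Invoke-Command -ComputerName $FileServer -ErrorAction Stop `
        -ArgumentList $SamAccountName, $user.SID.Value, $NetbiosDomain -ScriptBlock {
        param($Name, $SidString, $Domain)

        $root = (Get-SmbShare -Name 'Users$' -ErrorAction Stop).Path
        $path = Join-Path $root $Name
        if (Test-Path $path) { throw "Home folder '$path' already exists" }
        $null = New-Item -ItemType Directory -Path $path -ErrorAction Stop

        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        $none    = [System.Security.AccessControl.PropagationFlags]::None
        $allow   = [System.Security.AccessControl.AccessControlType]::Allow
        $userSid = [System.Security.Principal.SecurityIdentifier]$SidString
        $admins  = New-Object System.Security.Principal.SecurityIdentifier(
                       [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
        $system  = New-Object System.Security.Principal.SecurityIdentifier(
                       [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)

        $acl = Get-Acl -Path $path
        # Break inheritance and discard inherited ACEs: only the three explicit ACEs below apply.
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($entry in @(@($system, 'FullControl'), @($admins, 'FullControl'), @($userSid, 'Modify'))) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                        $entry[0], $entry[1], $inherit, $none, $allow)
            $acl.AddAccessRule($rule)
        }
        Set-Acl -Path $path -AclObject $acl -ErrorAction Stop

        # 3. Only now do a name-based check, with a bounded retry, so a lagging DC on this
        #    site surfaces as a clear error instead of "no mapping between account names".
        $account = [System.Security.Principal.NTAccount]"$Domain\$Name"
        for ($i = 0; $i -lt 6; $i++) {
            try {
                $resolved = $account.Translate([System.Security.Principal.SecurityIdentifier])
                if ($resolved.Value -eq $SidString) { return $path }
                throw "'$Domain\$Name' resolved to $($resolved.Value), expected $SidString"
            } catch [System.Security.Principal.IdentityNotMappedException] {
                Start-Sleep -Seconds 10
            }
        }
        throw "'$Domain\$Name' is still not resolvable on $env:COMPUTERNAME after 60 s"
    }
}

# Example call (hypothetical values):
# New-HomeFolderUser -SamAccountName jsmith -Name 'Smith, John' -FileServer UKSP-FS01 `
#     -SiteName 'UKSP' -OUPath 'OU=Users,DC=ad,DC=example,DC=com' `
#     -AccountPassword (Read-Host -AsSecureString 'Initial password')
```

Anything that still has to name the account (a per-user hidden share with -ChangeAccess, group membership done from the file server side) belongs after the translation check succeeds, since those calls do need the file server's DC to resolve the name.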
  • Why not create the account on the DC in the same AD site that the file server lives in? Use the -Server parameter on the New-ADUser cmdlet.

    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    This is normal when AD is set up with "resource domains".  "Resource domains" never host user accounts.  "Account domains" or "security domains", as they are sometimes called, never host resources.


    \_(ツ)_/

    Thursday, September 20, 2018 7:01 PM