Scripting for users home folder new subdirectory

    General discussion

  • We have an upcoming archiving project which will
    archive, stub and remove the contents of our users' home folders (U:\ drive).
    There is an option to exclude a private folder. I've been able to create a new
    folder in a user's home folder which they cannot rename or remove but they have
    full control of the contents of the new private folder which will not be
    archived.

    The private folder permissions are set as follows:
    • No inheritance
    • Domain Admin = Allow Full Control
    • %username% = Deny everything except "List folder / read data", "Create files
      / write data", "Create folders / append data" and "Delete Subfolders and files"
      (This folder only)
    • %username% = Allow Full Control (Subfolders and files only)

    I need to be able to replicate the creation of this private folder to all of our users
    and lock down the folder so that only the Domain Admins can remove or rename the
    folder from their U:\ drive. The users need to be able to store whatever they do
    not want archived in this folder.

    I'm new to scripting and could use some
    assistance. Can anyone offer any suggestions?
    Thursday, October 31, 2013 8:10 PM

All replies

  • Hi. First, this question is more of a scripting than a fileserver question, so I suggest the scripting forums instead. BUT I will try to help you.

    I wrote a small script with a blog entry on my blog.

    # Requires the ActiveDirectory module (RSAT)
    Import-Module ActiveDirectory

    # All AD users that have a home directory set
    $Users = Get-ADUser -Filter * -Properties homedirectory | ? {$_.homedirectory -ne $Null}
    ForEach($User in $Users)
    {
     # Domain Admins: full control of this folder, subfolders and files
     $ace1 = New-Object System.Security.AccessControl.FileSystemAccessRule ('file.local\Domain Admins', 'FullControl', ('ContainerInherit','ObjectInherit'), 'None','Allow')
     # User: full control of subfolders and files only (InheritOnly)
     $ace2 = New-Object System.Security.AccessControl.FileSystemAccessRule ($User.SID, 'FullControl', ('ContainerInherit','ObjectInherit'),'InheritOnly','Allow')
     # User: read and execute on the Private folder itself (this folder only)
     $ace3 = New-Object System.Security.AccessControl.FileSystemAccessRule ($User.SID, 'ReadAndExecute', 'None', 'None','Allow')
     $HomeFolder = ($user.homedirectory+'\Private')
     New-Item -Type Directory $HomeFolder|Out-Null
     $acl = Get-ACL -Path $HomeFolder
     $acl.AddAccessRule($ace1)
     $acl.AddAccessRule($ace2)
     $acl.AddAccessRule($ace3)
     # Disable inheritance and discard the inherited entries
     $acl.SetAccessRuleProtection($True, $False)
     Set-Acl -Path $HomeFolder -AclObject $acl
    }





    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. Even if you are not the author of a thread you can always help others by voting as Helpful. This can be beneficial to other community members reading the thread.


    Oscar Virot

    Friday, November 01, 2013 3:43 PM
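
The permission list from the question, expressed as access rules: an added example that is not part of the thread or of the script posted above. The function name, the `testuser` account and the extra Allow entry on the folder itself are assumptions; the group name is the one used in the posted script.

```powershell
Import-Module ActiveDirectory

function Set-PrivateFolderAcl {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,   # existing Private folder
        [Parameter(Mandatory = $true)] [System.Security.Principal.IdentityReference] $User,
        [string] $AdminGroup = 'file.local\Domain Admins'
    )
    $fsr  = [System.Security.AccessControl.FileSystemRights]
    $Rule = 'System.Security.AccessControl.FileSystemAccessRule'

    # Rights the question leaves to the user on the folder itself
    $keep = [int]$fsr::ListDirectory -bor [int]$fsr::CreateFiles -bor
            [int]$fsr::CreateDirectories -bor [int]$fsr::DeleteSubdirectoriesAndFiles
    # "Deny everything except": Full Control minus the kept rights. Synchronize is
    # excluded from the Deny because almost every open of the folder requests it.
    $denyMask = [int]$fsr::FullControl -band (-bnot ($keep -bor [int]$fsr::Synchronize))

    $rules = @(
        # Domain Admin = Allow Full Control (this folder, subfolders and files)
        (New-Object $Rule $AdminGroup, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'),
        # %username% = Deny everything except the four kept rights (This folder only)
        (New-Object $Rule $User, ($fsr.ToObject($fsr, $denyMask)), 'None', 'None', 'Deny'),
        # %username% = Allow Full Control (Subfolders and files only)
        (New-Object $Rule $User, 'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow'),
        # Assumption, not in the question's list: an inherit-only entry never applies to
        # the folder itself, so the kept rights get their own Allow (the role of $ace3).
        (New-Object $Rule $User, ($fsr.ToObject($fsr, $keep)), 'None', 'None', 'Allow')
    )

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)      # "No inheritance"
    # Clear explicit entries left by an earlier run so the result is repeatable
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRuleSpecific($_) }
    $rules | ForEach-Object { $acl.AddAccessRule($_) }

    if ($PSCmdlet.ShouldProcess($Path, 'Replace ACL')) { Set-Acl -Path $Path -AclObject $acl }
    # Return the entries so they can be reviewed, also under -WhatIf
    $acl.Access | Select-Object IdentityReference, AccessControlType, FileSystemRights,
                                InheritanceFlags, PropagationFlags
}

# One test account first ('testuser' is a placeholder); -WhatIf writes nothing
$u = Get-ADUser -Identity 'testuser' -Properties HomeDirectory
Set-PrivateFolderAcl -Path (Join-Path $u.HomeDirectory 'Private') -User $u.SID -WhatIf
```

Compare the returned entries with the Security tab of the manually built folder before running it without `-WhatIf` across all users.
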
  • Thank you.  I also posted the same query in the Scripting Center.  I wanted to cover my bases by posting in several locations where someone may be able to assist.  I'll try to tweak the script you provided to run in a test environment to see if it will get me what I'm looking for.
    Monday, November 04, 2013 5:00 PM
  • I hope it helps.

    In the future, don't cross-post to several areas at once. Link to Scripting center question.





    Oscar Virot

    Monday, November 04, 2013 5:08 PM
  • Hi,

    As Oscar said, it is a script-related topic, so I suggest continuing the discussion in the Script Center forum. Thank you for your time!


    If you have any feedback on our support, please send to tnfsl@microsoft.com.

    Wednesday, November 06, 2013 7:44 AM
    Moderator