This script set the access list on all user home folders (user home folders name = user name) located on the network share \\server\homeroot. The script tasks are the following :

  • list user home folders
  • check if the username exists in AD
  • get current access list
  • remove the security right Everyone Full Control
  • add builtin administrators with Full Control
  • add the user with Modify right and set the ownership on their folders

The reference table flags of the object System.Security.AccessControl.FileSystemAccessRule is :

Subfolders and Files only InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly
This Folder, Subfolders and Files    InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit, PropagationFlags.None
This Folder, Subfolders and Files InheritanceFlags.ContainerInherit, InheritanceFlags.ObjectInherit, PropagationFlags.NoPropagateInherit
This folder and subfolders InheritanceFlags.ContainerInherit, PropagationFlags.None
Subfolders only InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly
This folder and files InheritanceFlags.ObjectInherit, PropagationFlags.None
This folder and files InheritanceFlags.ObjectInherit, PropagationFlags.NoPropagateInherit

Script (with Microsoft Active Directory module loaded : import-module activedirectory) :

$rootfolder = Get-ChildItem -Path \\server\homeroot
foreach ($userfolder in $rootfolder) {
	$userfolder.FullName
	If (get-aduser "$userfolder") {
		Get-Acl $userfolder.FullName | Format-List
		$acl_var = Get-Acl $userfolder.FullName
		$acl_var.SetAccessRuleProtection($True, $False)
		$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
		$acl_var.RemoveAccessRuleAll($rule)
		$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
		$acl_var.AddAccessRule($rule)
		$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userfolder.Name,"Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
		$acl_var.AddAccessRule($rule)
		$acct=New-Object System.Security.Principal.NTAccount("DOMAINNAME",$userfolder.name)
		$acl_var.SetOwner($acct)
		Set-Acl $userfolder.FullName $acl_var
		Get-Acl $userfolder.FullName | Format-List
	}
}

Script (with Quest Active Directory module) :

$rootfolder = Get-ChildItem -Path \\server\homeroot
foreach ($userfolder in $rootfolder) {
	$userfolder.FullName
	If (get-qaduser "DOMAINNAME\$userfolder") {
		Get-Acl $userfolder.FullName | Format-List
		$acl_var = Get-Acl $userfolder.FullName
		$acl_var.SetAccessRuleProtection($True, $False)
		$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
		$acl_var.RemoveAccessRuleAll($rule)
		$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
		$acl_var.AddAccessRule($rule)
		$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userfolder.Name,"Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
		$acl_var.AddAccessRule($rule)
		$acct=New-Object System.Security.Principal.NTAccount("DOMAINNAME",$userfolder.name)
		$acl_var.SetOwner($acct)
		Set-Acl $userfolder.FullName $acl_var
		Get-Acl $userfolder.FullName | Format-List
	}
}
Set folders ACL (owner and NTFS rights)

Leave a Reply

Your email address will not be published. Required fields are marked *