This script sets the access control list on every user home folder (the folder name equals the user name) located on the network share \\server\homeroot. The script performs the following tasks:
- list the user home folders
- check that the user name exists in Active Directory
- get the current access list
- remove the Everyone / Full Control entry
- add the built-in Administrators group with Full Control
- add the user with Modify rights and make the user the owner of their folder
The reference table for the inheritance and propagation flags of System.Security.AccessControl.FileSystemAccessRule (the "applies to" setting shown in the Windows security dialog) is:

| Applies to | InheritanceFlags | PropagationFlags |
|---|---|---|
| Subfolders and Files only | ContainerInherit, ObjectInherit | InheritOnly |
| This Folder, Subfolders and Files | ContainerInherit, ObjectInherit | None |
| This Folder, Subfolders and Files | ContainerInherit, ObjectInherit | NoPropagateInherit |
| This folder and subfolders | ContainerInherit | None |
| Subfolders only | ContainerInherit | InheritOnly |
| This folder and files | ObjectInherit | None |
| This folder and files | ObjectInherit | NoPropagateInherit |

NoPropagateInherit limits the inheritance to the immediate children of the folder (the "only within this container" option of the dialog), which is why two rows share the same label.
Script (with the Microsoft Active Directory module loaded: Import-Module ActiveDirectory):

```powershell
# Requires the Microsoft Active Directory module: Import-Module ActiveDirectory
$rootfolder = Get-ChildItem -Path \\server\homeroot -Directory   # home folders only, skip stray files

foreach ($userfolder in $rootfolder) {
    $userfolder.FullName
    # Only touch folders whose name matches an existing AD user;
    # -ErrorAction SilentlyContinue keeps a missing account from aborting the loop
    if (Get-ADUser -Identity $userfolder.Name -ErrorAction SilentlyContinue) {
        Get-Acl $userfolder.FullName | Format-List    # ACL before the change

        $acl_var = Get-Acl $userfolder.FullName
        # Stop inheriting from the share root and discard the inherited entries
        $acl_var.SetAccessRuleProtection($True, $False)

        # Remove every Allow entry for Everyone (RemoveAccessRuleAll matches on identity and type, not on rights)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl_var.RemoveAccessRuleAll($rule)

        # Administrators: Full Control on this folder, subfolders and files
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl_var.AddAccessRule($rule)

        # The user: Modify on this folder, subfolders and files
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userfolder.Name, "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl_var.AddAccessRule($rule)

        # Make the user the owner (assigning ownership to another account needs the Restore privilege, which administrators hold)
        $acct = New-Object System.Security.Principal.NTAccount("DOMAINNAME", $userfolder.Name)
        $acl_var.SetOwner($acct)

        Set-Acl $userfolder.FullName $acl_var
        Get-Acl $userfolder.FullName | Format-List    # ACL after the change
    }
}
```
Script (with the Quest Active Directory module):

```powershell
# Requires the Quest Active Directory module (Get-QADUser)
$rootfolder = Get-ChildItem -Path \\server\homeroot -Directory   # home folders only, skip stray files

foreach ($userfolder in $rootfolder) {
    $userfolder.FullName
    # Only touch folders whose name matches an existing AD user
    if (Get-QADUser "DOMAINNAME\$($userfolder.Name)") {
        Get-Acl $userfolder.FullName | Format-List    # ACL before the change

        $acl_var = Get-Acl $userfolder.FullName
        # Stop inheriting from the share root and discard the inherited entries
        $acl_var.SetAccessRuleProtection($True, $False)

        # Remove every Allow entry for Everyone (RemoveAccessRuleAll matches on identity and type, not on rights)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl_var.RemoveAccessRuleAll($rule)

        # Administrators: Full Control on this folder, subfolders and files
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl_var.AddAccessRule($rule)

        # The user: Modify on this folder, subfolders and files
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userfolder.Name, "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl_var.AddAccessRule($rule)

        # Make the user the owner (assigning ownership to another account needs the Restore privilege, which administrators hold)
        $acct = New-Object System.Security.Principal.NTAccount("DOMAINNAME", $userfolder.Name)
        $acl_var.SetOwner($acct)

        Set-Acl $userfolder.FullName $acl_var
        Get-Acl $userfolder.FullName | Format-List    # ACL after the change
    }
}
```
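As an added example (not part of the original post), here is a read-only audit that complements the two scripts: it decodes each entry's InheritanceFlags and PropagationFlags into the "applies to" wording of the flag table, and reports home folders that drift from the state the scripts are meant to produce (Everyone still present, inheritance from the share root still enabled, a Deny entry, an owner or rights that differ from the target, a folder with no matching account). The share path, the DOMAINNAME placeholder and the Microsoft Active Directory module are assumed to be the same as in the post; the function names Get-AppliesTo and Test-HomeFolderAcl are my own. Nothing is modified, so it can run before and after the scripts.

```powershell
# Added audit example, not the original post's script. Assumes the same share path,
# the DOMAINNAME placeholder and the Microsoft Active Directory module as the post.
Import-Module ActiveDirectory

$HomeRoot   = '\\server\homeroot'   # assumption: same share as the post
$DomainName = 'DOMAINNAME'          # placeholder, as in the post

# Translate InheritanceFlags/PropagationFlags into the "applies to" wording of the flag table
function Get-AppliesTo {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $ci = $Rule.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    $oi = $Rule.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $io = $Rule.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
    $np = $Rule.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::NoPropagateInherit)

    $children = if ($ci -and $oi) { 'subfolders and files' }
                elseif ($ci)      { 'subfolders' }
                elseif ($oi)      { 'files' }
                else              { $null }

    if (-not $children) { return 'This folder only' }
    $label = if ($io) { "$children only" } else { "This folder, $children" }
    if ($np) { $label += ' (one level only)' }   # NoPropagateInherit stops at the immediate children
    return $label
}

# Check one home folder against the state the scripts above are meant to produce
function Test-HomeFolderAcl {
    param([System.IO.DirectoryInfo]$Folder)
    $findings      = @()
    $expectedOwner = "$DomainName\$($Folder.Name)"
    # Allow rules get Synchronize added automatically, so Modify reads back as Modify + Synchronize
    $modify        = [System.Security.AccessControl.FileSystemRights]::Modify -bor [System.Security.AccessControl.FileSystemRights]::Synchronize
    $fullControl   = [System.Security.AccessControl.FileSystemRights]::FullControl

    if (-not (Get-ADUser -Identity $Folder.Name -ErrorAction SilentlyContinue)) {
        $findings += 'No matching AD user (orphaned home folder)'
    }

    $acl = Get-Acl -Path $Folder.FullName
    if (-not $acl.AreAccessRulesProtected) { $findings += 'Still inherits permissions from the share root' }
    if ($acl.Owner -ne $expectedOwner)     { $findings += "Owner is '$($acl.Owner)', expected '$expectedOwner'" }

    foreach ($ace in $acl.Access) {
        $who  = $ace.IdentityReference.Value
        $desc = "$who $($ace.AccessControlType) $($ace.FileSystemRights), $(Get-AppliesTo -Rule $ace)"
        if ($ace.AccessControlType -eq 'Deny') { $findings += "Deny entry: $desc"; continue }
        switch ($who) {
            'Everyone'                { $findings += "Everyone entry still present: $desc" }
            'BUILTIN\Administrators'  { if ($ace.FileSystemRights -ne $fullControl) { $findings += "Unexpected rights: $desc" } }
            { $_ -eq $expectedOwner } { if ($ace.FileSystemRights -ne $modify)      { $findings += "Unexpected rights: $desc" } }
            default                   { $findings += "Unexpected principal: $desc" }
        }
    }

    [pscustomobject]@{ Folder = $Folder.Name; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Report only the folders that need attention; nothing is modified
Get-ChildItem -Path $HomeRoot -Directory |
    ForEach-Object { Test-HomeFolderAcl -Folder $_ } |
    Where-Object { -not $_.Compliant } |
    Format-List Folder, Findings
```

Run it from an account that can read the ACLs of every home folder. A folder that the scripts processed correctly produces no output; each line of Findings for the others names the principal, the rights and the decoded "applies to" scope, which makes it straightforward to compare against the flag table.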
Set folders ACL (owner and NTFS rights)