Microsoft Identity Manager Home Drive Provisioning Associated Blog https://blog.darrenjrobinson.com/provisioning-home-directories-for-active-directory-users-with-fim-mim-using-the-granfeldt-powershell-management-agent/
# Credentials handed in by the management agent for the LDAP bind in PROCESS.
# They appear to arrive as plain strings, so keep tracing/transcripts off for
# this script and never write them to the debug log.
param ($Username, $Password)
BEGIN
{
    # Debug log lives under the PSMA extension folder; an 8.3 short-name path is
    # used here (MICROS~4 depends on install order on the host — TODO confirm).
    $DebugFilePath = "C:\PROGRA~1\MICROS~4\2010\SYNCHR~1\EXTENS~2\HomeDir\homefolder\DebugHomeFolderMA.txt"
    # Reuse the existing log file, creating it only on first run.
    $DebugFile = if (Test-Path -LiteralPath $DebugFilePath) {
        Get-Item -LiteralPath $DebugFilePath
    } else {
        New-Item -Path $DebugFilePath -ItemType File
    }
    $opening = "Starting Export : " + (Get-Date)
    $opening | Out-File -FilePath $DebugFile -Append
}
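PROCESS
{
    # One pipeline record = one connector-space object to export. The PROCESS
    # block runs in the same scope for every record, so every per-record value
    # is reset here. In particular $homeFolderPath / $homeDrive are only
    # assigned further down when that attribute changed in the record; without
    # a reset the previous user's folder and drive would be applied to this one.
    $Identifier = $_.Identifier
    $objectGuid = $_.DN          # used as the objectGUID in the LDAP bind below
    $error.clear()
    $ErrorName = "success"
    $ErrorDetail = $null
    $homeFolderPath = $null
    $homeDrive = $null
    # Bind with the MA's service credentials and read the current home-directory
    # attributes. NOTE(review): a failed bind is not detected here; whatever the
    # property reads return is treated as the user's current state, and $null
    # would look like "no home directory yet" to the main section — confirm.
    $curUser = New-Object System.DirectoryServices.DirectoryEntry "LDAP://<GUID=$objectGuid>", $Username, $Password
    $curHomeDirectory = $curUser.homeDirectory.Value
    $curHomeDrive = $curUser.homeDrive.Value
    $account = $curUser.sAMAccountName.Value
    # Per-record trace for the debug log.
    "Processing : " + $_.DN | Out-File $DebugFile -Append
    "No of Changes : " + $_.ChangedAttributeNames.Count | Out-File $DebugFile -Append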
### --- FUNCTIONS --- ###
#NOTE! Function calls from the script will generate output to the pipeline unless caught by a variable.
#This output will be seen as errors when running the MA.
#Call functions using $catch = FunctionName param1 param2
#Function for adding an AccessRule to a folder
#$A = Account in the format "AccountName"
#$F = Folder
#$P = Permission to assign. Modify, Read or FullControl typically
#Inheritance is added by default.
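function AddAccessRule($F, $A, $P)
{
    # Grants account $A the right $P on folder $F, inherited by sub-folders and
    # files, and reports any failure back to the MA result.
    #   $F - DirectoryInfo of the home folder (from New-Item / Get-Item)
    #   $A - account name
    #   $P - FileSystemRights name, e.g. "Modify"
    # Output: nothing intended; callers capture it with $catch = AddAccessRule ...
    # Failure is recorded in the CALLER's $ErrorName / $ErrorDetail (Set-Variable
    # -Scope 1). A plain assignment inside the function only creates a function-
    # local copy that is discarded on return, so the MA would be told "success".
    Try{
        $acl = Get-Acl $F
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($A,$P,"ContainerInherit,ObjectInherit","None","Allow")
        $acl.AddAccessRule($rule)
        # Assign the permissions one level up as when we did the create of the home directory we also created the hdrive subdirectory.
        # NOTE(review): the ACL read from $F is written to its parent. If $homeFolderPath
        # ever points directly below the share root, $A receives $P at that level too —
        # confirm the path shape always includes the hdrive subdirectory.
        # -ErrorAction Stop makes a Set-Acl failure terminating so the Catch below sees it;
        # "-errorvariable $err" passed the value of an unset variable, not a variable name.
        Set-Acl -Path $F.Parent.FullName -AclObject $acl -ErrorAction Stop
    }
    Catch [exception]
    {
        "Error in AddAccessRule" | Out-File $DebugFile -Append
        Set-Variable -Name ErrorName -Value "Script Error" -Scope 1
        Set-Variable -Name ErrorDetail -Value $_.Exception -Scope 1
    }
}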
#Function for setting the homeDirectory and homeDrive attributes on the user in AD
#Dir = Full homeDirectory path in the format \\server\share\username
#Drive = The drive letter to use, e.g. H:
function UpdateUser($Dir,$Drive)
{
    # Writes homeDirectory/homeDrive on $curUser (the DirectoryEntry bound in the
    # PROCESS block) and commits with SetInfo(). An empty $Dir clears both
    # attributes; the drive letter is only kept together with a directory.
    $newDirectory = $null
    $newDrive = $null
    if ($Dir)
    {
        $newDirectory = $Dir
        $newDrive = $Drive
    }
    $curUser.homeDirectory.Value = $newDirectory
    $curUser.homeDrive.Value = $newDrive
    $curUser.SetInfo()
}
### --- End of FUNCTIONS --- ###
### --- MAIN SCRIPT --- ###
#Loop through the changed attributes and pick up the new homeFolderPath / homeDrive values
foreach ($can in $_.ChangedAttributeNames)
{
    foreach ($ValueChange in $_.AttributeChanges[$can].ValueChanges)
    {
        # Only these two attributes drive the export; with several value changes the last one wins.
        if ( $can -eq 'homeFolderPath' ){$homeFolderPath = $ValueChange.Value}
        if ( $can -eq 'homeDrive' ){$homeDrive = $ValueChange.Value}
    }
}
#Verify changetype.
# NOTE(review): both throws below are uncaught terminating errors, so they end the export
# run rather than just failing this record — confirm that is the intended MA behaviour.
if ($_.ObjectModificationType -eq 'Add')
{
    # adds are caught by importing new objects from Active Directory (see import script)
    # and joining these to existing user objects on the metaverse
    throw "Add modification are not supported"
}
if ($_.ObjectModificationType -eq 'Delete')
{
    # deletes are caught by importing deleted objects (isDeleted) from Active
    # Directory (see import script). This way we clear up the CS
    throw "Delete modification are not supported"
}
#Supported ChangeType is Replace
if ($_.ObjectModificationType -match 'Replace')
{
    # Create homedirectory for brand new users only.
    # NOTE(review): $homeFolderPath / $homeDrive are assigned only when that attribute
    # changed in this record; unless they are reset per record in the PROCESS init,
    # they keep the previous pipeline object's value here — verify.
    if(-not($curHomeDirectory) -and $homeFolderPath -and $homeDrive)
    {
        #NewHomeDir
        #Check if folder already Exists
        $exists = Test-Path $homeFolderPath
        if(!$exists)
        {
            #Check if Deleted or Moved folder Exists
            # $parent = everything before the last backslash of the requested path.
            # NOTE(review): if that directory does not exist Get-Item errors and $parent is $null;
            # what Get-ChildItem then enumerates is not checked here — TODO confirm.
            $parent = Get-Item $homeFolderPath.Substring(0,$homeFolderPath.LastIndexOf("\"))
            # NOTE(review): "*$account" is a suffix wildcard, so any sibling folder whose name merely
            # ends in this sAMAccountName (possibly another user's) also matches and suppresses the
            # creation below; an exact or anchored match would be safer — verify the naming convention.
            $existingFolder = Get-ChildItem $parent -Filter *$account
            if(!$existingFolder)
            {
                "Creating new homefolder at " + $homeFolderPath + " for : $account" | Out-File $DebugFile -Append
                $folder = New-Item $homeFolderPath -Type Directory
                # Function output is captured so it is not returned to the MA as an error.
                $catch = AddAccessRule $folder $account "Modify"
                $catch = UpdateUser $homeFolderPath $homeDrive
            }
            # No else branch: when a matching folder is found nothing is created, the user is
            # not updated, and nothing in this block changes $ErrorName, so the record is
            # still reported to the MA as "success".
        }
        else
        {
            #Folder already exists!
            # Update user and permissions
            "Found Existing folder, adding access rule and updating user" | Out-File $DebugFile -Append
            $folder = Get-Item $homeFolderPath
            $catch = AddAccessRule $folder $account "Modify"
            $catch = UpdateUser $homeFolderPath $homeDrive
        }
    }
}
#Return the result to the MA
# Keys in square brackets are the result fields the PSMA reads; [ErrorDetail] is only
# included when something set it.
$obj = @{}
$obj.Add("[Identifier]",$Identifier)
$obj.Add("[ErrorName]",$ErrorName)
if($ErrorDetail){$obj.Add("[ErrorDetail]",$ErrorDetail)}
$obj
}
END
{
    # Closing marker, paired with the "Starting Export" line written in BEGIN.
    $closing = "Ending Export : " + (Get-Date)
    $closing | Out-File -FilePath $DebugFile -Append
}