Last active
October 13, 2018 03:46
-
-
Save tylerapplebaum/f0452aff05c76c49eb2fcf2190ecea1a to your computer and use it in GitHub Desktop.
Sets the Remote Desktop Services profile path for a user account in Active Directory. Also creates that folder in a share and sets NTFS permissions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [CmdletBinding()] | |
| param ( | |
| [Parameter(HelpMessage="Specify the username")] | |
| [string]$Username, | |
| [Parameter(HelpMessage="Specify the profile root directory")] | |
| [string]$ProfileRoot, | |
| [Parameter(HelpMessage="Specify the full path to log output to")] | |
| [string]$LogPath = "C:\Automate\Set-TSProfilePath-log.txt", | |
| [Parameter(HelpMessage="Specify the Active Directory domain")] | |
| [string]$DomainName, | |
| [Parameter(HelpMessage="Specify the Active Directory service account running the script")] | |
| [string]$ServiceAccount | |
| ) | |
| Function script:Set-TSProfilePath { | |
| Try { #AD module import try/catch | |
| Import-Module ActiveDirectory -ErrorAction Stop -Verbose:$False | |
| } | |
| Catch [Exception] { | |
| Return $_.Exception.Message | |
| } | |
| Try { #Accounts for username not existing in AD case | |
| $User = Get-ADUser -identity $Username -Properties * -ErrorAction Stop -ErrorVariable GetUserError | |
| $LDAPUser = [ADSI]"LDAP://$User" | |
| $LDAPUser.psbase.InvokeSet("TerminalServicesProfilePath","$ProfileRoot\$Username") | |
| } | |
| Catch [Exception] { | |
| $GetUserError | Out-File $LogPath -Encoding UTF8 -Append | |
| Write-Verbose $GetUserError.Message | |
| } | |
| If ($User) { | |
| Try { #Accounts for access denied to OU case | |
| $LDAPUser.SetInfo() | |
| $ProfilePath = $LDAPUser.psbase.InvokeGet("TerminalServicesProfilePath") | |
| $ProfilePath | Out-File $LogPath -Encoding UTF8 -Append | |
| Write-Verbose $ProfilePath | |
| } | |
| Catch [System.Management.Automation.MethodInvocationException] { | |
| $SetInfoErrorMessage = "Access Denied for user $User; check permissions on OU for $ServiceAccount account." | |
| $SetInfoErrorMessage | Out-File $LogPath -Encoding UTF8 -Append | |
| Write-Verbose $SetInfoErrorMessage | |
| } | |
| Catch { #Catch-all for SetInfo problems | |
| $UnknownErrorMessage = "Unknown error. $Username may not exist in Active Directory. Omar comin'." | |
| $UnknownErrorMessage | Out-File $LogPath -Encoding UTF8 -Append | |
| Write-Verbose $UnknownErrorMessage | |
| } | |
| } | |
| Else { | |
| $UserBlankError = "User LDAP information not found for $Username" | |
| Write-Verbose $UserBlankError | |
| } | |
| } #End Set-TSProfilePath | |
| Function script:Create-TSProfileFolder { | |
| $ReadWrite = [System.Security.AccessControl.FileSystemRights]"Modify" | |
| $FullControl = [System.Security.AccessControl.FileSystemRights]"FullControl" | |
| $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit" | |
| $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None | |
| $UserRW = New-Object System.Security.Principal.NTAccount("$DomainName\$Username") | |
| $SvcUserRW = New-Object System.Security.Principal.NTAccount("$DomainName\$ServiceAccount") | |
| $Type = [System.Security.AccessControl.AccessControlType]::Allow | |
| #Construct the NTFS ACL we want to use for the user | |
| $AccessControlEntryRW = New-Object System.Security.AccessControl.FileSystemAccessRule @($UserRW, $readWrite, $inheritanceFlag, $propagationFlag, $type) | |
| #Construct the NTFS ACL we want to use for the service account | |
| $AccessControlEntrySvcUserRW = New-Object System.Security.AccessControl.FileSystemAccessRule @($SvcUserRW, $readWrite, $inheritanceFlag, $propagationFlag, $type) | |
| #Construct the NTFS ACL we want to remove - in this particular case, the share root unfortunately has NTFS permissions for Everyone with Full Control | |
| $AccessControlEntryDefault = New-Object System.Security.AccessControl.FileSystemAccessRule @("Everyone", $FullControl, $inheritanceFlag, $propagationFlag, $type) | |
| $FolderCreation = New-Item -ItemType Directory -Path $ProfileRoot\$Username | Out-File $LogPath -Encoding UTF8 -Append #Create the folder | |
| $FolderInheritance = icacls $ProfileRoot\$Username /inheritance:d | Out-File $LogPath -Encoding UTF8 -Append #Disable inheritance from parent folder | |
| $ObjACL = Get-ACL $ProfileRoot\$Username | |
| $ObjACL.RemoveAccessRuleAll($AccessControlEntryDefault) | |
| $ObjACL.AddAccessRule($AccessControlEntryRW) | |
| $ObjACL.AddAccessRule($AccessControlEntrySvcUserRW) | |
| (Get-Item $ProfileRoot\$Username).SetAccessControl($ObjACL) #Apply the NTFS ACL changes | |
| } | |
| "$(Get-Date) $Username" | Out-File $LogPath -Encoding UTF8 -Append | |
| . Set-TSProfilePath | |
| If ($ProfilePath -match $Username) { | |
| . Create-TSProfileFolder | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment