A script that creates user folders on a shared folder -preferably on a file server- according to a prepared schema. No RSAT or AD module is needed. https://www.reddit.com/r/PowerShell/comments/orki1b/a_simple_and_verbose_script_for_home_folder/
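#Requires -Version 5
# NOTE: the script uses the [Type]::new() constructor syntax throughout, which only exists from
# PowerShell 5.0. With "#Requires -Version 3" a PS 3/4 host passed the check and then failed at
# runtime on the first ::new() call, so the declared minimum now matches the syntax actually used.
<#
.SYNOPSIS
    Creates per-user home folders on a shared folder, with a fixed sub-folder template and a
    locked-down DACL, from a plain text list of sAMAccountNames.

.DESCRIPTION
    Each user gets a home folder containing three template sub-folders:

        Home
        |_ user1
        |_ user2
        |_ user3
        |_ user4
           |_ Documents   work related documents are held here
           |_ Outlook     OST and PST files for cached Exchange mode on Outlook
           |_ Personal    work related personal documents (official requests, drafts, ...)

    The home folder itself is read-only for the user: nothing can be added, deleted, modified or
    renamed directly under it, so the template layout cannot be changed. The template folders
    cannot be deleted or renamed by the user either, but the user can add, modify and remove
    their child items.

    The built-in domain Administrator account (looked up by its well-known RID, so a renamed
    account still resolves), the Domain Admins group and SYSTEM get Full Control; ownership of
    every folder ends up with the Administrator account. For the sake of simplicity Domain Admins
    is used instead of a Tier 1 File Server Admin group.

    No RSAT or ActiveDirectory module is needed: user existence is checked with [adsisearcher].

.NOTES
    Input: "users.txt" next to the script, one sAMAccountName per line. Only names made entirely
    of word characters ([A-Za-z0-9_]) are accepted. That restriction is the input validation the
    LDAP filter and the folder path construction below rely on (no '\', '/', '.', '*', '(' or ')'
    can reach them), so do not relax it without adding proper escaping; it also means names that
    contain '.' or '-' are reported as invalid and skipped.

    Run under a domain account that can create folders and change owners on the share. The
    running account grants itself Full Control only while the DACL is being built and removes
    that grant before the final Set-Acl; assigning ownership to another principal normally needs
    an administrative account on the file server.

    Known limitation: there is no rollback. If Set-Acl fails part-way through a user, the folder
    is left with a partially configured DACL and a re-run skips it because it already exists;
    fix or remove such folders by hand before re-running.
#>

# VARIABLES
$RootPath = "\\serverName\share$\"
$UserListFileName = "users.txt"
# Template sub-folders created under every home folder.
$TemplateFolders = @('Documents', 'Personal', 'Outlook')

### DO NOT TOUCH THE CODE BELOW ###

# Rights the user gets on the home folder itself: read/list only, no write or delete at all.
$HomeFolderUserRights = [System.Security.AccessControl.FileSystemRights[]]@(
    'ReadAndExecute', 'ReadAttributes', 'ListDirectory',
    'ReadPermissions', 'ReadExtendedAttributes', 'Traverse'
)
# Rights the user gets on each template folder: the read set above plus create/modify/delete of
# child items. Note that plain 'Delete' is deliberately absent, so the folder itself cannot be
# deleted or renamed by the user.
$TemplateFolderUserRights = [System.Security.AccessControl.FileSystemRights[]]@(
    'ReadAndExecute', 'ReadAttributes', 'ListDirectory',
    'ReadPermissions', 'ReadExtendedAttributes', 'Traverse',
    'CreateFiles', 'CreateDirectories', 'WriteAttributes',
    'WriteExtendedAttributes', 'DeleteSubdirectoriesAndFiles'
)

# Under 'Stop', Write-Error and any failing cmdlet/method terminate the script.
$ErrorActionPreference = 'Stop'
$StartTime = Get-Date
Write-Output "Process Started At: $($StartTime.ToString('u'))"

#######################################
# Returns $true when a user object with the given sAMAccountName exists in the
# current domain, using an ADSI search so that no AD module is required.
# Arguments: $SamAccountName - name to look up; interpolated into the LDAP filter,
#            so anything that is not a bare word is refused rather than escaped.
# Returns:   $true / $false
#######################################
function Test-DomainUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    # Defence in depth: the caller already filters on '\W', but keep this helper safe on its own.
    if ($SamAccountName -match '\W') {
        return $false
    }
    $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    $results = $searcher.FindAll()
    try {
        return ($results.Count -gt 0)
    }
    finally {
        # SearchResultCollection and DirectorySearcher both hold unmanaged handles.
        $results.Dispose()
        $searcher.Dispose()
    }
}

#######################################
# Builds one Allow FileSystemAccessRule with PropagationFlags None. Wrapped so the
# long constructor call is written once instead of per rule.
# Arguments: $Identity    - "DOMAIN\name" string or an IdentityReference (e.g. a SID)
#            $Rights      - FileSystemRights value
#            $Inheritance - InheritanceFlags value
# Outputs:   the new FileSystemAccessRule
#######################################
function New-FolderAccessRule {
    param(
        [Parameter(Mandatory)] $Identity,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights,
        [Parameter(Mandatory)] [System.Security.AccessControl.InheritanceFlags] $Inheritance
    )
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        $Rights,
        $Inheritance,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

#######################################
# Adds two Allow ACEs for $Identity to $Acl: one inherited by sub-containers and one
# inherited by child objects. Keeping them as separate ACEs (rather than one combined
# ContainerInherit|ObjectInherit ACE) matches the original hand-written rule pairs.
# Arguments: $Acl      - FileSystemSecurity object to modify in place
#            $Identity - principal (string or IdentityReference)
#            $Rights   - FileSystemRights value
# Outputs:   the two rules, so a caller can remove them again later
#######################################
function Add-FolderAccessRulePair {
    param(
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemSecurity] $Acl,
        [Parameter(Mandatory)] $Identity,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights
    )
    $pair = @(
        (New-FolderAccessRule -Identity $Identity -Rights $Rights -Inheritance ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)),
        (New-FolderAccessRule -Identity $Identity -Rights $Rights -Inheritance ([System.Security.AccessControl.InheritanceFlags]::ObjectInherit))
    )
    foreach ($rule in $pair) {
        $Acl.AddAccessRule($rule)
    }
    return , $pair
}

#######################################
# Replaces the DACL of one folder with the locked-down template: inheritance cut,
# Full Control for Administrator / Domain Admins / SYSTEM, the given rights for the
# user, owner set to the domain Administrator. The order of the phases matters: the
# running account must own the folder and hold Full Control while the DACL is being
# rewritten, and only loses that grant in the final write.
# Globals:   $Current (read), $Domain (read), $DomainAdministratorSid (read)
# Arguments: $Path         - folder to secure
#            $UserIdentity - "DOMAIN\user" string
#            $UserRights   - FileSystemRights values, one ACE pair is added per value
#######################################
function Set-TemplateFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $UserIdentity,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights[]] $UserRights
    )
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = (Get-Item -Path $Path).GetAccessControl('Access')

    # Phase 1: take ownership as the running account. Required for the next phases.
    $acl.SetOwner($Current.User)
    Set-Acl -Path $Path -AclObject $acl

    # Phase 2: disable inheritance from the share, keeping none of the inherited ACEs,
    # and give the running account Full Control so it can keep editing the DACL.
    $blockInheritance = $true
    $retainInheritedPermissions = $false
    $acl.SetAccessRuleProtection($blockInheritance, $retainInheritedPermissions)
    $currentUserRules = Add-FolderAccessRulePair -Acl $acl -Identity $Current.Name -Rights $fullControl
    Set-Acl -Path $Path -AclObject $acl

    # Phase 3: Domain Administrator account, Domain Admins group and SYSTEM: Full Control.
    foreach ($admin in @($DomainAdministratorSid, "$Domain\Domain Admins", "NT AUTHORITY\SYSTEM")) {
        Add-FolderAccessRulePair -Acl $acl -Identity $admin -Rights $fullControl | Out-Null
    }

    # Phase 4: the user's rights, one ACE pair per right.
    foreach ($right in $UserRights) {
        Add-FolderAccessRulePair -Acl $acl -Identity $UserIdentity -Rights $right | Out-Null
    }

    # Phase 5: hand ownership to the Administrator account, drop the temporary grant for the
    # running account, and write the final DACL in one go.
    $acl.SetOwner($DomainAdministratorSid)
    foreach ($rule in $currentUserRules) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Set script's working folder, so that the script can be run from a network share, any PowerShell session etc.
if ($psise) {
    $scriptRoot = Split-Path $psise.CurrentFile.FullPath
}
else {
    $scriptRoot = $global:PSScriptRoot
}

# Validate user list
$UserListFileName = Join-Path -Path $scriptRoot -ChildPath $UserListFileName
if (-not (Test-Path -Path $UserListFileName)) {
    Write-Error "No user list file found."
}

# Get-Item is used deliberately: if the file cannot be accessed it throws here, before any
# folder is created, rather than half-way through reading.
$UserListFile = Get-Item -Path $UserListFileName

# Keep only names made entirely of word characters, then drop blank entries. See .NOTES: this
# is the validation that keeps the name safe for the LDAP filter and for Join-Path.
$UserList = @(@(Get-Content -Path $UserListFile.FullName) -notmatch '\W') -match '\S'
if ($UserList.Count -eq 0) {
    Write-Error "Users list is empty."
}
Write-Output "$($UserList.Count) valid user names are found."

# Number of home folders that were fully created and secured.
$successCounter = 0

# NetBIOS domain name of the running account; used to qualify account names in ACEs.
$Domain = $env:USERDOMAIN

# The running account; its SID becomes the temporary owner of every folder.
$Current = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Built-in domain Administrator account, found by its well-known RID (-500) so a renamed account
# still resolves. The SID is used directly as the identity in SetOwner and in the ACEs, so no
# name round-trip is needed. Assumes the script runs under a domain account: for a local account
# AccountDomainSid is the machine SID and -500 would be the local Administrator instead.
$DomainAdministratorSid = [System.Security.Principal.SecurityIdentifier]::new($Current.User.AccountDomainSid.Value + "-500")

# Start creation loop
foreach ($UserName in $UserList) {
    # Check if user exists
    if (-not (Test-DomainUser -SamAccountName $UserName)) {
        Write-Warning "User `'$UserName`' does not exist. Skipping."
        continue
    }

    # Create user home folder; an existing folder is never touched (see the rollback note above).
    $UserHome = Join-Path -Path $RootPath -ChildPath $UserName
    if (Test-Path -Path $UserHome) {
        Write-Warning "Folder `'$UserHome`' exists. Skipping."
        continue
    }
    New-Item -ItemType Directory -Force -Path $UserHome | Out-Null

    # Set permissions for the user home folder: read-only for the user.
    Set-TemplateFolderAcl -Path $UserHome -UserIdentity "$Domain\$UserName" -UserRights $HomeFolderUserRights

    # Create child folders
    foreach ($childName in $TemplateFolders) {
        $childPath = Join-Path -Path $UserHome -ChildPath $childName
        if (-not (Test-Path -Path $childPath)) {
            New-Item -ItemType Directory -Force -Path $childPath | Out-Null
        }
    }

    # Set permissions for the child folders. Every sub-directory of the freshly created home is
    # processed; at this point only the template folders exist.
    foreach ($Folder in (Get-ChildItem -Path $UserHome -Directory)) {
        Set-TemplateFolderAcl -Path $Folder.FullName -UserIdentity "$Domain\$UserName" -UserRights $TemplateFolderUserRights
    }

    $successCounter++
    Write-Output "User `'$UserName`' folders are created with required permissions."
}

Write-Output "$successCounter user folder(s) created."
$FinishTime = Get-Date
# Use the captured time so the printed value is the one the duration is computed from.
Write-Output "Process Finished At: $($FinishTime.ToString('u'))"
$Timespan = New-TimeSpan -Start $StartTime -End $FinishTime
Write-Output "Total time: $Timespan"
Read-Host -Prompt "Press ENTER to exit"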