I am needing assistance with a script. What I am trying to accomplish is when new users are created in ADUC and their profile path (home folder) is created, it gives the users "Full Control". I am wanting to change that to Modify permissions. My problem is that there are multiple users created weekly, and I want a script that can go through all the home folders and, if it finds a user with Full Control, change it to Modify. But also there is an admin security group that has multiple admins in it that have "Full Control" on each home directory. I don't want it to look inside the group and take away their Full Control. What cmdlets do I need to say ignore that group and only change a user that has "Full Control" to Modify permissions? I have a script that changes a specific user from "Full Control" to Modify, but I don't know the proper way to have it just search for a user account on the folders with "Full Control".

#ChangeACL.ps1
$Right="Modify"

#The possible values for Rights are 
# ListDirectory
# ReadData 
# WriteData 
# CreateFiles 
# CreateDirectories 
# AppendData 
# ReadExtendedAttributes 
# WriteExtendedAttributes 
# Traverse 
# ExecuteFile 
# DeleteSubdirectoriesAndFiles 
# ReadAttributes 
# WriteAttributes 
# Write 
# Delete 
# ReadPermissions 
# Read 
# ReadAndExecute 
# Modify 
# ChangePermissions 
# TakeOwnership 
# Synchronize 
# FullControl

$StartingDir="\\server\Path" #What directory do you want to start at?
$Principal="domain\user" #What security principal do you want to grant the right to?


#define a new access rule.

$rule=new-object System.Security.AccessControl.FileSystemAccessRule($Principal,$Right,"ContainerInherit,ObjectInherit", 'None',"Allow")

foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
  $acl=(Get-Item $file.FullName).GetAccessControl('Access')

  #Add this access rule to the ACL
  $acl.SetAccessRule($rule)

  #Write the changes to the object
  #Set-Acl $File.Fullname $acl
  (Get-Item $file.FullName).SetAccessControl($acl)
}
    I would challenge your line of thinking. You don't need to look at existing permissions to find the exceptions, you just need to set the perms the way you want. – Jim B May 24 '19 at 14:28
  • Jim thanks for the reply. By default when the users home directory is created through ADUC the user is given full control. – Paul May 24 '19 at 14:41

2 Answers

After some testing I have come up with this script and it seems to work:

$HomeFolders = Get-ChildItem \\server\Path -Directory
foreach ($HomeFolder in $HomeFolders) {
    $Path = $HomeFolder.FullName
    $Acl = (Get-Item $Path).GetAccessControl('Access')
    $Username = $HomeFolder.Name
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("domain\$Username", 'Modify','ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.SetAccessRule($Ar)
    (Get-Item $HomeFolder.FullName).SetAccessControl($Acl)
}

I have created another one for anyone that may have this same situation. This one will check ACLs and will change them if needed.

#set root share to scan 
$HomeFolders = get-childitem \\servername\USERS -Directory

# loop through all folders in root
foreach ($HomeFolder in $HomeFolders) {
    $Path = $HomeFolder.FullName

    #set username based on folder name. Know that this is not going to be 100% accurate 
    # since some user shares may have access granted to other users(ie, managers)
    $Username = $HomeFolder.Name

    # set the identity (domain account) that should own the home folder
    $IdentityReference = "domain\$Username"

    # create the access rule specific to that user: Modify, inherited by subfolders and files
    $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($IdentityReference, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

    # get acl of folder in loop
    $Acl = (Get-Item $Path).GetAccessControl('Access')

    # look through all access objects
    foreach ($aclitem in $acl.Access) {
        # if a matching userID is found, check the permissions against the new access rule identity reference.
        if ($aclitem.IdentityReference -eq $ar.IdentityReference) {
            # if rights do not match, set the permissions with access rule set before
            if ($aclitem.FileSystemRights -ne $ar.FileSystemRights) { 
                write-host $HomeFolder.FullName "has permission of "$aclitem.FileSystemRights
                $Acl.SetAccessRule($Ar)
                write-host "Correcting permissions on $($homefolder.fullname)"
                (Get-Item $HomeFolder.FullName).SetAccessControl($acl)
            }
        }
    } 
}
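Both answers key off the folder name rather than the existing ACL, so they never touch the admin group but also never remove a Full Control entry that was granted to a different account. The script below is an added example, not code from the question or either answer: it walks the explicit (non-inherited) Allow entries on each home folder, skips any principal listed in $Exclude, and replaces Full Control with Modify for everyone else. The share path and the admin group name are placeholders; run it with -WhatIf first to see what would change.

```powershell
# Added example (not from the question or the answers). Assumed placeholders:
# the share path and the 'DOMAIN\HomeDirAdmins' group name must be replaced.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root = '\\server\Path',
    # principals whose Full Control must be left alone
    [string[]]$Exclude = @('DOMAIN\HomeDirAdmins', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$Full    = [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($Folder in Get-ChildItem -LiteralPath $Root -Directory) {
    $Acl     = Get-Acl -LiteralPath $Folder.FullName
    $Changed = $false

    # Only explicit entries are candidates: inherited ones come from the parent
    # share and would be re-applied anyway. Snapshot with @() so we can edit $Acl
    # while iterating.
    foreach ($Ace in @($Acl.Access | Where-Object { -not $_.IsInherited })) {
        if ($Ace.AccessControlType -ne 'Allow') { continue }

        $Who = $Ace.IdentityReference.Value
        if ($Exclude -contains $Who) { continue }   # -contains is case-insensitive

        # Full Control is a superset of Modify, so test the bits rather than
        # comparing the enum for equality.
        if (($Ace.FileSystemRights -band $Full) -ne $Full) { continue }

        Write-Host "$($Folder.FullName): $Who has FullControl, replacing with Modify"
        $null = $Acl.RemoveAccessRule($Ace)
        $New  = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $Ace.IdentityReference, 'Modify', $Inherit, 'None', 'Allow')
        $Acl.AddAccessRule($New)
        $Changed = $true
    }

    # Honour -WhatIf / -Confirm; write the ACL only once per folder.
    if ($Changed -and $PSCmdlet.ShouldProcess($Folder.FullName, 'Replace FullControl with Modify')) {
        Set-Acl -LiteralPath $Folder.FullName -AclObject $Acl
    }
}
```

Entries are matched by the principal's name as Windows reports it, so add the admin group to $Exclude exactly as it appears in the folder's Security tab.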