I have PowerShell a script to create a new user's home drive and I am using below command:
Set-ADUser $User -HomeDrive $driveLetter -HomeDirectory $fullPath
It's creating the home drive for the user but the user isn't able to access it.
One more thing, I can copying the created home drive manually from AD console and again pasting it and clicking on apply then it works fine.
Set-ADUser will only modify the user object in ActiveDirectory; security permissions on the folder itself is an additional step.
FileSystemRights Enumeration: MSDN
It is not sufficient to simply use Set-ADUser, expecting full end to end creation of a fully functioning home directory; we must set permissions on the folder in question, including any inheritance flags.
There's a few steps to accomplish this, but simply stated:
We need to get the current access control list (ACL)
We need to add our desired permissions to said ACL
We need to write the new ACL, combining both the pre-existing and new permissions.
As you may have guessed:
Get-ACL
Set-ACL
We can so something like this:
Set-ADUser $User -HomeDrive $driveLetter -HomeDirectory $fullPath -ea Stop
$homeShare = New-Item -path $fullPath -ItemType Directory -force -ea Stop
$acl = Get-Acl $homeShare
$FileSystemRights = [System.Security.AccessControl.FileSystemRights]"Modify"
$AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow
$InheritanceFlags = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$PropagationFlags = [System.Security.AccessControl.PropagationFlags]"InheritOnly"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule ($User.SID, $FileSystemRights, $InheritanceFlags, $PropagationFlags, $AccessControlType)
$acl.AddAccessRule($AccessRule)
Set-Acl -Path $homeShare -AclObject $acl -ea Stop
If you're feeling creative, you can also combine some of the flags into an array:
$InheritanceFlag = #('ContainerInherit','ObjectInherit')
Please note this code is NOT tested and to validate before executing in any environment.
Related
Sorry everyone, for bothering you. Currently I have a command line to enforce user permissions already working on the specified directory but I need your help on how to be able to see the higher level directory when the user accesses it. Because now, when the user accesses normally, he will not see a higher-level directory to access, he must access the available path, so it is very inconvenient. I just need to see the folders to access without editing or see another subfolder inside.
$acl = Get-Acl 'D:\TEST'
$path = "D:\TEST"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("test.ktdv","write","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("test.ktnb","read","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
Get-ChildItem -Path "$Path" -Recurse -Force |
Where-Object { ($_.Name -eq 'New Folder' -or $_.Name -eq 'B') } |
Set-Acl -Aclobject $acl -Verbose
I am trying to modify folder ACL through Powershell with following code. First i want to clear ACL and stop inheritance and then add only specific users to it.
This seem working fine, but if i trying to open that folder it gives following error.
What is wrong with the script?
$acl = Get-ACL -Path "c:\mydata"
$acl.SetAccessRuleProtection($True, $False)
$acl | Set-Acl -Path "c:\mydata"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DBUSER","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("ADMIN","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$acl | Set-Acl -Path "c:\mydata"
You are setting an empty ACL, then trying to make changes when you no longer have permissions. Normally, you should be getting an error on the second Set-ACL
$acl | Set-Acl $path
Set-Acl : The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.
Instead, try setting the ACL only once:
$path = 'c:\mydata'
$acl = Get-ACL $path
$rule1 = [System.Security.AccessControl.FileSystemAccessRule]::new(
"DBUSER","FullControl","ContainerInherit,ObjectInherit","None","Allow" )
$rule2 = [System.Security.AccessControl.FileSystemAccessRule]::new(
"ADMIN","FullControl","ContainerInherit,ObjectInherit","None","Allow" )
$acl.AddAccessRule($rule1)
$acl.AddAccessRule($rule2)
# Flush the inherited permissions, and protect your new rules from overwriting by inheritance
$acl.SetAccessRuleProtection($True, $False)
# Output what the new access rules actually look like:
$acl.Access | ft
$acl | Set-Acl $path
If you need to keep the existing permissions, then use $acl.SetAccessRuleProtection($True, $True) instead.
Finally, make sure you're actually logged in as either DBUSER or ADMIN when testing access to the folder.
Trying to add Full Control to a few users to a folder in Powershell have the following, runs with no errors but only adds the last "rule" to the folder. What am I doing wrong?
$acl = Get-Acl E:\MyFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\john.smith","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\Domain Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\Folder-Admins","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
(Get-Item E:\MyFolder).SetAccessControl($acl)
I tried running the exact same code as you like so :
$acl = Get-Acl C:\temp
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("some_user","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("other_user","FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
(Get-Item C:\Temp).SetAccessControl($acl)
And it added both to my folder so it doesn't seem to be an issue with the code itself, have you checked if maybe the domain and names were correct and that you are authorized to assign such permissions to that user/group?
For references i'm using Powershell version : 5.1.17763.771, and I ran those lines with local accounts and not domain accounts as I don't have access to a domain right now.
You might try the NTFS PowerShell module, it makes things much easier and is quite capable.
A command to add full access would look something like:
Add-NTFSAccess -Path <path> -Account <Account> -AccessRights FullControl -AccessType Allow
So this might be a little complicated.... I have created a script which generates lists of all the people that have Security permissions on a share. The issue is that the share permission to a share will be different than the security permissions. I want to remove all share permissions and set the share permissions to the same people with the same full control as the security permissions.
I need to run this on four different servers so I need a script that will change that. Any ideas or resources?
Edit: After discussion with my colleagues the objective has slightly changed. Now I want to use Set-Acl to basically remove full control from all users EXCEPT one specific group. This shouldn't be too difficult right? I would simply throw a for each share - for each user- if user not in specific group then set acl to remove full control.
How does one remove permissions? I see commands for setting FC but not for removing.
As per your reply, this way removes all the bugs from GET-ACL and SET-ACL so can be used in earlier versions of PowerShell. Once it's removed, you can change this (reference $PERM) to add back on the group you want to retain access. Let me know if you need it tweaking.
$folderpath = "Somefolderpath"
write-Output "Removing inheritance "
$acl = Get-Acl $Folderpath
$acl.SetAccessRuleProtection($True, $True)
$acl | Set-Acl
$acl = Get-Acl $Folderpath
$acl.Access |where {$_.IdentityReference -eq "NT AUTHORITY\Authenticated
Users"} |%{$acl.RemoveAccessRule($_)}
$acl | Set-Acl
If ($?){
Write-Output "Inheritance Removed"
}
write-Output "Set permissions"
$acl = Get-Acl $Folderpath
$perm = "AddGroupHere","FullControl","Allow"
$accessRule = new-object System.Security.AccessControl.FileSystemAccessRule
$perm
$acl.AddAccessRule($accessRule)
$acl | Set-Acl
If ($?){
Write-Output "ACL set"
}
I am attempting to Set-Acl on a Computer Object in AD. Firstly I get the ACL using:
$acl = (Get-Acl AD:\'CN=Tester1,OU=Ou1,OU=OU2,OU=OU3,DC=Contoso,DC=com').Access
Which gives me all the ACL for that computer object. I then use:
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Computername","FullControl")))
Any pointers in the right direction would be helpful. My aim is to add a computer object to the computer object 'Tester1' and give it Full Access permissions.
ActiveDirectory isn't a filesystem. You must create a new ACE for an AD object as an ActiveDirectoryAccessRule.
$path = "AD:\CN=Tester1,OU=Ou1,OU=OU2,OU=OU3,DC=Contoso,DC=com"
$acl = Get-Acl -Path $path
$ace = New-Object Security.AccessControl.ActiveDirectoryAccessRule('DOMAIN\Computername','FullControl')
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl
ACE for AD objects you must create with System.DirectoryServices.ActiveDirectoryAccessRule object instead of System.Security.AccessControl.FileSystemAccessRule.
Good description and example is here: Add Object Specific ACEs using Active Directory Powershell