I have the below PowerShell script that creates a home drive for a user:
Import-Module ActiveDirectory 2>&1 | Write-Host;
if($?)
{
$homeDir = "\\CORP.com\HOME\Jdoe";
$user = "jdoe";
$domain = "Corp";
New-Item "$homeDir" -type directory;
$acl = Get-Acl "$homeDir";
$permission = "$domain\$user","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow";
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission;
$acl.SetAccessRule($accessRule);
$acl | Set-Acl "$homeDir";
}
The values of $homeDir and $user will be passed at runtime.
How can I execute the above script while passing runtime values for the $homeDir and $user attributes?
I have tried to execute
. 'C:\hd.ps1' $homeDir = "\\CORP.com\HOME\test" $user = "test" ; without success.
Can anyone guide me on what I am doing incorrectly?
Put
param(
$homeDir,
$user
)
At the top of the script and call using
Powershell -File "C:\hd.ps1" -homeDir "\\CORP.com\HOME\test" -user "test"
Why are you doing this?
Import-Module ActiveDirectory 2>&1 | Write-Host;
If you are on the DC doing this or if you have the RSAT tools on your workstation, if you are on PowerShell v3+ or higher, this gets auto loaded the moment you use an AD cmdlet.
Also, never use Write-Host for anything that you plan to need later. It empties / clears the buffer. Write-Host is only good for text coloring or other formatting needs in s
Make this a collection from a file for example and just read it in. I'm just using a list here:
$UserFile = @'
homeDir,user,Targetdomain
\\CORP.com\HOME\Jdoe,jdoe,Corp
'@ | ConvertFrom-Csv
# Results
homeDir              user Targetdomain
-------              ---- ------------
\\CORP.com\HOME\Jdoe jdoe Corp
If you are doing this from a remote machine, then you cannot use local variables in a remote session unless you set its scope.
Get-Help about_remote_variables -Full
About Remote Variables
LONG DESCRIPTION
You can use variables in commands that you run on remote
computers. Simply assign a value to the variable and then use the
variable in place of the value.
By default, the variables in remote commands are assumed to be
defined in the session in which the command runs. You can also use
variables that are defined in the local session, but you must identify
them as local variables in the command.
USING LOCAL VARIABLES
You can also use local variables in remote commands, but you
must indicate that the variable is defined in the local session.
Beginning in Windows PowerShell 3.0, you can use the Using
scope modifier to identify a local variable in a remote command.
The semi-colons are not needed in PowerShell, unless the items are on the same line.
You cannot call this code this way...
'C:\hd.ps1' $homeDir = "\\CORP.com\HOME\test" $user = "test"
... since you did not specify any params in your code.
So, something like this...
Note: I am not in a position to test this... please do only in a test environment
So this is off the cuff...
ForEach($UserLine in $UserFile)
{
    # This loop runs locally, so plain variables are used; the Using: scope
    # modifier only has meaning inside a remote script block (Invoke-Command).
    New-Item $UserLine.homeDir -type directory
    $acl = Get-Acl $UserLine.homeDir
    $permission = ($UserLine.Targetdomain + '\' + $UserLine.user),'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl $UserLine.homeDir
}
If you want this to be a parameterized function, then this...
Function New-ADUserHomeDirSettings
{
    [cmdletbinding()]
    Param
    (
        [string]$homeDir,
        [string]$user,
        [string]$Targetdomain
    )
    # Work from the parameters; $UserLine and the Using: scope are undefined inside a local function.
    New-Item $homeDir -type directory
    $acl = Get-Acl $homeDir
    $permission = ($Targetdomain + '\' + $user),'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl $homeDir
}
New-ADUserHomeDirSettings -homeDir '' -user '' -Targetdomain ''
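The same work done on the file server through Invoke-Command, which is where the Using: scope modifier quoted above actually applies; this is an added example, not the answer's own code, and the server name FS01 and the local path D:\HOME are assumptions.

```powershell
# Added example, not code from the original answer. Assumes a file server named FS01
# (placeholder) that hosts the HOME share and that the caller is an administrator on it.
$FileServer = 'FS01'

# Constructed sample input: one row per user. Paths are local to the server so the
# remote session does not need a second hop to reach a UNC share.
$Users = @'
homeDir,user,Targetdomain
D:\HOME\jdoe,jdoe,Corp
D:\HOME\asmith,asmith,Corp
'@ | ConvertFrom-Csv

Invoke-Command -ComputerName $FileServer -ScriptBlock {
    # $Using:Users copies the local collection into the remote session (PowerShell 3.0+);
    # a bare $Users would be undefined on the server.
    foreach ($u in $Using:Users) {
        if (-not (Test-Path -LiteralPath $u.homeDir)) {
            New-Item -Path $u.homeDir -ItemType Directory | Out-Null
        }
        $identity = New-Object System.Security.Principal.NTAccount($u.Targetdomain, $u.user)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl = Get-Acl -LiteralPath $u.homeDir
        # SetAccessRule replaces any existing explicit Allow rule for this identity instead of stacking another one.
        $acl.SetAccessRule($rule)
        Set-Acl -LiteralPath $u.homeDir -AclObject $acl
        # Return what was applied so the caller can review the result.
        [pscustomobject]@{ Path = $u.homeDir; Identity = $identity.Value; Rights = $rule.FileSystemRights }
    }
}
```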
I know that this subject was already discussed here but solutions here and on other sites seem not to work for me.
I want to grant the CNO "CLUSTER" the Create Computer Object permission on an OU.
More or less all solutions are based on the following idea:
$ou = 'OU=sql,OU=prod,DC=ssd,DC=xxx,DC=net'
$cno = 'CLUSTER1'
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADComputer -Filter "name -eq `"$cno`"").SID
$acl = get-acl $ou
$objectGUID = New-Object guid bf967a86-0de6-11d0-a285-00aa003049e2
$guidNull = New-Object guid 00000000-0000-0000-0000-000000000000
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"ReadProperty,GenericExecute","Allow",$guidNull,"None",$guidNull
$acl.AddAccessRule($ace1)
$ace2 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"CreateChild","Allow",$ObjectGUID,"None",$guidNull
$acl.AddAccessRule($ace2)
set-acl -aclobject $acl $ou
I am getting following error:
Set-Acl : This security ID may not be assigned as the owner of this object
At line:1 char:8
+ set-acl <<<< -aclobject $acl $ou
+ CategoryInfo : NotSpecified: (OU=sql,OU=ssd...=xxx,DC=net:String) [Set-Acl], ADException
+ FullyQualifiedErrorId : ADProvider:SetSecurityDescriptor:ADError,Microsoft.PowerShell.Commands.SetAclCommand
Any idea what can be wrong?
I've seen this error on file systems when using Get-Acl/Set-Acl. Get-Acl retrieves the entire ACL even though you don't want it. You only want the DACL. Set-Acl then attempts to write the entire ACL which fails because Microsoft. Try changing the Get-Acl call to:
$acl = (get-acl $ou).Access
This should only get you the access rules which you are trying to append to.
EDIT
Apologies for the misinformation, on a filesystem this works but AD is "special". The underlying issue is the same, Get-Acl pulls everything and Set-Acl chokes when it attempts to set the owner. Try running the above command in a PowerShell window run as admin under a domain administrator's context. This may allow you to force past it. Instead I would try using the ADSI accelerator.
$ou = 'OU=sql,OU=prod,DC=ssd,DC=xxx,DC=net'
$cno = 'CLUSTER1'
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADComputer -Filter "name -eq `"$cno`"").SID
$ouObject = [ADSI]("LDAP://$OU")
$objectGUID = New-Object guid bf967a86-0de6-11d0-a285-00aa003049e2
$guidNull = New-Object guid 00000000-0000-0000-0000-000000000000
$ace1 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"ReadProperty,GenericExecute","Allow",$guidNull,"None",$guidNull
$ouObject.psbase.ObjectSecurity.AddAccessRule($ace1)
$ace2 = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"CreateChild","Allow",$ObjectGUID,"None",$guidNull
$ouObject.psbase.ObjectSecurity.AddAccessRule($ace2)
$ouObject.psbase.CommitChanges()
Another option would be to try working around it with dsacls, you'll need to figure out exactly which permissions syntax you want to use though. Please test before running on a live OU.
$ou = 'OU=sql,OU=prod,DC=ssd,DC=xxx,DC=net'
$cno = 'CLUSTER1'
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADComputer -Filter "name -eq `"$cno`"").SID
# Should grant the SID Generic Execute, Read Property, Create Children.
# $sid:GERPCC would be parsed as a scope-qualified variable name, so build the argument as a string.
dsacls $ou /G "$($sid):GERPCC"
Seems to be working on any AD object, including DNS records via DN:
dsacls $DistinguishedName /G "NT AUTHORITY\Authenticated Users:GW"
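A read-back to verify what the OU actually holds for the CNO after the grant, as an added example that is not from the question or the answers; it reuses the OU and computer names from the question as placeholders.

```powershell
# Added example, not code from the question or answers. Lists the ACEs an OU holds for
# one principal so the CreateChild grant for the cluster CNO can be verified.
$ou  = 'OU=sql,OU=prod,DC=ssd,DC=xxx,DC=net'   # placeholder from the question
$cno = 'CLUSTER1'                               # placeholder from the question
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADComputer -Filter "name -eq `"$cno`"").SID

# Schema class GUID used in the question: bf967a86-... is the computer object class.
$knownTypes = @{
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    '00000000-0000-0000-0000-000000000000' = '(all object types)'
}

$ouObject = [ADSI]("LDAP://$ou")
# GetAccessRules(includeExplicit, includeInherited, identity type) returns ActiveDirectoryAccessRule objects.
$rules = $ouObject.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$rules | Where-Object { $_.IdentityReference -eq $sid } | ForEach-Object {
    $typeName = $knownTypes[$_.ObjectType.ToString()]
    if (-not $typeName) { $typeName = $_.ObjectType.ToString() }
    [pscustomobject]@{
        Principal   = $cno
        Type        = $_.AccessControlType
        Rights      = $_.ActiveDirectoryRights
        AppliesTo   = $typeName
        Inheritance = $_.InheritanceType
        Inherited   = $_.IsInherited
    }
}
```

If the ADSI grant above was applied, the output has one Allow row for ReadProperty, GenericExecute on all object types and one Allow row for CreateChild on computer.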
I have a PowerShell function that will enable auditing on the Perflogs folder. The function works just fine on a Windows PC with an English installation language. But when I use it on a Danish version it fails because "Everyone" doesn't exist on a Danish installation. On a Danish installation "Everyone" is called "Alle".
So instead of using everyone, then I would like to use the SID "S-1-1-0"
S-1-1-0 = Everyone/World link
But for some reason this also does not work. Does anyone have a clue about this and why I can’t do this?
function AddAuditToFile {
    param
    (
        [Parameter(Mandatory=$true)]
        [string]$path
    )
    Get-Acl $path -Audit | Format-List Path,AuditToString | Out-File -FilePath 'file_before.txt' -Width 200 -Append
    $File_ACL = Get-Acl $path
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule("S-1-1-0","CreateFiles,Modify,AppendData","none","none","Success")
    $File_ACL.AddAuditRule($AccessRule)
    $File_ACL | Set-Acl $path
    Get-Acl $path -Audit | Format-List Path,AuditToString | Out-File -FilePath 'file_after.txt' -Width 200 -Append
}
I call the function like this:
AddAuditToFile "C:\Perflogs"
Use the SecurityIdentifier class to translate the SID:
$everyoneSid= New-Object System.Security.Principal.SecurityIdentifier "S-1-1-0"
$everyoneSidName= $everyoneSid.Translate([System.Security.Principal.NTAccount])
$everyoneSidName.Value
This will output the actual everyone group name depending on the actual machine.
Gungnir from Spiceworks found the solution.
I had to translate the SID and make a variable and then use the variable
$AccountSID = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
$AccountName = $AccountSID.Translate([System.Security.Principal.NTAccount]).Value
$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList ($AccountName,'CreateFiles,Modify,AppendData','none','none','Success')
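The FileSystemAuditRule constructor also accepts a SecurityIdentifier object directly, so the name lookup can be skipped altogether; the following is an added example (not the question's or the answers' code) that does that and reads the SACL back for checking. The function name and the C:\PerfLogs path are assumptions.

```powershell
# Added example, not the question's or the answers' code. Adds a SACL entry for Everyone
# by its well-known SID, which is identical on every language of Windows, and reads the
# SACL back so the result can be checked. Run elevated: the SACL needs SeSecurityPrivilege.
function Add-EveryoneWriteAudit {
    param (
        [Parameter(Mandatory=$true)]
        [string]$Path
    )
    # S-1-1-0 is Everyone; passing the SecurityIdentifier object avoids any name lookup.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rights   = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Modify'
    $ruleArgs = $everyone, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Success'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs

    # -Audit is needed both to read the SACL and so that Set-Acl writes it back.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Report only the entries for this SID; the display name is resolved separately,
    # so the report reads correctly on a Danish, English or any other install.
    $name = $everyone.Translate([System.Security.Principal.NTAccount]).Value
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $everyone } |
        ForEach-Object {
            [pscustomobject]@{ Path = $Path; Identity = $name; Rights = $_.FileSystemRights; Flags = $_.AuditFlags }
        }
}

Add-EveryoneWriteAudit -Path 'C:\PerfLogs'
```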
I have a CSV file that contains a Folder Name (first 6 characters) and a User Name (rest of the characters).
I have to give Full Control access to each user on his folder. So I wrote this:
$Doc = import-csv "C:\Temp\ListOfUsers.csv"
foreach ($x in $Doc)
{
$x = ""+ $x
$CPayID = $x.SubString(10,6)
$UserName = $x.SubString(17, $x.Length-18)
$UserPath = "C:\XPAY_FTP_CUST\"+$CPayID
$Acl = Get-Acl $UserPath
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$Username","FullControl","ContainerInherit, ObjectInherit","None","Allow")
$Acl.SetAccessRule($Rule)
Set-Acl $UserPath $Acl
}
But I received the following Error for Each User:
Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
The Users exist and are locals, I am local administrator, and when I ask for echo the $Username, the $UserPath, and the $Acl I receive correct data.
Please, I need any help.
You might have to specify the username as DOMAIN\user. In case of local users, DOMAIN will be the computer name:
$UserReference = New-Object System.Security.Principal.NTAccount $env:ComputerName,$Username
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($UserReference,"FullControl","ContainerInherit, ObjectInherit","None","Allow")
Mathias is much, much smarter than I am at this, but I noticed this in your code:
($UserReference,"FullControl","ContainerInherit, ObjectInherit","None","Allow")
Should "ContainerInherit, ObjectInherit" instead be "ContainerInherit", "ObjectInherit"?
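One way to catch the untranslatable identity before any ACL is touched, as an added example that is not code from the question or the answers: parse the column directly instead of stringifying the row, qualify the user with the computer name, and let Translate() prove the account exists. The root folder and sample rows are placeholders modelled on the question.

```powershell
# Added example, not the question's or the answers' code. Parses the question's CSV layout
# (one column: a 6-character folder id followed by the user name), resolves each user as a
# local account and checks that it exists before granting anything.
$rootPath = 'C:\XPAY_FTP_CUST'   # placeholder from the question

# Constructed sample input with the same shape as the question's file (first row is the header).
$rows = @'
Entry
ABC123jsmith
XYZ789nosuchuser
'@ | ConvertFrom-Csv

foreach ($row in $rows) {
    $entry    = $row.Entry
    $folderId = $entry.Substring(0, 6)
    $userName = $entry.Substring(6)
    $userPath = Join-Path $rootPath $folderId

    # Local users must be qualified with the computer name. Translate() to a SID is exactly
    # the step that fails with "identity references could not be translated", so do it first.
    $account = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $userName)
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "Skipping '$entry': account $($account.Value) does not exist on this machine."
        continue
    }

    # Grant by SID rather than by name so the ACE stays unambiguous if the user is renamed later.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $userPath
    $acl.SetAccessRule($rule)
    Set-Acl -Path $userPath -AclObject $acl
    "$($account.Value) ($sid) -> FullControl on $userPath"
}
```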
I have a question about Get-Acl in Powershell. I keep getting the error message, "Access to the path is denied". I want to change the owner of the folder to myself and then give myself full permissions to the folder using Powershell. Here's the line of code giving me the error:
$acl = Get-Acl "C:\SomeFolder"
I am using Windows Explorer to set the permissions on "SomeFolder" before running the script. They are as follows:
no entries in the access control list
owner is not myself
I do not receive the error message if I make myself the owner using the Windows Explorer GUI before running the Powershell script. I don't understand why I am allowed to change the owner with Windows Explorer but not using Powershell? I have full admin rights on this machine. Windows 7, Powershell 2.0, .NET 3.5.
I'm assuming the only way to change the owner is to use Get-Acl, set owner on the ACL, then use Set-Acl to write it back to the folder. If there is another way, please let me know? How can I change the owner of the folder using Powershell?
Windows Vista and up include a command-line tool named takeown.exe which can be used from an elevated command prompt (or elevated powershell console) to change the ownership of a file system object.
takeown /F "C:\SomeFolder" /R /D Y
should give you ownership on C:\SomeFolder and the file system objects it contains.
I have some system configuration scripts from our build guy and I recall a note about the Get-Acl command "not working well on certain paths".
# NOTE: This method does not work well?
#$acl = Get-Acl -Path $Path
The kinds of paths we were setting permissions on were empty folders created by an administrator user later captured in a disk image. This is the PowerShell command that we used instead.
$acl = (Get-Item $path).GetAccessControl("Access")
Oh, and it gets real obscure once you have an ACL object. I don't know if this is the best way to do it, but it's a snippet from the same script I refer to above.
$acl = (Get-Item $path).GetAccessControl("Access")
# Setup the access rule ($path, $user and $permissions are set earlier in the script).
$allInherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$allPropagation = [System.Security.AccessControl.PropagationFlags]"None"
$AR = New-Object System.Security.AccessControl.FileSystemAccessRule $user, $permissions, $allInherit, $allPropagation, "Allow"
# Check if Access already exists.
if ($acl.Access | Where { $_.IdentityReference -eq $User})
{
# Reset replaces every existing rule for this identity with the new one.
$accessModification = [System.Security.AccessControl.AccessControlModification]::Reset
$modification = $false
$acl.ModifyAccessRule($accessModification, $AR, [ref]$modification) | Out-Null
}
else
{
$acl.AddAccessRule($AR)
}
Set-Acl -AclObject $acl -Path $Path
The above code worked great. I wanted to post a tweak for recursively going through a directory and filling in some "missing"
$HomeFolders = Get-ChildItem "put your directory root here" -Directory -recurse
foreach ($HomeFolder in $HomeFolders) {
$Path = $HomeFolder.FullName
$acl = (Get-Item $Path).GetAccessControl('Access')
$allInherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$allPropagation = [System.Security.AccessControl.PropagationFlags]"None"
$permissions = "FullControl"
$Username = "<put your name here>"
$AR = New-Object System.Security.AccessControl.FileSystemAccessRule($Username, $permissions, $allInherit, $allPropagation, "Allow")
if ($acl.Access | Where { $_.IdentityReference -eq $Username})
{
# Reset replaces every existing rule for this identity with the new one.
$accessModification = [System.Security.AccessControl.AccessControlModification]::Reset
$modification = $false
$acl.ModifyAccessRule($accessModification, $AR, [ref]$modification) | Out-Null
}
else
{
$acl.AddAccessRule($AR)
}
Set-Acl -path $Path -AclObject $Acl
}
I would like to change the ACL of the C: drive. What I'm trying to do is remove the permission that lets a user create a folder directly on the drive. I tested the script on another folder while writing it. It worked without a problem. After completion I tried the script in our test environment on the actual drive. I get an error that I can't figure out. If I remove the permission manually it works without a problem. Anyone got an idea?
$path = "C:\"
$colRights = [System.Security.AccessControl.FileSystemRights]"CreateDirectories"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("Authenticated Users")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-ACL $path
$objACL.RemoveAccessRule($objACE)
Set-ACL $path $objACL
The error is:
Set-Acl : The security identifier is not allowed to be the owner of this object.
At C:\Users\mhodler\Desktop\Remove Permission.ps1:57 char:8
+ Set-ACL <<<< $path $objACL
+ CategoryInfo : InvalidOperation: (C:\:String) [Set-Acl], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.SetAclCommand
I found the answer. Microsoft says
Unfortunately Get-Acl is missing some features. It always reads the full security descriptor even if you just want to modify the DACL. That’s why Set-ACL also wants to write the owner even if you have not changed it. Using the GetAccessControl method allows you to specify what part of the security descriptor you want to read.
Replace the Get-Acl call with
$acl = (Get-Item $path).GetAccessControl('Access')
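The question's removal written around that fix, as an added example that is not the answer's own code: only the DACL is read and written, Authenticated Users is addressed by its well-known SID S-1-5-11 instead of a localised name, and the explicit ACEs are re-read afterwards to confirm the right is gone. The function name is an assumption.

```powershell
# Added example, not the answer's own code. Removes the CreateDirectories right that
# Authenticated Users hold on a drive root, reading and writing only the DACL so Set-Acl
# never tries to rewrite the owner. Run from an elevated session.
function Remove-CreateDirectoriesRight {
    param (
        [Parameter(Mandatory=$true)]
        [string]$Path
    )
    $authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'   # Authenticated Users
    $rights    = [System.Security.AccessControl.FileSystemRights]::CreateDirectories

    # Only the Access section is read; this is the fix from the answer above.
    $acl = (Get-Item -LiteralPath $Path).GetAccessControl('Access')

    $before = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $authUsers -and ($_.FileSystemRights -band $rights) }
    if (-not $before) {
        Write-Verbose "No explicit CreateDirectories ACE for Authenticated Users on $Path"
        return $false
    }

    # RemoveAccessRule strips just these rights from the matching explicit Allow ACEs and keeps the rest.
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($authUsers, $rights, 'None', 'None', 'Allow')
    $removed = $acl.RemoveAccessRule($ace)
    if ($removed) { Set-Acl -LiteralPath $Path -AclObject $acl }

    # Confirm the right is really gone from the explicit ACEs.
    $after = (Get-Item -LiteralPath $Path).GetAccessControl('Access').GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $authUsers -and ($_.FileSystemRights -band $rights) }
    return ($removed -and -not $after)
}

Remove-CreateDirectoriesRight -Path 'C:\' -Verbose
```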
You need the SeRestorePrivilege to set the owner. I used Lee Holmes' script from the URL below to elevate my process with this additional priv and was able to set the owner to someone other than myself.
http://www.leeholmes.com/blog/2010/09/24/adjusting-token-privileges-in-powershell/
I tried the (get-item $path).getaccesscontrol("access") method but still got the same error since my process didn't have the SeRestorePrivilege.
The below code works for me:
$ApplicationPoolIdentity = "everyone"
function SetACL()
{
param (
[Parameter(Mandatory=$true)]
[string] $Path
)
$Acl = (Get-Item $Path).GetAccessControl('Access')
Write-Host "Path:" $Path "ID:" $ApplicationPoolIdentity
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule($ApplicationPoolIdentity,"Write","Allow")
$Acl.SetAccessRule($Ar)
Write-Host $Acl
$Acl | Set-Acl $Path
}
SetACL "C:\Test\"
People may find this easier:
icacls c:\ /remove "authenticated users"
$Acl = (Get-Item $Path).GetAccessControl('Access')
Worked for me.
I run my PS script from CMD, and in this PS script I run another PS script. Everything works fine as long as I do it with my own user. When I use a different user I get the same error:
Set-Acl : The security identifier is not allowed to be the owner of this object.
I just changed Get-ACL to the line above and it worked fine.
Thanks again.