Home / server / Questions / 33861
Accepted
Daniel A. White
Asked: 2009-07-01 06:42:20 +0800 CST

PowerShell/Command Prompt - Create folders from AD group members

  • 772

Is there a simple script I can use to give a destination folder and the AD group I want to use and it would generate a set of folders with the members of that AD group and delegate the proper permissions to those folders?

I have gotten as far as dsget group "FQN" -members and it returns a list of FQN's.

Here is an example of what I am looking for...

SomeADGroup
  member1
  member2
  ...
  memberN


Root Folder - has permission for SomeADGroup (already set up)
    member1 - member1 has modify; other SomeADGroup members, no permissions
    member2 - member2 has modify; other SomeADGroup members, no permissions
    ...
    memberN - memberN has modify; other SomeADGroup members, no permissions
windows powershell command-line-interface active-directory

2 Answers

  1. Best Answer

    Here-- have at.

    Option Explicit

' DOMAIN\Group to process
Const DOMAIN = "DOMAIN"
Const GROUP = "Human Resources Department"

' Destination path - Do not append a "\"
Const DESTINATION_PATH = "C:\Test"

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

Dim objNameTranslate, objGroup, strUser, objShell

Set objNameTranslate = CreateObject("NameTranslate")
objNameTranslate.Init ADS_NAME_INITTYPE_GC, ""
objNameTranslate.Set ADS_NAME_TYPE_NT4, DOMAIN & "\" & GROUP
Set objGroup = GetObject("LDAP://" & Replace(objNameTranslate.Get(ADS_NAME_TYPE_1779), "/", "\/")) 

set objShell = CreateObject("Wscript.Shell")

For Each strUser in objGroup.Members
    objShell.Run "%COMSPEC% /c mkdir " & DESTINATION_PATH & "\" & strUser.samAccountName
    objShell.Run "CACLS " & DESTINATION_PATH & "\" & strUser.samAccountName & " /E /G " & DOMAIN & "\" & strUser.samAccountName & ":F"
Next ' strUser

    A quick tour:

    Set the DOMAIN, GROUP, and DESTINATION_PATH. Obviously, you'll have to be logged-on as a user with rights to make directories and set permission under the DESTINATION_PATH when you run this.

    I could've probably done this more efficient in PowerShell, except that I can't stand PowerShell and haven't wanted to be bothered to get more in-depth with it. >smile< Likewise, I could've probably done the directory-making with the FileSystemObject, but this was faster for me to write. I could've done something fancier instead of the CACLS but, hey, it works.

    • 1

  2. You can use powershell to do both. Depending on the size and depth of your folders it could take some recursion to get working.

    You can create a folder simply

    New-Item c:\scripts\Windows PowerShell -type directory

    Then the easiest way to set permissions is probably using a if statements or something like that.

    In powershell you use the two commandlets get-acl and set-acl to change permissions. So get the permission set from a predifined folder with the correct permissions, and set them to the folder you are working on.

    Or define the permissions into a variable and just use set-acl depending on if you want the same permissions per folder.

    Then use a couple of IF statements or soemthing to specify permissions based on folder name.

    foreach ($file in $(Get-ChildItem $StartingDir -recurse)) {
  $acl=get-acl $file.FullName

  #Add this access rule to the ACL
  $acl.SetAccessRule($rule)

  #Write the changes to the object
  set-acl $File.Fullname $acl
  }
    • 0