Ping a Specific Port

Question

Bourne

Asked: 2012-02-16 15:04:08 +0800 CST2012-02-16 15:04:08 +0800 CST 2012-02-16 15:04:08 +0800 CST

Re-give users ownership of their mapped home folders via powershell

772

I changed the user quota on a windows 2008 machine and after that some users reported that they were able to read but not write to their mapped home folders. If I re-enter the Home Folder path in the Server Manager and accept the default prompt of...

"The \\server\folder home folder already exists. Do you want this user to be granted full control on this folder?"

...the issue disappears.

Is there a way to do the same thing with Powershell where the script will check to see if the user has the permissions and if not reassign them?
What about listing the folder permissions along with the owner to identify who doesn't have full permissions? I spent a couple hours on this second question with mixed results.

The following script does not seem to list folders with mismatching permissions.

get-acl "D:\users\*" | select Path -Expand Access | where
{ $_.Identityreference -notcontains 'NT AUTHORITY\SYSTEM' 
-and $_.Identityreference -notcontains 'CREATOR OWNER' 
-and $_.Identityreference -notcontains 'BUILTIN\Administrators' 
-and $_.Identityreference -notcontains 'BUILTIN\Users' 
-and $_.Identityreference -notcontains 'BUILTIN\Account Operators' 
-and $_.Identityreference -notcontains 'BUILTIN\BUILTIN\Users'} | 
select @{Expression={$_.path};Label="Folder"},
@{Expression={$_.IdentityReference};Label="User"},
@{Expression={$_.AccessControlType};Label="Permissions"} |
Format-Table -Wrap -AutoSize

3 Answers

Voted

Sven · Answer 1 · 2012-02-17T05:21:59+08:00

Sven

2012-02-17T05:21:59+08:002012-02-17T05:21:59+08:00

To check the ownership of a folder or file, you can use the GetOwner method:

$acl = Get-Acl $dir.fullname
$acl.GetOwner([System.Security.Principal.NTAccount])

And set the new owner with:

$objUser = New-Object System.Security.Principal.NTAccount("YourDomain", "YourUser")
$acl.SetOwner($objUser)

2

Jordan W. · Answer 2 · 2012-02-17T08:34:09+08:00

this might help. I had to fix permissions on a shared folder configuration I adopted a while back. Using powershell and subinacl.exe (because changing owner remotely doesn't work often). this was also used to do some cleanup so there is some extra code in here to rename disabled or deleted user account folders. It's an old script also using Quest cmdlets which can be replaced with native AD cmdlet now.

Add-PSSnapin quest*

$dirlist = gci \\server\share | ? { $_.PSIsContainer }

$subinacl = "C:\utils\subinacl.exe"
foreach ($userdir in $dirlist)
        {

#the foldername was a funny format (citrix 2008 profile with .2k8 suffix)
           $username = $userdir.name.Split('.')[0]
            $adaccount = Get-QADUser $username

            If (($adaccount.AccountIsDisabled -eq $TRUE) -or (!$adaccount))
                {
                    write-host "$username is not a current employee"
                    #rename folder to _DEL_originalname
                    $newname = "_DEL_$username"
                    rename-item -path $userdir -newname $newname
                }
            Else
                {
                #get full path            
                Write-Host "$userdir - changing permissions"
                $currentDir = $userdir.FullName # this way you don't duplicate the start folder

                #get ACL of folder
                $acl = Get-Acl $currentDir
                If ($acl.access -notcontains $username) {

                    #variable to set new permissions for username of folder           
                    $permission = "domain\$username",”FullControl”,”ContainerInherit,ObjectInherit”,”None”,”Allow”

                    $accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $permission

                    #actually set the permissions
                    $acl.SetAccessRule($accessRule)
                    Set-Acl $currentDir $acl

                    #use subinacl to set owner at parent level and below
                    $params1 = "/file $currentDir /setowner=domain\$username"
                    $params2 = "/subdirectories $currentDir\*.* /setowner=domain\$username"
                    $params3 = "/subdirectories $currentDir\* /grant=domain\$username"
                    $params4 = "/subdirectories $currentDir\* /grant=domain\administrators=F"
                    Invoke-Expression "$subinacl $params1" | out-null
                    Invoke-Expression "$subinacl $params2" | out-null
                    Invoke-Expression "$subinacl $params3" | out-null
                   }
                }
        }

HostBits · Answer 3 · 2012-02-17T14:11:52+08:00

Best Answer

HostBits

2012-02-17T14:11:52+08:002012-02-17T14:11:52+08:00

Since you are setting the Home folders in AD, why not just re-assign using ADUC and variables?

Let's say your folders are named as your usernames

You can filter the view to only show users who currently have a value set for their home folder.

Select all the users you want to update and go to the Properties of those users, then the Profile tab.

Enter in the path of the home folder as such:

\\<servername>\Home Folders\%USERNAME%

and then hit okay. It will cycle through and reset the permissions for each folder using their individual usernames.

You will need to change the path to match your pathing, but the important part is the %USERNAME%.

1

Re-give users ownership of their mapped home folders via powershell

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?