create usermaps through information in TXTfile

by SusXT at 2012-08-22 11:00:53

SOLUTION on page3!

I’m totally new to PowerShell.
I have found a script to create usermaps. As administrator I want to be the owner and the user must have all permissions.

My question is: what does the users.txt file look like?


$Users = Get-Content "C:\Users.txt"
ForEach ($user in $users)
{
    $newPath = Join-Path "\\myserver\Users$" -childpath $user
    New-Item $newPath -type directory

    $acl = Get-Acl $newpath
    $permission = "mydomain\$user","FullControl","Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl $newpath
}
by DonJ at 2012-08-22 11:04:08
So, my guess is that it’s one username per line. Given how it seems to be used.
by SusXT at 2012-08-22 11:11:52
So the file is like this?

rpatterson
tjohnson
mhawkins

And what if there is other content in the TXT file? Like the name of the department?

rpatterson r&d
tjohnson personel
mhawkins engineering

How will PS know what’s the username and what’s the department?
by JeffH at 2012-08-22 11:22:42
If there is other information, then you need some way to delimit it or identify each line. This also assumes the file is structured and consistent. The easiest approach is to use Import-CSV, specifying some sort of delimiter if other than a comma. But that also requires you to specify a header if one isn’t in the file. An alternative is to go through each line and parse out the data you need.

You can get specific guidance here once you let us know the file format.
by DonJ at 2012-08-22 13:17:25
Based on what your existing script is doing, yes it would be as you typed it. Jeff’s point about using a CSV file is dead-on - although you’ll have to do some re-writing of your script to deal with that different data format.
by SusXT at 2012-08-22 13:26:41
[quote="JeffH"]

You can get specific guidance here once you let us know the file format.[/quote]

It’s still an XLS.
by JeffH at 2012-08-22 15:36:07
I had a reply but now I don’t see it. Can you save the XLS sheet as a CSV file? That would make life much easier.
by SusXT at 2012-08-23 00:52:24
Yep, that’s the easiest part for me :)

This is what the CSV looks like:

Name;Firstname;Username;Password;Password Coaccount;
AlonsoSanchez;Yacintha;AlonsoSanchezYacintha;yhjkkjMD;M;1A1x;r7ZJ3E8;zZMG4T6
Appermont;Emmy;AppermontEmmy;e7jklmjk;M;1A1x;d68E2V6;v65W264

What do I have to do so PS knows what’s the mapname? (=username)

Edit: I ran the script with only the username in the TXT file. It reads the name, so that works.
We are making progress. The folders with usernames are created. But the script doesn’t run properly. It is supposed to set up permissions, but fails. (See underlined)

Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 23/08/2012 14:33 testleerling
Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At C:\Users\Administrator\testscript.ps1:10 char:19
+ $acl.SetAccessRule <<<< ($accessRule)
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException

by JeffH at 2012-08-23 05:43:17
AccessDenied is obviously a permissions issue. PowerShell can’t help you if you don’t have permission. This is most likely an NTFS permission issue.

If this is a user’s home folder I can see where this might be an issue. What you might want to do is use Test-Path to verify it exists, and if not, then create it.
by SusXT at 2012-08-23 06:12:36
We are making progress.
I already created Users and set the permissions, but after removing the Users-folder, it works.
The folders with usernames are created. But the script doesn’t run properly. It is supposed to set up permissions, but fails. (See underlined) It is supposed to give all permissions to the specified user. So only Testleerling must have permissions to the folder, not other users. They must have permissions to their own folder. The administrator must be owner of all user folders so I can make backups through synchronisation.

Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 23/08/2012 14:33 testleerling
Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At C:\Users\Administrator\testscript.ps1:10 char:19
+ $acl.SetAccessRule <<<< ($accessRule)
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException

by JeffH at 2012-08-23 06:24:00
You may not have the right object types.

[System.Security.Principal.NTAccount]$principal="domain\$user"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $principal,"FullControl","Allow"
by SusXT at 2012-08-23 06:31:28
Hmm… the user does not exist yet. Think that may be the problem… of course.
by SusXT at 2012-08-23 07:13:36
[quote="SusXT"]Hmm… the user does not exist yet. Think that may be the problem… of course.[/quote]

Nope, still doesn’t work after adding the user.
by JeffH at 2012-08-23 07:31:31
Are you specifically creating a security principal object? Your list of names is just the samaccountname, right? Is everything in the same domain? Could there be replication delays between domain controllers for the new account?
by SusXT at 2012-08-23 08:24:49
[quote="JeffH"]Are you specifically creating a security principal object? Yes, if i understand you correctly.

Your list of names is just the samaccountname, right? Yes

Is everything in the same domain? yes

Could there be replication delays between domain controllers for the new account? No, I’m only testing virtual.

[/quote]
by SusXT at 2012-08-23 08:47:07
[quote="JeffH"]You may not have the right object types.

[System.Security.Principal.NTAccount]$principal="domain\$user"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $principal,"FullControl","Allow"[/quote]

Add these lines to the script? Where?
by JeffH at 2012-08-23 09:00:40
I looked at your original post. I don’t know what code you are using now.
by JeffH at 2012-08-23 09:02:18
Could the existing access rule have entries that can’t be resolved?
by SusXT at 2012-08-23 09:39:59
[quote="JeffH"]I looked at your original post. I don’t know what code you are using now.[/quote]

$Users = Get-Content "C:\Users.txt"
ForEach ($user in $users)
{
    $newPath = Join-Path "\\myserver\Users$" -childpath $user
    New-Item $newPath -type directory

    $acl = Get-Acl $newpath
    $permission = "mydomain\$user","FullControl","Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl $newpath
}

[quote="JeffH"]Could the existing access rule have entries that can’t be resolved?[/quote]

The script generates the access rules. I’ll check later if it gets access rules from above.
by JeffH at 2012-08-23 10:37:56
I would replace these 2 lines

$permission = "mydomain\$user","FullControl","Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission

with

[System.Security.Principal.NTAccount]$principal="mydomain\$user"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $principal,"FullControl","Allow"
by SusXT at 2012-08-23 12:13:27
Thanks for the suggestion, but still the same result.
When searching Google I find that the users do not exist. I’ll try running the script on our real server tomorrow at work.
by SusXT at 2012-08-24 05:32:08
It works almost. The domainname wasn’t correct. But another problem. The user has rights to this "usernamefolder" only, not the subfolders. What do I have to add to the script so the user has rights for this usernamefolder and subfolders?

This is what I’ve found, but I don’t know where to put it in the script : icacls.exe $folder /grant ‘$domain$user:(OI)(CI)(M)’

This is my script so far :
$Users = Get-Content "d:\DeelmapAdmin\scripts\users.txt"
ForEach ($user in $users)
{
    $newPath = Join-Path "d:\LLhome\b" -childpath $user
    New-Item $newPath -type directory

    $acl = Get-Acl $newpath
    [System.Security.Principal.NTAccount]$principal="MSM.local\$user"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $principal,"FullControl","Allow"
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl $newpath
}
by poshoholic at 2012-08-24 09:06:31
Just FYI, there is another discussion going on (still in progress) that is related to this, over here: http://powershell.org/discuss/viewtopic.php?f=5&t=102. You might want to take a look at that discussion and see if you can compare with your approach, identify the issue.
by JeffH at 2012-08-24 09:08:32
Permissions are just plain difficult to manage with a script. If you can solve the problem with a command line tool like icacls then I say get it done and move on.
by SusXT at 2012-08-24 09:41:33
I thought icacls was a command line in a PS script. PowerShell is new. Icacls is totally new. I’ll google it right away. Thanks.
by SusXT at 2012-08-28 05:06:46
SOLUTION

It works! Folders by username are created. Administrator is Owner and the user has All Permissions on This folder, Subfolders and Files.


$Users = Get-Content "d:\users.txt"
ForEach ($user in $users)
{
    # One folder per username under the parent folder
    $newPath = Join-Path "d:\FOLDERNAME" -childpath $user
    New-Item $newPath -type directory
    # Apply the rule to this folder, subfolders and files
    $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $propagation = [system.security.accesscontrol.PropagationFlags]"None"
    $acl = Get-Acl $newpath
    # The account must be given as DOMAIN\username so it can be resolved
    [System.Security.Principal.NTAccount]$principal="MYDOMAIN\$user"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $principal,"FullControl", $inherit, $propagation,"Allow"
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl $newpath
}
by poshoholic at 2012-08-28 05:25:01
Excellent! Thanks for letting us know you worked it out!
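
Added example, not part of any post in this thread: a variant of the final script that reads the Username column from the semicolon-delimited CSV, resolves each account before creating its folder, and goes beyond the posted solution by removing inherited entries so that only the user and the administrators have access. The paths, the domain name and the choice of BUILTIN\Administrators as owner are assumptions.

```powershell
# Placeholder values (assumptions, not from the thread); adjust before use.
$CsvPath = 'D:\users.csv'     # semicolon-delimited export with a header row
$Root    = 'D:\FOLDERNAME'    # parent of the per-user folders
$Domain  = 'MYDOMAIN'         # NetBIOS domain name

# Only the first three columns are named, so ConvertFrom-Csv discards the
# rest of each row, including the password columns.
$rows = Get-Content $CsvPath | Select-Object -Skip 1 |
    ConvertFrom-Csv -Delimiter ';' -Header Name, Firstname, Username

$admins      = New-Object System.Security.Principal.NTAccount 'BUILTIN\Administrators'
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None

foreach ($row in $rows) {
    # Reject empty names and anything that could alter the target path.
    if ($row.Username -notmatch '^\w[\w.-]*$') { continue }

    # Resolve the account to a SID before touching the file system; a name that
    # cannot be resolved is what makes SetAccessRule fail later.
    $account = New-Object System.Security.Principal.NTAccount $Domain, $row.Username
    try {
        $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Skipping '$account': $($_.Exception.Message)"
        continue
    }

    $path = Join-Path $Root $row.Username
    if (-not (Test-Path $path)) { New-Item $path -ItemType Directory | Out-Null }

    $acl = Get-Acl $path
    $acl.SetAccessRuleProtection($true, $false)   # drop entries inherited from $Root
    $acl.SetOwner($admins)
    foreach ($who in $admins, $account) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            $who, 'FullControl', $inherit, $propagation, 'Allow'
        $acl.SetAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}
```

Run it from an elevated session; setting the owner and replacing the ACL both require administrative rights on the parent folder.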