execute as domainadmin

by Hybo_ICT at 2012-10-25 04:03:54


I wrote a ps script that creates a folderstructure to store all data in it. Obviously I put some security groups on it to avoid some access.

When I let a user execute the script, the script is not executing. When I execute the script as domainadmin, everything works fine.

Can someone let me now how to change the script so that a simple user can execute the script without errors.

Best regards,


#region Initialiseren van de variabelen
[String] $sPath = "path to server"
[String] $sClient = Read-Host -Prompt ‘Client’
[String] $sCity = Read-Host -Prompt ‘City’
[String] $sType = Read-Host -Prompt ‘Type’
[String] $sCode = Read-Host -Prompt ‘Code’

[String] $sType2 = $sType.ToUpper()
$sFoldercode = $sClient2 + "" + $sCity2 + "" + $sType2 + "_" + $sCode
$sFullPath = $sPath + "" + $sFoldercode

if ($sClient.Length -cge "30")
$sClient2 = $sClient.Substring(0,30)
$sClient2 = $sClient

if ($sCity.Length -cge "9")
$sCity2 = $sCity.Substring(0,9)
$sCity2 = $sCity

$colRights_FC = [System.Security.AccessControl.FileSystemRights]"Read, Write, ListDirectory, modify, readandexecute, DeleteSubdirectoriesAndFiles, ExecuteFile"
$colRights_RO = [System.Security.AccessControl.FileSystemRights]"Read, ListDirectory"

$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$InheritanceFlag2 = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$InheritanceFlag3 = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$PropagationFlag2 = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
$PropagationFlag3 = [System.Security.AccessControl.PropagationFlags]::None

$objType =[System.Security.AccessControl.AccessControlType]::Allow

$FileExists = Test-Path $sFullPath
If ($FileExists -eq $true)
Write-Host -ForegroundColor Red -BackgroundColor Black "Sorry, the folder already exists."
Start-Sleep -Seconds "7"
#start creating folders
New-Item "$sPath$sFoldercode" -type directory
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ("Hyboma\LO_DOSS_WOKL_RO", $colRights_RO, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-ACL "$sPath$sFoldercode"
Set-ACL "$sPath$sFoldercode" $objACL

$objACE2 = New-Object System.Security.AccessControl.FileSystemAccessRule ("Hyboma\LO_DOSS_WOKL_FC", $colRights_FC, $InheritanceFlag, $PropagationFlag, $objType)
$objACL2 = Get-ACL "$sPath$sFoldercode"
Set-ACL "$sPath$sFoldercode" $objACL
by Klaas at 2012-10-25 04:16:27
[quote="Hybo_ICT"]When I let a user execute the script, the script is not executing.[/quote]
What do you mean? Do you receive an error? What is the message?

Have you changed the executionpolicy?
Has the user the required NTFS rights on the "path to server"?
by Hybo_ICT at 2012-10-25 04:23:00
Yes, the user can reach the path of the server. However, the user that creates the folderstructure may not see all the folders below. That’s why it needs to be created by a domainadmin-account. Any advice?
by dsf3g at 2012-11-11 11:24:40
The user account under which this script runs needs to have modify NTFS permissions to the parent directory. It will then be able to create the subfolders it needs. If the script also ACLs the child directories then the user account will need FULL permissions.