Hello,
I have a script (below) that we wish to use to:
- Change the owner of a folder
- Add the ad user svc_account as read only to the folder
- include this change to sub folders and files from the root ammended folder
- change ownwerof the folder back to the original
#v1.0
#run as administrator and as Domain Admin
#Script requires Active Directory and NTFSSecurity powershell modules
#todo
#acl change for directories we need to take ownership of
clear
#$ErrorActionPreference = “silentlycontinue”
cd c:\Scripts\HomedirACL
ipmo activedirectory
ipmo NTFSSecurity
$userList=“exeit5.txt” #plaintext list of user account in scope
$server = “MCRFS02” #set this to the CIFS server the homedirs are on - MCRFS02?
$root="z:\home" #map the root of the homedir share to Z:\ (\mcrfs02\isadhomes01$ etc)
$serviceAccount=“ISAD\svc_account” #service account to add to ACL
$timeStamp = get-date -Format “yyyyMMddHHmmss” #timestape to use on logfiles
$outputLog = “logs\output_$timeStamp.log” #general output log file
$orphanedprofilesLog = “logs\orphanedprofiles_$timeStamp.log” #profiles that do not have a corresponding AD account
$errorLog = “logs\error_$timeStamp.log” #error logfile
$successLog = “logs\success_$timeStamp.log” #success logfile
function Check-ConnectedUser($profile) {
#check if users have an active SMB session on $server, return true of false
$activeUsers = @()
$shares = [ADSI]“WinNT://$server/lanmanserver” #get shares in SMB server
$shares.psbase.children | select @{n=“ShareName”;e={$.properties.name}},@{n=“LocalPath”;e={$.properties.path}}
$shares.Invoke(“Resources”) | foreach {
$activeUsers+= $.GetType().InvokeMember(“User”, ‘GetProperty’, $null, $, $null) #get active sessions
}
$activeUsers = $activeUsers | select -Unique #reduce list down to unique entries as accounts can be listed more than once
write-host $activeUsers
if ($activeUsers -match $profile) {
Write-Host $true
return $true
}
else {
Write-Host $false
return $false
}
}
function Test-ACL($profilePath) {
#test if $serviceAccount is on the users U: drive, return true of false
$testAcl = Get-NTFSAccess $profilePath
if ($testAcl.account -contains $serviceAccount) {
#Write-Host $true
return $true
}
else {
#Write-Host $false
return $false
}
}
#Main loop
#Loop through profiles in $userList and cross reference against AD. if the AD account exists, perform actions
enable-Privileges
$profiles = Get-content $userList
$totalProfiles = $profiles.Count
$output = “$totalProfiles profiles in total”
write-host $output
foreach ($profile in $profiles) {
#test if user exists in AD and skip if they don’t
$User = $null
$User = Get-ADUser -Identity $profile -ErrorAction SilentlyContinue
If ($User -eq $Null) {
$output = “$profile does not exist in AD. Skipping`n”</code>
<code>write-host $output</code>
<code>$output |out-file -FilePath .$orphanedprofilesLog -append</code>
<code>}</code>
<code>Else {</code>
<code>$profilePath = $root + $profile #build homedir path</code>
<code>$profilePathTest = $root + $profile + ‘*’ #build homedir path for ACL test</code>
<code>#test if user exists in the currently mapped ISADHomes share and skip if they don’t</code>
<code>if (Test-Path $profilePath){</code>
<code>#test if we can access their home directory, if we can then add the service account. if we cannot then take ownership and reapply the ACL</code>
<code>If (Test-Path $profilePathTest) {</code>
<code>$output = “$profile found in AD, $profilePath access successful. Adding $serviceAccount to ACL”</code>
<code>write-host $output</code>
<code>$output |out-file -FilePath .$outputLog -append</code>
<code>Add-NTFSAccess -path $profilePath -Account $serviceAccount -AccessRights ReadAndExecute</code>
<code>If (Test-ACL $profilePath) {</code>
<code>$output = “$profile permission change completed n"</code> <code>Write-Host $output</code> <code>$output |out-file -FilePath .\$outputLog -append</code> <code>$output |out-file -FilePath .\$successLog -append </code> <code>}</code> <code>else {</code> <code>$output = "$profile permission change failed
n”</code>
<code>Write-Host $output</code>
<code>$output |out-file -FilePath .$outputLog -append</code>
<code>$output |out-file -FilePath .$errorLog -append</code>
<code>}</code>
<code>}</code>
<code>else {</code>
<code>$output = “$profile found in AD, $profilePath access Failed”</code>
<code>write-host $output</code>
<code>$output |out-file -FilePath .$outputLog -append</code>
<code>$isUserConnected = Check-ConnectedUser($profile)</code>
<code>#test if user has an active SMB session on $server and skip if they do</code>
<code>if ($isUserConnected -eq $true) {</code>
<code>$output = “$profile is connected to their U: drive. Skipping`n”
Write-Host $output
$output |out-file -FilePath .$outputLog -append
$output |out-file -FilePath .$errorLog -append
}
else {
#no active session so take ownership and reapply ACL
$output = “$profile is not connected to their U: drive. Taking ownership of $profilePath (This part of the script is commented out as its untested)”
Write-Host $output
$output |out-file -FilePath .$outputLog -append
# Set-NTFSOwner $profile -Account ‘ISAD\Domain Admins’ -whatif
$output = “re-adding ACL to $profilePath”
write-Host $output
$output |out-file -FilePath .$outputLog -append
#Add-NTFSAccess -path $profilePath -Account ‘ISAD\Domain Admins’ -AccessRights FullControl
#Add-NTFSAccess -path $profilePath -Account $profile -AccessRights FullControl
#Add-NTFSAccess -path $profilePath -Account $serviceAccount -AccessRights ReadAndExecute
If (Test-ACL $profilePath) {
$output = “$profile permission change completed (or it will be when uncommented and tested…)
n"</code> <code>Write-Host $output</code> <code>$output |out-file -FilePath .\$outputLog -append</code> <code>$output |out-file -FilePath .\$successLog -append </code> <code>}</code> <code>else {</code> <code>$output = "$profile permission change failed
n”
Write-Host $output
$output |out-file -FilePath .$outputLog -append
$output |out-file -FilePath .$errorLog -append
}
$output = “$profile complete `n”</code>
<code>Write-Host $output</code>
<code>$output |out-file -FilePath .$outputLog -append</code>
<code>}</code>
<code>#add section to check if user is connected, take ownership and blat correct acl</code>
<code>}</code>
<code>}</code>
<code>else {</code>
<code>$output = “$profile does not exist in $root. Skipping`n”
write-host $output
$output |out-file -FilePath .$errorLog -append
}
}
Read-Host ‘Press Enter to continue…’ | Out-Null
}
disable-Privileges
note:
this was previously asked on 243362, but when ive gone back to edit it seems ta have been removed, so i have raised it again.
Thanks