I need to move the home folders for 100+ users from one AD to another. The samAccountName for each user is the same in both ADs, but the ObjectGUID differs as the users were exported and imported with a CSV file rather than a trust.
The copying is no real problem - I believe I’ve got a working robocopy line, but I’m more worried about setting permissions on the folders after the move. I would like to iterate over each Home-folder and assign ownership and full control to the user whose samAccountName matches the folder name.
However, I’m not entirely comfortable with the PowerShell Get-ACL and Set-ACL commands.
If I understand it correctly I need to grab the ACL from a folder into a variable first, then manipulate the permissions on the variable and then apply the correct permissions with Set-ACL.
The way I envision it:
- Get-ACL from a folder to $UserACL
- Get the name of a user folder
- See if I can match a folder name with a samAccountName
- If so add the user permissions to the $UserACL
- Set permissions on the folder by running Set-ACL on the user folder
- If no match, set permissions so only Administrators have access to the folder
Pseudocode:

$HomeFolders = Get-ChildItem [RootDir] | Where-Object {$_.PSIsContainer} | Foreach-Object {$_.Name}
$ADUsers = Import-Csv 'UserCSV.csv' -Delimiter ';'

Foreach ($Folder in $HomeFolders) {
    # Look the folder name up once instead of looping over every user;
    # a nested loop would run the Else branch for each non-matching user
    $User = $ADUsers | Where-Object { $_.samAccountName -eq $Folder } | Select-Object -First 1

    # Start each folder from a fresh copy of the template ACL so rules
    # from previous folders do not accumulate on one shared object
    $baseACL = Get-ACL -Path [ExampleDir]

    $fileSystemRights = "FullControl"
    $type = "Allow"

    if ($User) {
        # Set properties (one identity per rule: identity, rights, type)
        $useridentity = "[AD]\$Folder"
        # Create new rule
        $fileSystemAccessRuleArgumentList = $useridentity, $fileSystemRights, $type
        $fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
        # Apply new rule
        $baseACL.SetAccessRule($fileSystemAccessRule)
        Set-Acl -Path "[Path]\$Folder" -AclObject $baseACL
    }
    Else {
        $admidentity = "BUILTIN\Administrators"
        # Create new rule
        $fileSystemAccessRuleArgumentList = $admidentity, $fileSystemRights, $type
        $fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
        # Apply new rule
        $baseACL.SetAccessRule($fileSystemAccessRule)
        Set-Acl -Path "[Path]\$Folder" -AclObject $baseACL
    }
}
This is only setting permissions, not ownership, so I’m not sure if that’s even possible right off the bat with PowerShell. Or will I need to look at cacls and takeown?
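The procedure sketched above (match folder to samAccountName, grant the user full control, fall back to Administrators-only, and also take care of ownership) as one complete script. This is an added example, not the poster's code: ownership is handled by calling SetOwner on the security descriptor before Set-Acl, so takeown/cacls are not needed when the script runs elevated (changing the owner to another account relies on SeRestorePrivilege, which .NET enables for elevated Administrators). The domain name NEWDOMAIN, the root path D:\Homes, and the CSV column name samAccountName are assumed placeholders; each account is resolved to a SID before it is used so a folder whose user does not exist in the target domain is locked down rather than given a dangling ACE.

```powershell
# Added example; not the original poster's code.
# Assumed placeholders: $Domain (NetBIOS name of the target AD), $RootDir (where the
# home folders were robocopied to), $CsvPath (export with a 'samAccountName' column).
param(
    [string]$Domain  = 'NEWDOMAIN',
    [string]$RootDir = 'D:\Homes',
    [string]$CsvPath = 'UserCSV.csv'
)

# Hashtable lookup keyed on lower-cased samAccountName (folder names are matched case-insensitively)
$users = @{}
Import-Csv -Path $CsvPath -Delimiter ';' | ForEach-Object {
    $users[$_.samAccountName.Trim().ToLower()] = $_.samAccountName.Trim()
}

$adminAccount  = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$systemAccount = [System.Security.Principal.NTAccount]'NT AUTHORITY\SYSTEM'
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate   = [System.Security.AccessControl.PropagationFlags]::None
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

function Resolve-Account {
    # Returns the NTAccount only if it resolves to a SID in the target domain; $null otherwise.
    # This is what prevents an ACE for a non-existent account from being written.
    param([string]$Name)
    $account = [System.Security.Principal.NTAccount]$Name
    try {
        $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
        return $account
    } catch {
        return $null
    }
}

function New-FullControlRule {
    # Full control that is inherited by all existing and future files and subfolders
    param([System.Security.Principal.NTAccount]$Principal)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, $fullControl, $inherit, $propagate, $allow)
}

Get-ChildItem -Path $RootDir -Directory | ForEach-Object {
    $folder = $_
    $sam    = $users[$folder.Name.ToLower()]
    $owner  = if ($sam) { Resolve-Account "$Domain\$sam" } else { $null }

    # Fresh descriptor per folder: protect it from inherited ACEs on the share root and
    # do not carry over whatever the source domain's SIDs left behind in the copied DACL.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-FullControlRule $adminAccount))
    $acl.AddAccessRule((New-FullControlRule $systemAccount))

    if ($owner) {
        $acl.AddAccessRule((New-FullControlRule $owner))
        $acl.SetOwner($owner)          # ownership, persisted by Set-Acl below
    } else {
        # No matching account in the target AD: Administrators-only, flagged for review
        $acl.SetOwner($adminAccount)
        Write-Warning "No matching account for folder '$($folder.Name)'; restricted to Administrators"
    }

    try {
        Set-Acl -Path $folder.FullName -AclObject $acl -ErrorAction Stop
        Write-Verbose "Applied owner and DACL to $($folder.FullName)"
    } catch {
        Write-Error "Failed on $($folder.FullName): $_"
    }
}
```

Run it from an elevated session with -Verbose to see each folder as it is processed; folders that end up Administrators-only appear as warnings, which gives a list of accounts that did not make it through the CSV import. Building the DACL from a fresh DirectorySecurity rather than editing the copied one also drops the unresolvable SIDs from the old domain that robocopy would otherwise have preserved.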