Need help in setting ACL during user account migration.

Hi guys,

I have to migrate just over 4000 pc’s onto a brand new domaine. I have been working on a script that renames a local pc with a new name, then joins it to the domain without a reboot, via GUI.Rob Simmers was to kind as to help me populate some info for my GUI, and it works 100%. I found a script on the MS gallery that migrates the current users profile, to the newly created domain user account, but there are some issues with this part of the script. I have created the GUI to capture the user info, and I am trying to use the PowerShell to automate the process in the background. I have modified it so that it is much shorter.

The problem comes in when I am trying to run the last two paragraphs of the scripts, that changes the access permissions of the new user, to the access of the current user. This is on a Windows 10 Enterprise VM.

Does anyone perhaps have a better option to do this?

function Get-SID ([string]$env:USERNAME)
{
$objUser = New-Object System.Security.Principal.NTAccount($env:USERNAME)
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
}

#### Existing Domain user info used to create new user on local PC

$DomainName='microsoft.com'
$OU = 'New Computers, DC=microsoft, DC=com'
$UserName = 'joe.soap' 
$Password = 'Password@1' | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList @($UserName, $Password) 
$NewUser = ($Credential.Username)
$NewSPN_Name = $NewUser+'@'+$DomainName	

$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList @($NewSPN_Name, $Credential.Password)

$CurrentUser = [Environment]::UserName
$CurrentUserSID = Get-SID $CurrentUser
$NewUserSID = Get-SID $NewSPN_Name

$ACL = (Get-Item $home).GetAccessControl('Access')
$ACL.SetAccessRuleProtection($true, $false)
$permission1 = ($NewUser,"FullControl","Allow")
$AR = new-object System.Security.AccessControl.FileSystemAccessRule($permission1)
$ACl.SetAccessRule($AR)
$ACL | Set-Acl -path $HOME

Set-Content $home\UserSID.txt "SID of $CurrentUser `r`n$CurrentUserSID`r`n`r`nSID of $NewSPN_Name `r`n$NewUserSID"

$Acl = Get-Acl "Registry::HKU\$CurrentUserSID"
$permission = ($NewUserSID,"FullControl","Allow")
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ($permission)
$Acl.SetAccessRule($rule)
$Acl |Set-Acl -Path "Registry::HKU\$NewUserSID"

$Acl = Get-Acl "Registry::HKU\($CurrentUserSID)_Classes"
$permission = ($NewUserSID,"FullControl","Allow")
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ($permission)
$Acl.SetAccessRule($rule)
$Acl |Set-Acl -Path "Registry::HKU\($NewUserSID)_Classes"

An exact diagnosis is a bit tricky, there’s a lot of moving parts here, but in general - don’t reassign variables in the same scope, which you’ve done here quite a bit. ($acl, $permission, $rule) . Make them unique and descriptive.

 

Once that is done, if you still get an error, a copy of the error received would be helpful as well.

Hi Nathaniel,

I am very new to powershell, and have taken on the challenge to create something similar to Provwiz.exe. I have succeeded in creating the GUI to capture the info for renaming the PC, and to create the new user name, which is actually an existing user on our new Active Directory server.

I am trying to replace the current user’s permissions, with that of the Domain Account of the new user. There is a manual way of doing that in Windows 10 using the GUI’s, but if I can get this done using Powershell, then I will have created a tool that may even be better than Profwiz.exe

 

Here is the link to the website of what I am trying to achieve through Powershell:

https://blogs.technet.microsoft.com/canitpro/2014/09/02/step-by-step-adding-domain-user-access-to-a-local-users-profile/