Powershell script creating home folder for user and setting permissions

Question

I am doing a powershell script which creates new domain user accounts in AD, and also creating home directories in the file server with relevant permissions.

My problem is I cannot get the permissions set.

In the code below, my_fileServer is the file server name; sso means single-sign-on id, which in the test code below is set to "user9999".

Any help is greatly appreciated!

Set-Variable homeDir -option Constant -value "\\my_fileServer\Users"
Set-Variable sso -option Constant -value "user9999"

# If the folder for the user does not exist, make a new one and set the correct permissions.
if ( (Test-Path "$homeDir\$sso") -eq $false)
{
    try 
    {
        $NewFolder = New-Item -Path $homeDir -Name $sso -ItemType "Directory"
        $Rights = [System.Security.AccessControl.FileSystemRights]"FullControl,Modify,ReadAndExecute,ListDirectory,Read,Write"
        $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
        $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
        $objType =[System.Security.AccessControl.AccessControlType]::Allow
        $objUser = New-Object System.Security.Principal.NTAccount "my_full_domain_name\$sso"
        $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
                ($objUser, $Rights, $InheritanceFlag, $PropagationFlag, $objType)
        $ACL = get-acl -Path $NewFolder
        $ACL.AddAccessRule($objACE)
        $objReturn = Set-ACL -Path "$homeDir\$sso" -AclObject $ACL
    $objReturn
    }
    catch
    {
        $msg = $_
        $msg
    }
}

The home folder gets created OK, but when I check the permissions for the user, no box is ticked.

Answer 1

The problem is your inhertiance. You are not allowing the permission to be inherited on subfolders and files(items he owns in his folder). That's why you don't see the permissions(only "Special Permission") in the basic security window. If you open "Advanced Security Settings" you will see that the user has full control OVER THIS folder, and not the contents. As long as you add permissions(with inheritance) for CREATOR OWNER so the owner get's access on to items, I think you'll be fine. However, you could fix it already now like this:

$InheritanceFlag = @([System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.InheritanceFlags]::ObjectInherit)

Unless there are special requirements, you should give users complete access over his folder(full inheritance). Full solution with fixed inheritance (I also cleaned up your Set-ACL path and removed unnecessary returnobject):

try 
{
    $NewFolder = New-Item -Path $homeDir -Name $sso -ItemType "Directory"
    $Rights = [System.Security.AccessControl.FileSystemRights]"FullControl,Modify,ReadAndExecute,ListDirectory,Read,Write"
    $InheritanceFlag = @([System.Security.AccessControl.InheritanceFlags]::ContainerInherit,[System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $objType =[System.Security.AccessControl.AccessControlType]::Allow
    $objUser = New-Object System.Security.Principal.NTAccount "my_full_domain_name\$sso"
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
            ($objUser, $Rights, $InheritanceFlag, $PropagationFlag, $objType)
    $ACL = Get-Acl -Path $NewFolder
    $ACL.AddAccessRule($objACE)
    Set-ACL -Path $NewFolder.FullName -AclObject $ACL
}

Answer 2

I sadly can't vote up, but I agree with both answers above(Graimer and C.B.), the actual answer is a combination of both.
- You need to check permissions in the "advanced" window
- Even though your code "works", without inheritance your users won't be able to do much in the folder you assign them.

Answer 3

All the permissions are correctly set as 'Special Permmissions', you can check clicking on Advanced and look at 'Authorization' tab.

Answer 4

Keep it simple, do it with less... What you missed is the SetAccessRuleProtection function.

Here's the code that will give you the ticks that you want.

if (-not (Test-Path "$homeDir\$sso"))
{
    $acl = Get-Acl (New-Item -Path $homedir -Name $sso -ItemType Directory)

    # Make sure access rules inherited from parent folders.
    $acl.SetAccessRuleProtection($false, $true)

    $ace = "$domain\$sso","FullControl", "ContainerInherit,ObjectInherit","None","Allow"
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($ace)
    $acl.AddAccessRule($objACE)
    Set-ACL -Path "$homeDir\$sso" -AclObject $acl

}