Help adjusting privileges for a home folder on a network drive so only the folder owner can access/view the folder, while admin permissions are inherited upwards.

I’m trying to create home folders for AD users, which it pulls from a .txt file I was able to export. Their Network ID is the folder name, only they have access to the folder, admin privileges for network admins inherit upwards, and it will export a report on whether the folder has been created. I’ve got the creation and the permissions down, but I can’t figure out how to remove LOCAL admins from having view access. It will be stored on a network drive, but I’m testing it out on local machines first to verify the finished product before I run the command for some 150 employees.

Here is my script:

```powershell
param (
    [String]$Path,
    [String]$UserList,
    [String[]]$FullControlMember   # referenced below; was missing from the param block
)

# Define variables
$Users   = @()
$Results = @()

Import-Module ActiveDirectory

if (-not (Test-Path $Path)) {
    Write-Error -Message "Cannot find path '$Path' because it does not exist."
    return
}

if (-not (Test-Path $UserList)) {
    Write-Error -Message "Cannot find '$UserList' because it does not exist."
    return
} else {
    $Users = Get-Content $UserList
}

# Check whether the input AD member is correct
if ($FullControlMember) {
    $FullControlMember | ForEach-Object {
        if (-not (Get-ADObject -Filter "Name -like '$_'")) {
            $FullControlMember = $FullControlMember -notmatch $_
            Write-Error -Message "Cannot find an object with name: '$_'"
        }
    }
}
$FullControlMember += "NT AUTHORITY\SYSTEM"

foreach ($User in $Users) {
    # Start from an empty security descriptor instead of Get-Acl $Path.
    # Get-Acl copies the parent's explicit ACEs (BUILTIN\Administrators among them),
    # and SetAccessRuleProtection only strips the *inherited* ones, so the local
    # admins' entry was surviving into every home folder.
    $HomeFolderACL = New-Object System.Security.AccessControl.DirectorySecurity
    $HomeFolderACL.SetAccessRuleProtection($true, $false)   # block inheritance, copy nothing

    $Result = New-Object PSObject
    $Result | Add-Member -MemberType NoteProperty -Name "Name" -Value $User

    if (Get-ADUser -Filter "Name -like '$User'") {
        New-Item -ItemType Directory -Path "$Path\$User" | Out-Null

        # Set ACL on the folder: the user plus the FullControl members (SYSTEM included)
        $FCList = $FullControlMember + $User
        $FCList | ForEach-Object {
            $ACL = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $_, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
            $HomeFolderACL.AddAccessRule($ACL)
        }
        Set-Acl -Path "$Path\$User" -AclObject $HomeFolderACL

        $Result | Add-Member -MemberType NoteProperty -Name "IsCreated" -Value "Yes"
        $Result | Add-Member -MemberType NoteProperty -Name "Remark" -Value "Completed"
    } else {
        $Result | Add-Member -MemberType NoteProperty -Name "IsCreated" -Value "No"
        $Result | Add-Member -MemberType NoteProperty -Name "Remark" -Value "Cannot find an object with name: '$User'"
    }
    $Results += $Result
}

# Generate a report
$Results | Export-Csv -NoTypeInformation -Path "$Path\Report.csv"
if ($?) { Write-Host "Please check the report for detail: '$Path\Report.csv'" }
```

The command I run is C:\CreateHomeFolder.ps1 -Path "C:\...." -UserList "C:\...."

Can anyone find out what I’m doing wrong in my PowerShell coding to remove local admins and just have the folder’s owner be able to access it?

submitted by /u/JBurlison92
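The root cause in the post above is `Get-Acl $Path`: it copies the parent folder's explicit ACEs, and `SetAccessRuleProtection($true, $false)` only drops the inherited ones, so a BUILTIN\Administrators entry set explicitly on the parent rides along into every home folder. The example below (added here, not the poster's script) builds the DACL from an empty `DirectorySecurity` instead, grants only the user, SYSTEM and an optional network-admin group, makes the user the owner, and then reads the ACL back to confirm inheritance is blocked and no Administrators ACE is present. Account names such as "CONTOSO\jdoe" and "CONTOSO\File Admins" and the `$env:TEMP` demo path are assumptions; the demo uses the current user as owner so it runs on a stand-alone machine. Two caveats a practitioner should keep in mind: the ACL that matters is the one the file server enforces (together with the share permissions), not the one on a test workstation; and removing Administrators from the DACL is hygiene, not a confidentiality boundary, because members of the server's local Administrators group hold SeTakeOwnershipPrivilege and SeBackupPrivilege and can take ownership or read the folder regardless. Use the `DOMAIN\user` form for identities so name lookup does not fall back to a local account of the same name.

```powershell
# Added example, not the original poster's code. Names and paths are assumptions.

function New-HomeFolderAcl {
    param (
        [Parameter(Mandatory)][string]$FolderPath,
        [Parameter(Mandatory)][string]$Owner,          # assumed, e.g. "CONTOSO\jdoe"
        [string[]]$FullControlGroups = @()             # assumed, e.g. "CONTOSO\File Admins"
    )

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl

    # Empty descriptor, not Get-Acl on the parent: Get-Acl copies the parent's explicit
    # ACEs, and SetAccessRuleProtection($true,$false) only removes the inherited ones.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)   # block inheritance, copy nothing down

    # SYSTEM keeps access (by well-known SID) so backup, indexing and AV still work.
    $system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $system, $full, $inherit, $none, $allow)))

    # The user and any explicitly trusted admin group; nothing else, local admins included.
    foreach ($id in @($Owner) + $FullControlGroups) {
        $account = New-Object System.Security.Principal.NTAccount $id
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account, $full, $inherit, $none, $allow)))
    }

    # Owner = the user, so quota and "Effective Access" report correctly.
    # Assigning an owner other than yourself needs SeRestorePrivilege (run elevated).
    $acl.SetOwner((New-Object System.Security.Principal.NTAccount $Owner))

    if (-not (Test-Path $FolderPath)) {
        New-Item -ItemType Directory -Path $FolderPath | Out-Null
    }
    Set-Acl -Path $FolderPath -AclObject $acl
}

function Test-HomeFolderAcl {
    # Read the ACL back and report the facts the poster cares about.
    param ([Parameter(Mandatory)][string]$FolderPath)

    $acl    = Get-Acl -Path $FolderPath
    $admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
    $adminAce = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $admins }

    [pscustomobject]@{
        Path                 = $FolderPath
        Owner                = $acl.Owner
        InheritanceBlocked   = $acl.AreAccessRulesProtected
        AdministratorsListed = [bool]$adminAce
        Identities           = ($acl.Access | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    }
}

# Demo on a local test folder (assumed path) with the current user as owner, so it runs
# on a stand-alone machine. On the real server pass -Owner "CONTOSO\jdoe" and
# -FullControlGroups "CONTOSO\File Admins".
$demo = Join-Path $env:TEMP 'HomeFolderAclDemo\jdoe'
New-HomeFolderAcl -FolderPath $demo -Owner ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
Test-HomeFolderAcl -FolderPath $demo | Format-List
```

Run it from an elevated PowerShell session. A correct result shows `InheritanceBlocked: True`, `AdministratorsListed: False` and only SYSTEM, the owner and the groups you passed in `Identities`. Drop the same `Test-HomeFolderAcl` call into the report loop of the script above to record the verified ACL per user instead of just "Completed".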
