1

We will be deploying "dynamic" classrooms using SCCM, and thus will also need to create OUs and matching users and homedirs on the fly. I am currently trying to figure out how to edit the security rights for these homedirs via a script. I've had limited success using Google, because a lot looks outdated, so I wanted to see what ServerFault thinks is the best way.

What I need to do:

- Create the folder (not quite the problem)
- Share it and set permissions to Full Control for Everyone
- Change NTFS settings to "Change" or "Modify" for a single user, recursively

The other parts of the script are currently done in VBScript, but I can obviously call a different script from within this one if need be. PowerShell could be an option (if it's possible to begin with) but I'm eager to hear other options as well!

Thanks

HannesFostie

3 Answers

1

Here is a PowerShell script that does what you wish.

$Computer = "localhost"
$Class = "Win32_Share"
$Method = "Create"
$name = "foldername$"   # a trailing $ makes the share hidden
$path = "C:\Folderpath"
$description = "This is shared for me to test"
# Build a share-level security descriptor holding a single ACE for Everyone
$sd = ([WMIClass] "\\$Computer\root\cimv2:Win32_SecurityDescriptor").CreateInstance()
$ACE = ([WMIClass] "\\$Computer\root\cimv2:Win32_ACE").CreateInstance()
$Trustee = ([WMIClass] "\\$Computer\root\cimv2:Win32_Trustee").CreateInstance()
$Trustee.Name = "EVERYONE"
$Trustee.Domain = $Null
$Trustee.SID = @(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # binary form of S-1-1-0 (Everyone)
$ace.AccessMask = 2032127   # Full Control
$ace.AceFlags = 3           # object inherit + container inherit
$ace.AceType = 0            # access allowed

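# Create the folder and grant the user Modify on NTFS, inherited by subfolders and files
New-Item -type directory -path $path
$Acl = Get-Acl $path
$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("domain\user","Modify","ContainerInherit,ObjectInherit","None","Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $path $Acl
# Attach the Everyone ACE to the share's security descriptor
$ACE.Trustee = $Trustee
$sd.DACL += $ACE.psObject.baseobject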
$mc = [WmiClass]"\\$Computer\ROOT\CIMV2:$Class"
$InParams = $mc.psbase.GetMethodParameters($Method)
$InParams.Access = $sd
$InParams.Description = $description
$InParams.MaximumAllowed = $Null
$InParams.Name = $name
$InParams.Password = $Null
$InParams.Path = $path
$InParams.Type = [uint32]0
$R = $mc.PSBase.InvokeMethod($Method, $InParams, $Null)
switch ($($R.ReturnValue))
 {
  0 {Write-Host "Share:$name Path:$path Result:Success"; break}
  2 {Write-Host "Share:$name Path:$path Result:Access Denied" -foregroundcolor red -backgroundcolor yellow;break}
  8 {Write-Host "Share:$name Path:$path Result:Unknown Failure" -foregroundcolor red -backgroundcolor yellow;break}
  9 {Write-Host "Share:$name Path:$path Result:Invalid Name" -foregroundcolor red -backgroundcolor yellow;break}
  10 {Write-Host "Share:$name Path:$path Result:Invalid Level" -foregroundcolor red -backgroundcolor yellow;break}
  21 {Write-Host "Share:$name Path:$path Result:Invalid Parameter" -foregroundcolor red -backgroundcolor yellow;break}
  22 {Write-Host "Share:$name Path:$path Result:Duplicate Share" -foregroundcolor red -backgroundcolor yellow;break}
  23 {Write-Host "Share:$name Path:$path Result:Redirected Path" -foregroundcolor red -backgroundcolor yellow;break}
  24 {Write-Host "Share:$name Path:$path Result:Unknown Device or Directory" -foregroundcolor red -backgroundcolor yellow;break}
  25 {Write-Host "Share:$name Path:$path Result:Network Name Not Found" -foregroundcolor red -backgroundcolor yellow;break}
  default {Write-Host "Share:$name Path:$path Result:*** Unknown Error ***" -foregroundcolor red -backgroundcolor yellow;break}
 }

I cribbed it and patched it together from a couple of other sites, 1 and 2. It works on my Windows 7 machine. For more information on the filesystemaccessrule object, look here.

Christopher
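
The three steps from the question (create the folder, share it with Full Control for Everyone, grant one user Modify on NTFS with inheritance), followed by a read-back of the ACL to show who can actually write. This is an added example, not part of the original answers; the function name `New-HomeDirShare` and the account, path and share name in the usage line are placeholders, and `New-SmbShare` needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the thread). Run elevated; needs the SmbShare module.
function New-HomeDirShare {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ShareName,
        [Parameter(Mandatory)] [string] $User      # e.g. 'DOMAIN\student01' (placeholder)
    )

    # Resolve the account first so a mistyped name fails before anything is created.
    $sid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # 1. Create the folder.
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # 2. NTFS: Modify for the one user, inherited by subfolders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $sid, 'Modify', $inherit, 'None', 'Allow'
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # 3. Share: Full Control for Everyone, so the NTFS ACL is the only real limit.
    New-SmbShare -Name $ShareName -Path $Path -FullAccess 'Everyone' | Out-Null

    # 4. Read the ACL back (explicit and inherited ACEs) and return every Allow
    #    entry that grants write-type rights to anyone other than the user,
    #    SYSTEM (S-1-5-18) or BUILTIN\Administrators (S-1-5-32-544).
    #    Mask: Write, Delete, ChangePermissions, TakeOwnership, GENERIC_WRITE, GENERIC_ALL.
    $writeMask = 0x500D0116
    $expected  = @($sid.Value, 'S-1-5-18', 'S-1-5-32-544')
    (Get-Acl -Path $Path).GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeMask) -and
            ($expected -notcontains $_.IdentityReference.Value)
        }
}

# Placeholder values; an empty result means no unexpected principal can write.
# New-HomeDirShare -Path 'D:\Homes\student01' -ShareName 'student01$' -User 'DOMAIN\student01'
```

Any rule the function returns is usually inherited from the parent folder; with the share open to Everyone, such an entry lets other accounts write to this home directory.
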
1

I love CMD.EXE... (not really):

mkdir x:\directory\to\make
cacls x:\directory\to\make /e /t /g DOMAIN\user:C
net share sharename=X:\directory\to\make

That makes the directory, adds "DOMAIN\user" with "Change" permissions to the directory (which will inherit to subfolders and files) and shares the directory. The first two commands can be run against UNC paths if you want but the net share must be executed on the server where the shared directory resides. (There was an old rmtshare.exe tool in one of the Windows NT Resource Kit distributions that had roughly the same syntax as net share but could create shares on remote computers.)

Evan Anderson
0

Should be able to use the command cacls.

Nixphoe