
I changed the user quota on a Windows 2008 machine and after that some users reported that they were able to read but not write to their mapped home folders. If I re-enter the Home Folder path in the Server Manager and accept the default prompt of...

"The \\server\folder home folder already exists. Do you want this user to be granted full control on this folder?"

...the issue disappears.

  1. Is there a way to do the same thing with PowerShell, where the script will check to see if the user has the permissions and if not reassign them?

  2. What about listing the folder permissions along with the owner to identify who doesn't have full permissions? I spent a couple hours on this second question with mixed results.

The following script does not seem to list folders with mismatching permissions.

# Where-Object's script block has to start on the same line as the cmdlet, and
# continued lines must end with -and; IdentityReference is a single value, so
# compare its .Value with -ne rather than using -notcontains.
Get-Acl "D:\users\*" | Select-Object Path -ExpandProperty Access | Where-Object {
    $_.IdentityReference.Value -ne 'NT AUTHORITY\SYSTEM' -and
    $_.IdentityReference.Value -ne 'CREATOR OWNER' -and
    $_.IdentityReference.Value -ne 'BUILTIN\Administrators' -and
    $_.IdentityReference.Value -ne 'BUILTIN\Users' -and
    $_.IdentityReference.Value -ne 'BUILTIN\Account Operators' } |
Select-Object @{Expression={$_.Path};Label="Folder"},
    @{Expression={$_.IdentityReference};Label="User"},
    @{Expression={$_.AccessControlType};Label="Permissions"} |
Format-Table -Wrap -AutoSize
Bourne

3 Answers


To check the ownership of a folder or file, you can use the GetOwner method:

$acl = Get-Acl $dir.FullName
$acl.GetOwner([System.Security.Principal.NTAccount])

And set the new owner with:

$objUser = New-Object System.Security.Principal.NTAccount("YourDomain", "YourUser")
$acl.SetOwner($objUser)
# SetOwner only changes the in-memory ACL; Set-Acl writes it back to the folder
Set-Acl -Path $dir.FullName -AclObject $acl
Sven
  • Will this work on multiple user folders? Or would I have to manually specify who the owner should be? – Bourne Feb 20 '12 at 21:11

This might help. I had to fix permissions on a shared folder configuration I adopted a while back, using PowerShell and subinacl.exe (because changing the owner remotely often doesn't work). This was also used to do some cleanup, so there is some extra code in here to rename disabled or deleted user account folders. It's an old script, also using Quest cmdlets, which can be replaced with native AD cmdlets now.

Add-PSSnapin quest*

$dirlist  = Get-ChildItem \\server\share | Where-Object { $_.PSIsContainer }
$subinacl = "C:\utils\subinacl.exe"

foreach ($userdir in $dirlist)
{
    # the folder name was a funny format (Citrix 2008 profile with .2k8 suffix)
    $username  = $userdir.Name.Split('.')[0]
    $adaccount = Get-QADUser $username

    If ((!$adaccount) -or ($adaccount.AccountIsDisabled -eq $TRUE))
    {
        Write-Host "$username is not a current employee"
        # rename folder to _DEL_originalname
        $newname = "_DEL_$username"
        Rename-Item -Path $userdir.FullName -NewName $newname
    }
    Else
    {
        # get full path
        Write-Host "$userdir - changing permissions"
        $currentDir = $userdir.FullName # this way you don't duplicate the start folder

        # get ACL of folder
        $acl = Get-Acl $currentDir

        # $acl.Access holds access-rule objects, not account names, so the check
        # has to look at each rule's IdentityReference
        $existing = $acl.Access | Where-Object { $_.IdentityReference.Value -eq "domain\$username" }
        If (-not $existing) {

            # variable to set new permissions for username of folder
            $permission = "domain\$username", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"

            $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission

            # actually set the permissions
            $acl.SetAccessRule($accessRule)
            Set-Acl $currentDir $acl

            # use subinacl to set owner at parent level and below
            $params1 = "/file $currentDir /setowner=domain\$username"
            $params2 = "/subdirectories $currentDir\*.* /setowner=domain\$username"
            $params3 = "/subdirectories $currentDir\* /grant=domain\$username"
            $params4 = "/subdirectories $currentDir\* /grant=domain\administrators=F"
            Invoke-Expression "$subinacl $params1" | Out-Null
            Invoke-Expression "$subinacl $params2" | Out-Null
            Invoke-Expression "$subinacl $params3" | Out-Null
            Invoke-Expression "$subinacl $params4" | Out-Null
        }
    }
}
Jordan W.
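A native-cmdlet way to cover both parts of the question (list each home folder's owner together with whether the folder's user holds FullControl, and re-grant it with -Fix), combining the owner lookup from Sven's answer with the access-rule construction from Jordan W.'s. This is an added example, not code from the question or any answer; the D:\users root, the CONTOSO domain name and the folder-name-equals-username convention are assumptions.

```powershell
# Added example (not from the question or any answer). Walks each home folder under
# $Root, reports its owner and whether the user the folder is named after holds an
# Allow ACE with FullControl, and with -Fix re-grants it using only native cmdlets.
# Assumptions: folder name == sAMAccountName, and $Domain is the NetBIOS domain name.
param(
    [string]$Root   = 'D:\users',   # assumption: home folder root
    [string]$Domain = 'CONTOSO',    # assumption: replace with your NetBIOS domain
    [switch]$Fix
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'

Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder  = $_
    $account = New-Object System.Security.Principal.NTAccount($Domain, $folder.Name)
    $acl     = Get-Acl -Path $folder.FullName

    # A folder whose name does not resolve to an account (renamed or deleted user)
    # is reported but never modified.
    try   { [void]$account.Translate([System.Security.Principal.SecurityIdentifier]); $resolvable = $true }
    catch { $resolvable = $false }

    # FullControl means every rights bit is present in an Allow ACE for this user.
    $hasFull = [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $fullControl) -eq $fullControl
    })

    if ($Fix -and $resolvable -and -not $hasFull) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $account, $fullControl, $inherit, 'None', 'Allow')
        $acl.SetAccessRule($rule)           # replaces any partial Allow ACE for this user
        Set-Acl -Path $folder.FullName -AclObject $acl
        $hasFull = $true
    }

    New-Object PSObject -Property @{
        Folder      = $folder.FullName
        Owner       = $acl.Owner
        User        = $account.Value
        Resolvable  = $resolvable
        FullControl = $hasFull
    }
} | Select-Object Folder, Owner, User, Resolvable, FullControl | Format-Table -AutoSize
```

Run it without -Fix first to get the report; rows with Resolvable = False are folder names that do not map to an account in the domain and are left untouched even with -Fix.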

Since you are setting the Home folders in AD, why not just re-assign using ADUC and variables?

Let's say your folders are named after your usernames.

You can filter the view to only show users who currently have a value set for their home folder.

Select all the users you want to update and go to the Properties of those users, then the Profile tab.

Enter in the path of the home folder as such:

\\<servername>\Home Folders\%USERNAME%

and then click OK. It will cycle through and reset the permissions for each folder using their individual usernames.

You will need to change the path to match your pathing, but the important part is the %USERNAME%.

HostBits