
I tried to automatically map a drive for users using a PowerShell script.

The script creates the user with the command:

```powershell
New-ADUser -Name $userName -GivenName $userName -Surname $userName -DisplayName $userName -Path "OU=Eng,DC=lovely,DC=Local" -SamAccountName $userName -AccountPassword (ConvertTo-SecureString $pass -AsPlainText -Force) -UserPrincipalName ($userName + '@lovely.local') -Enabled $true -HomeDrive 'H:' -HomeDirectory "\\DC01\Private\$userName"
```

The user is created, but when I log on to the user account the drive isn't mapped, and the user folder inside the "Private" share isn't created.

Then I tried to manually map it from the client and I get this error message:

The mapped drive could not be created because the following error has occurred: The specified network resource or drive is no longer available

So I created the user folder in the server (path: C:\Private\user1) and I can map it manually.

So I disconnected the drive, opened the user's profile tab (AD Users and Computers → OU → user1 → Profile) and manually typed the same path again:

\\DC01\Private\user1

and the drive is mapped once I log on again!

Why is that happening?

  • The server (2016 standard) is installed as VM on VirtualBox, the client is Windows 8, also a VM.
  • Windows firewall is disabled, also Windows Defender.
  • The Windows 8 machine is a member in the domain.
  • The "Private" share properties:

    Share permissions "\\DC01\Private": Authenticated Users (Full Control)

    NTFS permissions "C:\Private": SYSTEM (Full Control), Administrators (Full Control), CREATOR OWNER (Full Control, subfolders and files only), Authenticated Users (Full Control)

And again, when I create a new user manually the mapping process is working just fine.

The complete script:

```powershell
Import-Module ActiveDirectory

#-----------------#
# Global Var
#-----------------#
$pass = 'Pa$$w0rd'
$drive_letter = 'H:'
$dir_path = '\\DC01\Private'

#-----------------#
# Eng department
#-----------------#
$totalusers = 9
$uname = "Eng"
$ou = "Eng"

for ($i = 0; $i -lt $totalusers; $i++) {
    $userID = "{0:00}" -f ($i + 1)          # zero-padded: Eng01 .. Eng09
    $userName = "$uname$userID"
    Write-Host "Creating AD user" ($i + 1) "of" $totalusers ":" $userName
    # Only the AD attributes are set here; nothing creates $dir_path\$userName on the server
    New-ADUser -Name $userName -DisplayName $userName -Path "OU=$ou,DC=lovely,DC=Local" -SamAccountName $userName -AccountPassword (ConvertTo-SecureString $pass -AsPlainText -Force) -UserPrincipalName ($userName + '@lovely.local') -HomeDrive $drive_letter -HomeDirectory "$dir_path\$userName" -Enabled $true
}
```
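Before re-running the script, it helps to see which existing accounts already point at a home folder that does not exist on the file server. The following audit is an added example, not part of the question or its script; it assumes RSAT is installed on the machine it runs on, that the account running it can read `\\DC01\Private`, and uses the `OU=Eng,DC=lovely,DC=Local` container from the question. The function name `Get-MissingHomeDirectories` is my own.

```powershell
# Added example: report AD accounts whose HomeDirectory attribute is set but whose
# folder does not exist on the file server (the situation described in the question).
Import-Module ActiveDirectory

function Get-MissingHomeDirectories {
    param(
        [Parameter(Mandatory)] [string] $SearchBase   # e.g. 'OU=Eng,DC=lovely,DC=Local'
    )

    # HomeDrive/HomeDirectory are not in the default property set, so ask for them explicitly.
    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                        -Properties HomeDrive, HomeDirectory

    foreach ($u in $users) {
        if ([string]::IsNullOrEmpty($u.HomeDirectory)) {
            [pscustomobject]@{
                User          = $u.SamAccountName
                HomeDrive     = $u.HomeDrive
                HomeDirectory = $null
                Status        = 'NotSet'
            }
            continue
        }

        # -PathType Container: a file with the same name would also make the mapping fail.
        # A False result can also mean the running account lacks list/traverse rights on
        # the share, so run this as an administrator of the file server.
        $exists = Test-Path -LiteralPath $u.HomeDirectory -PathType Container

        [pscustomobject]@{
            User          = $u.SamAccountName
            HomeDrive     = $u.HomeDrive
            HomeDirectory = $u.HomeDirectory
            Status        = if ($exists) { 'OK' } else { 'FolderMissing' }
        }
    }
}

# Usage: list only the accounts whose drive mapping will fail at logon
Get-MissingHomeDirectories -SearchBase 'OU=Eng,DC=lovely,DC=Local' |
    Where-Object Status -ne 'OK' |
    Format-Table -AutoSize
```

Accounts reported as `FolderMissing` are exactly the ones that produce the "network resource or drive is no longer available" error at logon; creating the folder (with appropriate NTFS permissions) fixes them without touching the AD object.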
  • It sounds like you just need to create the folder to make it work. – eckes Sep 24 '17 at 21:50
  • Maybe, but you are not using the tab, isn't that what's your question is about? – eckes Sep 24 '17 at 22:02
  • 1
    Related? https://stackoverflow.com/questions/26592223/powershell-homedirectory-not-created-on-fileserver-filesystem – David Brabant Sep 25 '17 at 06:12
  • 2
    AD GUI has a function in the background to create and provision access to the homedrive shares. That is not the case when it is done through PS CmdLet. The shares need to be created and provisioned by your code. – Sid Sep 25 '17 at 06:51
  • I created the share before executing the script. Are there some extra settings I need to set in my code? – ic205 Sep 25 '17 at 08:29
  • You're confusing the **share** (`\\DC01\Private`) with the user folder **inside the share** (`\\DC01\Private\user1`). Either have your PowerShell script create the folder `C:\Private\user1` on DC01 along with the account, or use a logon script to create a missing home directory. Personally, I prefer the latter. – Ansgar Wiechers Sep 25 '17 at 09:35
  • As a side-note: you most definitely do **NOT** want to grant full access on `C:\Private` to the group "Authenticated Users". [See here](https://blogs.technet.microsoft.com/askds/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders/) for appropriate permission settings. – Ansgar Wiechers Sep 25 '17 at 09:42
  • I know. I set it to full access only for troubleshooting. Each user can only access his directory. – ic205 Sep 25 '17 at 10:22

1 Answer

As Rohin Sidharth and eckes wrote in the comments, the problem was solved when I created the directory for each user within my script. The GUI has some function that creates the folder once the user logs on for the first time.

And now each user that logs on can see his home folder automatically.

EDIT:

I added a for loop to create each department directory. Now each user has access only to his directory, inside a directory with his department name (and only the department users have access to that directory).

```powershell
# Assumed definitions (not shown in the original snippet): the department OUs and the
# local path of the share; $dir_path, $drive_letter and $pass come from the question's script.
$ous = @("Eng", "Projects")
$dir = 'C:\Private'

foreach ($o in $ous) {

    Write-Host "Creating OU: " $o
    New-ADOrganizationalUnit -Name $o

    Write-Host "Create Group $o"
    New-ADGroup -Name "$o" -SamAccountName $o -GroupCategory Security -GroupScope Global -DisplayName "$o" -Path "CN=Users,DC=lovely,DC=local" -Description "$o department"

    # Create department dir
    New-Item -Path "$dir\$o" -ItemType Directory

    # Grant the department group Read/Write/Traverse on the department folder itself.
    # With InheritanceFlags None the ACE is never inherited by the user folders below it,
    # so PropagationFlags has no effect; None is used so the rule reads as it behaves.
    $colRights = [System.Security.AccessControl.FileSystemRights]"Read, Write, Traverse"
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    $objUser = New-Object System.Security.Principal.NTAccount("$o")
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
    $objACL = Get-Acl "$dir\$o"
    $objACL.AddAccessRule($objACE)
    Set-Acl "$dir\$o" $objACL
}
```

Here I create the users in one department, for example:

```powershell
# $pass, $drive_letter, $dir_path and $dir are defined as in the script above;
# the three functions below must be defined before this loop runs.
$totalusers = 6
$uname = "Manager"
$ou = "Projects"
for ($i = 0; $i -lt $totalusers; $i++) {
    $userID = "{0:00}" -f ($i + 1)
    $userName = "$uname$userID"
    Write-Host "Creating AD user" ($i + 1) "of" $totalusers ":" $userName

    # create user folder inside the share
    CreateUserHomeDir -dir $dir -ou $ou -userName $userName
    New-ADUser -Name $userName -DisplayName $userName -Path "OU=$ou,DC=lovely,DC=Local" -SamAccountName $userName -AccountPassword (ConvertTo-SecureString $pass -AsPlainText -Force) `
        -UserPrincipalName ($userName + '@lovely.local') -Enabled $true -HomeDrive $drive_letter -HomeDirectory "$dir_path\$ou\$userName"

    # grant the user rights on his folder (the account must exist before its name can be resolved)
    SetDirPermissions -ou $ou -userName $userName -dir $dir

    # add to group
    AddToGroup -groupName $ou -userName $userName
}
```

Functions:

```powershell
function AddToGroup ($groupName, $userName) {
    Add-ADGroupMember -Identity $groupName -Members $userName
}

function CreateUserHomeDir ($dir, $ou, $userName) {
    New-Item -Path "$dir\$ou\$userName" -ItemType Directory
}

function SetDirPermissions ($ou, $userName, $dir) {
    # Allow the user Read/Write/Traverse on his own folder only (InheritanceFlags None,
    # so PropagationFlags has no effect and is left at None). Files he creates inside
    # are covered by the CREATOR OWNER entry inherited from C:\Private.
    $colRights = [System.Security.AccessControl.FileSystemRights]"Read, Write, Traverse"
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    $objUser = New-Object System.Security.Principal.NTAccount("$userName")
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
    $objACL = Get-Acl "$dir\$ou\$userName"
    $objACL.AddAccessRule($objACE)
    Set-Acl "$dir\$ou\$userName" $objACL
}
```
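The answer above relies on the share root granting Authenticated Users Full Control and adds one non-inherited ACE per user. The following is an added example, not the answer's own code, showing the same provisioning step (account, folder, ACL, verification) done in one function with an explicit per-folder ACL: inheritance is cut on the user folder so broad rights on the share root do not flow down, only SYSTEM, Administrators and the user get access, the user is identified by SID rather than by name, and the initial password is prompted for once rather than written into the script. It assumes the share `\\DC01\Private` maps to `C:\Private` on DC01 (as in the question) and that it runs on DC01 as a domain administrator; the function name `New-ProvisionedUser` and its parameters are my own.

```powershell
# Added example: provision an AD user together with a home folder that has an explicit ACL.
Import-Module ActiveDirectory

function New-ProvisionedUser {
    param(
        [Parameter(Mandatory)] [string]       $SamAccountName,
        [Parameter(Mandatory)] [string]       $OU,               # OU name, also the department folder, e.g. "Eng"
        [Parameter(Mandatory)] [securestring] $InitialPassword,  # from Read-Host -AsSecureString, not a literal
        [string] $LocalRoot = 'C:\Private',        # local path of the share on DC01 (assumed)
        [string] $ShareRoot = '\\DC01\Private',
        [string] $HomeDrive = 'H:',
        [string] $DomainDN  = 'DC=lovely,DC=Local',
        [string] $UpnSuffix = 'lovely.local'
    )

    # 1. Create the account first: the ACL step needs its SID.
    New-ADUser -Name $SamAccountName -DisplayName $SamAccountName `
        -SamAccountName $SamAccountName -Path "OU=$OU,$DomainDN" `
        -UserPrincipalName "$SamAccountName@$UpnSuffix" `
        -AccountPassword $InitialPassword -ChangePasswordAtLogon $true `
        -HomeDrive $HomeDrive -HomeDirectory "$ShareRoot\$OU\$SamAccountName" -Enabled $true

    # 2. Create the folder on the file server; New-ADUser never does this (the GUI does).
    $localPath = Join-Path (Join-Path $LocalRoot $OU) $SamAccountName
    if (-not (Test-Path -LiteralPath $localPath -PathType Container)) {
        New-Item -Path $localPath -ItemType Directory | Out-Null
    }

    # 3. Explicit ACL: stop inheriting from the share root, then grant only
    #    SYSTEM, Administrators and the user (by SID, so no name lookup is needed).
    $sid   = (Get-ADUser -Identity $SamAccountName).SID
    $both  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $mod   = [System.Security.AccessControl.FileSystemRights]::Modify

    $acl = Get-Acl -LiteralPath $localPath
    $acl.SetAccessRuleProtection($true, $false)   # protect the DACL and drop inherited ACEs
    foreach ($rule in @(
        (New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    $full, $both, $none, $allow)),
        (New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', $full, $both, $none, $allow)),
        (New-Object System.Security.AccessControl.FileSystemAccessRule($sid,                     $mod,  $both, $none, $allow))
    )) { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $localPath -AclObject $acl

    # 4. Report what the client will see at logon and who can reach the folder.
    [pscustomobject]@{
        User          = $SamAccountName
        HomeDirectory = "$ShareRoot\$OU\$SamAccountName"
        FolderExists  = Test-Path -LiteralPath $localPath -PathType Container
        Access        = (Get-Acl -LiteralPath $localPath).Access |
                            ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
    }
}

# Usage: prompt once for the initial password, then provision Eng01 .. Eng09
$pw = Read-Host -Prompt 'Initial password' -AsSecureString
1..9 | ForEach-Object { New-ProvisionedUser -SamAccountName ('Eng{0:00}' -f $_) -OU 'Eng' -InitialPassword $pw }
```

Because inheritance is disabled on each user folder, the share root can keep a narrow ACL (for example Authenticated Users limited to listing and creating folders on the root only, as in the Technet article linked in the comments) without users gaining access to each other's folders, and `-ChangePasswordAtLogon` means the shared initial password is replaced at first use.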
ic205
  • You can accept your own answer (and it's a shame you said no to my comment which actually solved your problem, I would have made an answer out of it) – eckes Sep 28 '17 at 23:58
  • And I said 'no' to your second comment. – ic205 Sep 29 '17 at 04:16