I am trying to create a user folder for each AD user. I want each folder to be accessible only by that AD user.

The final result I want:
FolderName: "UserAFolder"
Goal: only UserA in "UserAFolder"

But the result is
FolderName: "UserAFolder"
UserA, UserB, UserC ... are all in "UserAFolder"

    $folderpath = "\\san\Shares\UserFolders\"
    $ulist = Import-Csv -Path C:\aduserlist.csv
    foreach ($list in $ulist)
    {
        $users = $list.username
        $newpath = $folderpath + $users
        # Create the per-user folder under the share
        New-Item -ItemType Directory -Path $folderpath -Name $users
        $rights = "Modify"
        $inheritanceFlag = "ContainerInherit,ObjectInherit"
        $propagationFlag = "None"
        $type = "Allow"
        $objACL = Get-Acl $newpath
        # Build an explicit Allow/Modify rule for the user, applying to the folder and its contents
        $entries = $users, $rights, $inheritanceFlag, $propagationFlag, $type
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $entries
        # SetAccessRule only adds or replaces this user's explicit entry;
        # entries inherited from the parent folder stay in place
        $objACL.SetAccessRule($rule)
        $objACL | Set-Acl -Path $newpath
    }
  • Consider using: NTFSSecurity module https://learn.microsoft.com/en-us/archive/blogs/fieldcoding/ntfssecurity-tutorial-1-getting-adding-and-removing-permissions – Ivan Mirchev Jun 05 '20 at 10:58
  • I think you need to also consider allowing the domain admins to have full control. Besides that, the new folder you create for the user inherits permissions from the `\\san\Shares\UserFolders` share. You need to break that inheritance on the new folder first, then remove all permissions that are set on the user folder and after that set the new permissions. Have a look at the answers [here](https://stackoverflow.com/questions/6573308/removing-all-acl-on-folder-with-powershell) – Theo Jun 05 '20 at 11:29
  • I figured it out; the code is working properly. It was just the parent folder: all the users were added to the parent folder and that was inherited by the subfolders. That is why, when I created the folders, the subfolders got all the users. Thank you, I am trying to use NTFSSecurity; it is shorter code and a simpler format. – learnerpowershell Jun 05 '20 at 11:48
  • @learnerpowershell That's great! You should post an answer and accept it! :) – Mathias R. Jessen Jun 05 '20 at 11:56

1 Answer

The original ACL code works. It was just a parent folder inheritance issue. The NTFS Security

    Import-Module NTFSSecurity   # provides Add-NTFSAccess

    $folderpath = "\\san\Shares\UserFolders\"
    $ulist = Import-Csv -Path C:\aduserlist.csv

    foreach ($list in $ulist) {
        $users = $list.username
        # The account to grant access to is taken from the CSV's email column
        $ADUser = $list.email
        $newpath = $folderpath + $users
        New-Item -ItemType Directory -Path $folderpath -Name $users
        # Grant the account Modify on its own folder
        Add-NTFSAccess $newpath -Account $ADUser -AccessRights Modify -PassThru
    }
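
The sequence described in Theo's comment (break inheritance on the new folder, clear the existing entries, then grant only the intended accounts), written out with the built-in ACL cmdlets as an added example that is not code from the question or the answer. `CONTOSO` is a placeholder domain name, and the CSV `username` column is assumed to hold each user's sAMAccountName.

```powershell
# Added example. Assumptions: CONTOSO is a placeholder NetBIOS domain name and
# the CSV 'username' column holds each user's sAMAccountName.
$folderPath = '\\san\Shares\UserFolders'
$domain     = 'CONTOSO'
$inherit    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$propagate  = [System.Security.AccessControl.PropagationFlags]::None
$allow      = [System.Security.AccessControl.AccessControlType]::Allow

function New-AllowRule {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    $ruleArgs = $Identity, $Rights, $inherit, $propagate, $allow
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

foreach ($row in Import-Csv -Path 'C:\aduserlist.csv') {
    $newPath  = Join-Path -Path $folderPath -ChildPath $row.username
    $expected = "$domain\$($row.username)", "$domain\Domain Admins"
    New-Item -ItemType Directory -Path $newPath -ErrorAction Stop | Out-Null

    $acl = Get-Acl -Path $newPath
    # $true  = protect this folder from inheritance,
    # $false = do not copy the parent's entries in as explicit ones.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit entries already on the folder.
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

    # Grant only the folder's user and the administrators.
    $acl.AddAccessRule((New-AllowRule -Identity $expected[0] -Rights Modify))
    $acl.AddAccessRule((New-AllowRule -Identity $expected[1] -Rights FullControl))
    Set-Acl -Path $newPath -AclObject $acl

    # Re-read the ACL and report anything inherited or unexpected.
    $extra = (Get-Acl -Path $newPath).Access | Where-Object {
        $_.IsInherited -or $_.IdentityReference.Value -notin $expected
    }
    if ($extra) {
        Write-Warning "$newPath has unexpected entries: $($extra.IdentityReference -join ', ')"
    }
}
```

Run it as a member of the group that receives FullControl so the provisioning account keeps access to the folders once inheritance is cut.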