Create Active Directory Users Home Folder and Assign Permissions with PowerShell

The following function is a work in progress, but I thought I would go ahead and share it.

This function requires a module named PowerShellAccessControl, written by Rohn Edwards, which is downloadable from the TechNet Script Repository. The version 3.0 beta of his module, also available on that same page, is what was used to test the examples shown in this blog article.

#Requires -Version 3.0
#Requires -Modules ActiveDirectory, PowerShellAccessControl

function Create-MrUserFolder {

<#
.SYNOPSIS
    Creates an Active Directory user's home folder and assigns modify permission
    to the user and read permission to their manager.

.DESCRIPTION
    Create-MrUserFolder is a function that is designed to create an Active Directory
    user's home folder and assign full permissions to administrators and system,
    modify to the user and read access to the user's manager.

.PARAMETER UserName
    The Active Directory user account object for the user to create a folder for.

.PARAMETER Path
    The root path location where to create the user folder.

.EXAMPLE
     Get-ADUser -Identity MikeFRobbins -Properties Manager |
     Create-MrUserFolder -Path 'S:\Users'

.INPUTS
    Microsoft.ActiveDirectory.Management.ADAccount

.OUTPUTS
    System.IO.DirectoryInfo

.NOTES
    Author:  Mike F Robbins
    Website: http://mikefrobbins.com
    Twitter: @mikefrobbins
#>

    [CmdletBinding()]
    param (
        # The root folder must already exist; Join-Path below fails on an empty path
        [Parameter(Mandatory)]
        [ValidateScript({Test-Path -Path $_ -PathType Container})]
        [string]$Path,

        [Parameter(Mandatory,
                   ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADAccount[]]$UserName
    )

    BEGIN {
        # Principals that receive Full Control on every home folder
        $DefaultUsers = "$env:COMPUTERNAME\Administrators", 'System'
    }

    PROCESS {

        foreach ($u in $UserName) {

            $UserPath = Join-Path -Path $Path -ChildPath $u.SamAccountName

            if (-not(Test-Path $UserPath -PathType Container)) {
                New-Item -Path $UserPath -ItemType Directory
            }
            else {
                Write-Warning -Message "'$UserPath' already exists."
            }

            # Read the folder's security descriptor once and add every entry to it
            $SecurityDescriptor = Get-SecurityDescriptor -Path $UserPath

            foreach ($d in $DefaultUsers) {
                $SecurityDescriptor | Add-AccessControlEntry -Principal $d -FolderRights FullControl -Apply -Force
            }

            $SecurityDescriptor | Add-AccessControlEntry -Principal $($u.UserPrincipalName) -FolderRights Modify -Apply -Force

            # The Manager attribute is a distinguished name; resolve it to the manager's UPN
            if ($($u.Manager)) {
                $SecurityDescriptor | Add-AccessControlEntry -Principal $((Get-ADUser -Identity $u.Manager).UserPrincipalName) -FolderRights ReadAndExecute -Apply -Force
            }

            # Stop inheriting from the root folder so only the explicit entries above apply
            Disable-AclInheritance -Path $UserPath -Force

        }
    }
}
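For readers who would rather not depend on a beta third-party module, the following is an added example (not code from the original post or from Rohn's module) that produces the same folder ACL with only the built-in .NET FileSystemSecurity classes and Get-Acl/Set-Acl. It makes the point behind the function's ordering explicit: once the DACL is protected without copying the inherited entries, nothing is inherited from the root share any more, so administrators and SYSTEM must be granted explicitly. The function name New-MrHomeFolderAcl, the sample path and the DOMAIN\user principal names are assumptions for this example.

```powershell
#Requires -Version 3.0

function New-MrHomeFolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)]
        [string]$UserPath,          # full path of the home folder, e.g. 'S:\Users\jdoe' (assumed)

        [Parameter(Mandatory)]
        [string]$UserPrincipal,     # NT account name of the user, e.g. 'MIKEFROBBINS\jdoe' (assumed)

        [string]$ManagerPrincipal,  # optional NT account name of the manager

        # Principals that always get Full Control; same role as $DefaultUsers in the post's function
        [string[]]$FullControlPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    if (-not (Test-Path -Path $UserPath -PathType Container)) {
        $null = New-Item -Path $UserPath -ItemType Directory
    }

    # Apply each entry to this folder, its subfolders and its files
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    $acl = Get-Acl -Path $UserPath

    # Protect the DACL from the parent and do NOT copy the inherited entries
    # ($true = protect, $false = do not preserve). After this call nothing is
    # inherited from the root share, which is why admins and SYSTEM are added below.
    $acl.SetAccessRuleProtection($true, $false)

    # Drop any explicit entries already present so the result is exactly the intended set
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($existing)
    }

    # Intended entries: principal -> FileSystemRights
    $intended = @{}
    foreach ($p in $FullControlPrincipals) { $intended[$p] = 'FullControl' }
    $intended[$UserPrincipal] = 'Modify'
    if ($ManagerPrincipal) { $intended[$ManagerPrincipal] = 'ReadAndExecute' }

    foreach ($entry in $intended.GetEnumerator()) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $entry.Key, $entry.Value, $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }

    if ($PSCmdlet.ShouldProcess($UserPath, 'Replace access control list')) {
        Set-Acl -Path $UserPath -AclObject $acl
    }

    # Re-read from disk and return the explicit entries so the caller can verify the result
    (Get-Acl -Path $UserPath).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object -Property IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
}

# Usage (assumed path and domain):
# New-MrHomeFolderAcl -UserPath 'S:\Users\jdoe' -UserPrincipal 'MIKEFROBBINS\jdoe' -ManagerPrincipal 'MIKEFROBBINS\mrobbins'
```

Two design choices differ from the post's function on purpose: principals are given as DOMAIN\SamAccountName (the form FileSystemAccessRule resolves reliably) rather than the UPN that Add-AccessControlEntry accepts, and the folder's existing explicit entries are removed before the intended ones are added, so re-running the function on an existing folder converges on the same ACL instead of accumulating entries. Run it with -WhatIf first to see which folder would be changed.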

The following example demonstrates creating home folders and assigning permissions to those folders for all of the users in the Northwind organizational unit in my test Active Directory environment:

Invoke-Command -ComputerName DC01 {
    Get-ADUser -Filter * -SearchBase 'OU=Northwind Users,OU=Users,OU=Test,DC=mikefrobbins,DC=com' -Properties Manager |
    Create-MrUserFolder -Path 'S:\Users'
}

[screenshot: homefolder1.jpg]

Now to see if the permissions are correct, once again using a function from Rohn's module:

Get-ChildItem -Path S:\Users | Get-AccessControlEntry | Format-Table -AutoSize

[screenshot: homefolder2.jpg]

They look correct based on the previous output, and they can be verified against who each user's manager is in Active Directory:

Get-ADUser -Filter * -SearchBase 'OU=Northwind Users,OU=Users,OU=Test,DC=mikefrobbins,DC=com' -Properties Manager, Title |
Select-Object -Property Name, Title, @{label='Manager';expression={$_.manager -replace '^CN=|\,.*$'}} |
Sort-Object -Property Manager, Name

[screenshot: homefolder3.jpg]

Did you notice the regular expression that I used in the previous example to extract the manager's name from the distinguished name that is returned by default?
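That regular expression has one edge case worth knowing about: a distinguished name whose CN value itself contains a comma, which LDAP escapes as a backslash followed by the comma (for example a user named 'Doe, John'). Because '\,.*$' cuts at the first literal comma, such a name is truncated. The following is an added example (not code from the original post) that runs the post's expression and a comma-aware alternative over two constructed distinguished names; the function names and the sample DNs are assumptions for this example.

```powershell
# Added example: the post's DN regex next to a version that honours escaped commas.
# Both sample distinguished names are constructed for this example.

function Get-MrCnFromDn {
    param (
        [Parameter(Mandatory)]
        [string]$DistinguishedName
    )
    # The post's expression: strip the leading 'CN=' and everything from the first comma on
    $DistinguishedName -replace '^CN=|\,.*$'
}

function Get-MrCnFromDnSafe {
    param (
        [Parameter(Mandatory)]
        [string]$DistinguishedName
    )
    # Capture the CN value, treating a backslash-escaped character (such as '\,')
    # as part of the value, then remove the escaping backslashes.
    if ($DistinguishedName -match '^CN=((?:\\.|[^,\\])*)(?:,|$)') {
        return $Matches[1] -replace '\\(.)', '$1'
    }
    return $null
}

$samples = @(
    'CN=Jane Smith,OU=Northwind Users,OU=Users,OU=Test,DC=mikefrobbins,DC=com',
    'CN=Doe\, John,OU=Northwind Users,OU=Users,OU=Test,DC=mikefrobbins,DC=com'
)

foreach ($dn in $samples) {
    [pscustomobject]@{
        DN        = $dn
        PostRegex = Get-MrCnFromDn -DistinguishedName $dn       # 'Jane Smith' / 'Doe\'
        Safe      = Get-MrCnFromDnSafe -DistinguishedName $dn   # 'Jane Smith' / 'Doe, John'
    }
}
```

For a display column this is a cosmetic problem, but the same truncation would matter if the extracted string were ever used as an identity. The function in this post sidesteps the issue entirely by passing the Manager distinguished name to Get-ADUser -Identity and using the returned object's properties, which is the safer pattern wherever the value is used for anything other than display.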

The cool thing is you can actually create an Active Directory user account, create their home directory, and assign the proper permissions all in one command when the PassThru parameter of New-ADUser is used to pass the new user object to my function:

Invoke-Command -ComputerName DC01 {
    New-ADUser -Name 'John Doe' -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@mikefrobbins.com' -PassThru |
    Create-MrUserFolder -Path 'S:\Users'
}

[screenshot: homefolder4.jpg]

And to validate that the permissions on the user's folder were set correctly:

Get-AccessControlEntry S:\Users\jdoe

[screenshot: homefolder5.jpg]
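Checking one folder by eye works at creation time, but home-folder permissions drift: a helpdesk ticket adds a colleague, inheritance gets re-enabled from the share, or an account is deleted and leaves an orphaned folder or SID behind. The following is an added example (not code from the original post or from Rohn's module) that walks every folder under the root, derives the expected principals from Active Directory the same way the post's function does (administrators, SYSTEM, the user, and the user's manager), and reports every ACE that falls outside that set. It uses only Get-Acl and the ActiveDirectory module; the function name Test-MrHomeFolderAcl, the root path and the NetBIOS domain name are assumptions for this example.

```powershell
#Requires -Version 3.0
#Requires -Modules ActiveDirectory

function Test-MrHomeFolderAcl {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [ValidateScript({Test-Path -Path $_ -PathType Container})]
        [string]$Path,      # root of the home folders, e.g. 'S:\Users' (assumed)

        [Parameter(Mandatory)]
        [string]$Domain,    # NetBIOS domain name as shown in IdentityReference, e.g. 'MIKEFROBBINS' (assumed)

        # Principals allowed on every folder; -contains below compares case-insensitively
        [string[]]$AlwaysAllowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    foreach ($folder in Get-ChildItem -Path $Path -Directory) {

        # The folder name is the SamAccountName the post's function used when creating it
        $sam  = $folder.Name
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties Manager

        if (-not $user) {
            # Orphaned folder: left over from a deleted or renamed account
            [pscustomobject]@{
                Folder    = $folder.FullName
                Principal = $null
                Rights    = $null
                Type      = $null
                Finding   = 'NoMatchingADUser'
            }
            continue
        }

        # Expected principals: the always-allowed set, the user, and (if set) the manager
        $expected = @($AlwaysAllowed) + "$Domain\$($user.SamAccountName)"
        if ($user.Manager) {
            $manager   = Get-ADUser -Identity $user.Manager
            $expected += "$Domain\$($manager.SamAccountName)"
        }

        foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
            # An unresolvable SID shows up as S-1-5-... here and is flagged like any other outsider
            $principal = $ace.IdentityReference.Value

            $finding = $null
            if ($ace.IsInherited) {
                # The post's function disables inheritance, so an inherited ACE means it was re-enabled
                $finding = 'InheritedAce'
            }
            elseif ($expected -notcontains $principal) {
                $finding = 'UnexpectedPrincipal'
            }

            if ($finding) {
                [pscustomobject]@{
                    Folder    = $folder.FullName
                    Principal = $principal
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Finding   = $finding
                }
            }
        }
    }
}

# Usage (assumed root and domain):
# Test-MrHomeFolderAcl -Path 'S:\Users' -Domain 'MIKEFROBBINS' | Format-Table -AutoSize
```

The report only names principals that should not be there; it does not check that the user still holds exactly Modify or the manager exactly ReadAndExecute, which is a simple extension if that level of rigour is wanted. Running it on a schedule and diffing the output against the previous run turns a one-off check into a standing control over who can read users' home folders.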
