Creating a new user and setting an ACL

This topic contains 3 replies, has 2 voices, and was last updated by  Charlie Spencer 9 months ago.

  • Author
    Posts
  • #62214

    Bas
    Participant

    Hi Guys,

    I'm running into a problem. With the code below I'm creating a new user, creating a new home directory and setting the correct ACL for the user.
    When the script is done, the user is created, the folder is created and I can see the user having full permissions on the folder. However the user is not able to access the folder.
    When I remove the permissions through the gui and apply them again, it does work.
    Does any of you have any ideas? Thanks in advance.

    Below is not the complete code, but I think it should be sufficient to identify the problem.

    Function Create-User
    {
    	
    	param ($username = $x_username.Text,
    		$password = $x_password.Text,
    		$firstname = $x_firstname.Text,
    		$lastname = $x_lastname.Text,
    		$administratie = $x_administratie.Text,
    		$company = $x_company.Text,
    		$radar = $x_radar.Text
    	);
    	
    	$error.clear()
    	try { $userexists = Get-ADUser -Identity $username }
    	catch
    	{
    		
    		$password = ConvertTo-SecureString $password -AsPlainText -Force
    		$HomeDirectory = "\\servername\HomeFolderName\$username"
    		NEW-ITEM –path $HomeDirectory -type directory -force
    		Set-ItemProperty $HomeDirectory -name IsReadOnly -value $false
    		New-ADUser -Name $username -SamAccountName $username -Path "OU=***,OU=***,DC=***,DC=***" -GivenName $firstname -Surname $lastname -DisplayName "$firstname $lastname" -AccountPassword $password -Enabled $true -PasswordNeverExpires $true -Description "$administratie – $radar" -Company $company -HomeDrive "H:" -HomeDirectory $HomeDirectory
    		$Acl = Get-Acl $HomeDirectory
    		$Ar = New-Object system.Security.AccessControl.FileSystemAccessRule($username, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    		$Acl.Setaccessrule($Ar)
    		Set-Acl $HomeFolder $Acl
    
    
  • #62223

    Charlie Spencer
    Participant

    Well, I cobbled together something crude to do the same thing several months ago. I'm so green I have to walk through my own creations a cmdlet at a time to recall what each step does, and this is the first time I've attempted to reply to someone's problem. With those disclaimers out of the way, here's how I'm handling user rights. I've wacked this down to just the lines that pertain to the home directory. I hope this helps.

    #
    # Prompt for the user data.
    #
    $SAMAccountName = Read-Host 'Enter account name (last6fm)'
    $HomeDirectory = $SAMAccountName
    #
    # Create home directory.  Copy inherited permissions and remove future inheritance
    #
    New-Item "\\server.domain.com\Users\$HomeDirectory" -ItemType Directory
    icacls \\server.domain.com\users\$HomeDirectory /inheritance:d
    #
    # Rights for the user require a modified command to handle the variable
    #
    &icacls \\server.domain.com\$($HomeDirectory) /grant domain.com\$($SAMAccountName):"(oi)(ci)m"
    
    • #62224

      Bas
      Participant

      Hi Charlie,

      Thanks a lot for your input, I managed to get it working by using the icacls command. The weird thing is that it applies the same permissions now as when I used the set-acl command, only it's working now.
      Thanks for saving my day! Great job for your first post!

    • #62232

      Charlie Spencer
      Participant

      Now that you mention it, I recall trading posts with Don Jones on the very subject of SET_ACL vs. ICACLS. Since I can't find it here, it must have been another forum.

      I recall his advice boiled down to "SET_ACL is such a pain to get working properly that you should use it only if you absolutely have to. Use ICACLS instead. Don't feel compelled to do everything with PS cmdlets if there are other tools that are equally effective and easier to use.

You must be logged in to reply to this topic.