Author Posts

January 20, 2017 at 9:24 am

Hi Guys,

I'm running into a problem. With the code below I'm creating a new user, creating a new home directory and setting the correct ACL for the user.
When the script is done, the user is created, the folder is created and I can see the user having full permissions on the folder. However the user is not able to access the folder.
When I remove the permissions through the gui and apply them again, it does work.
Does any of you have any ideas? Thanks in advance.

Below is not the complete code, but I think it should be sufficient to identify the problem.

Function Create-User
{
	
	param ($username = $x_username.Text,
		$password = $x_password.Text,
		$firstname = $x_firstname.Text,
		$lastname = $x_lastname.Text,
		$administratie = $x_administratie.Text,
		$company = $x_company.Text,
		$radar = $x_radar.Text
	);
	
	$error.clear()
	try { $userexists = Get-ADUser -Identity $username }
	catch
	{
		
		$password = ConvertTo-SecureString $password -AsPlainText -Force
		$HomeDirectory = "\\servername\HomeFolderName\$username"
		NEW-ITEM –path $HomeDirectory -type directory -force
		Set-ItemProperty $HomeDirectory -name IsReadOnly -value $false
		New-ADUser -Name $username -SamAccountName $username -Path "OU=***,OU=***,DC=***,DC=***" -GivenName $firstname -Surname $lastname -DisplayName "$firstname $lastname" -AccountPassword $password -Enabled $true -PasswordNeverExpires $true -Description "$administratie – $radar" -Company $company -HomeDrive "H:" -HomeDirectory $HomeDirectory
		$Acl = Get-Acl $HomeDirectory
		$Ar = New-Object system.Security.AccessControl.FileSystemAccessRule($username, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
		$Acl.Setaccessrule($Ar)
		Set-Acl $HomeFolder $Acl

January 20, 2017 at 12:50 pm

Well, I cobbled together something crude to do the same thing several months ago. I'm so green I have to walk through my own creations a cmdlet at a time to recall what each step does, and this is the first time I've attempted to reply to someone's problem. With those disclaimers out of the way, here's how I'm handling user rights. I've wacked this down to just the lines that pertain to the home directory. I hope this helps.

#
# Prompt for the user data.
#
$SAMAccountName = Read-Host 'Enter account name (last6fm)'
$HomeDirectory = $SAMAccountName
#
# Create home directory.  Copy inherited permissions and remove future inheritance
#
New-Item "\\server.domain.com\Users\$HomeDirectory" -ItemType Directory
icacls \\server.domain.com\users\$HomeDirectory /inheritance:d
#
# Rights for the user require a modified command to handle the variable
#
&icacls \\server.domain.com\$($HomeDirectory) /grant domain.com\$($SAMAccountName):"(oi)(ci)m"

January 20, 2017 at 1:16 pm

Hi Charlie,

Thanks a lot for your input, I managed to get it working by using the icacls command. The weird thing is that it applies the same permissions now as when I used the set-acl command, only it's working now.
Thanks for saving my day! Great job for your first post!

January 20, 2017 at 1:47 pm

Now that you mention it, I recall trading posts with Don Jones on the very subject of SET_ACL vs. ICACLS. Since I can't find it here, it must have been another forum.

I recall his advice boiled down to "SET_ACL is such a pain to get working properly that you should use it only if you absolutely have to. Use ICACLS instead. Don't feel compelled to do everything with PS cmdlets if there are other tools that are equally effective and easier to use.