Modifying permissions and owners on folders, including childfolders and files


    • #243623
      Topics: 5
      Replies: 6
      Points: 55
      Rank: Member



      I have a script (below) that we wish to use to:

      1. Change the owner of a folder
      2. Add the AD user svc_account as read only to the folder
      3. Include this change for sub folders and files from the root amended folder
      4. Change the owner of the folder back to the original

      From the code below, step 3 from above does not seem to be working, and I'm not sure why. Could you please assist?

      #run as administrator and as Domain Admin
      #Script requires Active Directory and NTFSSecurity powershell modules
      #acl change for directories we need to take ownership of

      #$ErrorActionPreference = "silentlycontinue"

      cd c:\Scripts\HomedirACL
      ipmo activedirectory
      ipmo NTFSSecurity

      $userList="exeit5.txt" #plaintext list of user account in scope
      $server = "MCRFS02" #set this to the CIFS server the homedirs are on - MCRFS02?
      $root="z:\home\" #map the root of the homedir share to Z:\ (\\mcrfs02\isadhomes01$ etc)
      $serviceAccount="ISAD\svc_account" #service account to add to ACL
      $timeStamp = get-date -Format "yyyyMMddHHmmss" #timestamp to use on logfiles
      $outputLog = "logs\output_$timeStamp.log" #general output log file
      $orphanedprofilesLog = "logs\orphanedprofiles_$timeStamp.log" #profiles that do not have a corresponding AD account
      $errorLog = "logs\error_$timeStamp.log" #error logfile
      $successLog = "logs\success_$timeStamp.log" #success logfile

      function Check-ConnectedUser($profile) {
          #check if users have an active SMB session on $server, return true or false

          $activeUsers = @()

          $shares = [ADSI]"WinNT://$server/lanmanserver" #SMB server object

          $shares.Invoke("Resources") | foreach {
              $activeUsers += $_.GetType().InvokeMember("User", 'GetProperty', $null, $_, $null) #user behind each open resource (active session)
          }

          $activeUsers = $activeUsers | select -Unique #reduce list down to unique entries as accounts can be listed more than once
          write-host $activeUsers

          #escape the username so it is compared literally and not treated as a regular expression
          if ($activeUsers -match [regex]::Escape($profile)) {
              Write-Host $true
              return $true
          }
          else {
              Write-Host $false
              return $false
          }
      }

      function Test-ACL($profilePath) {
          #test if $serviceAccount is on the users U: drive, return true or false
          $testAcl = Get-NTFSAccess $profilePath

          if ($testAcl.account -contains $serviceAccount) {
              #Write-Host $true
              return $true
          }
          else {
              #Write-Host $false
              return $false
          }
      }

      #Main loop
      #Loop through profiles in $userList and cross reference against AD. if the AD account exists, perform actions
      $profiles = Get-content $userList
      $totalProfiles = $profiles.Count
      $output = "$totalProfiles profiles in total"
      write-host $output

      foreach ($profile in $profiles) {
          #test if user exists in AD and skip if they don't
          #Get-ADUser -Identity throws a terminating error for an unknown account, which -ErrorAction SilentlyContinue does not suppress, so use try/catch
          $User = $null
          try {
              $User = Get-ADUser -Identity $profile -ErrorAction Stop
          }
          catch {
              $User = $null
          }
          If ($User -eq $Null) {
              $output = "$profile does not exist in AD. Skipping`n"
              write-host $output
              $output |out-file -FilePath .\$orphanedprofilesLog -append
          }
          Else {
              $profilePath = $root + $profile #build homedir path
              $profilePathTest = $root + $profile + '\*' #build homedir path for ACL test
              #test if user exists in the currently mapped ISADHomes share and skip if they don't
              if (Test-Path $profilePath){
                  #test if we can access their home directory, if we can then add the service account. if we cannot then take ownership and reapply the ACL
                  If (Test-Path $profilePathTest) {
                      $output = "$profile found in AD, $profilePath access successful. Adding $serviceAccount to ACL"
                      write-host $output
                      $output |out-file -FilePath .\$outputLog -append

                      Add-NTFSAccess -path $profilePath -Account $serviceAccount -AccessRights ReadAndExecute

                      If (Test-ACL $profilePath) {
                          $output = "$profile permission change completed `n"
                          Write-Host $output
                          $output |out-file -FilePath .\$outputLog -append
                          $output |out-file -FilePath .\$successLog -append
                      }
                      else {
                          $output = "$profile permission change failed `n"
                          Write-Host $output
                          $output |out-file -FilePath .\$outputLog -append
                          $output |out-file -FilePath .\$errorLog -append
                      }
                  }
                  else {
                      $output = "$profile found in AD, $profilePath access Failed"
                      write-host $output
                      $output |out-file -FilePath .\$outputLog -append

                      $isUserConnected = Check-ConnectedUser($profile)
                      #test if user has an active SMB session on $server and skip if they do
                      if ($isUserConnected -eq $true) {
                          $output = "$profile is connected to their U: drive. Skipping`n"
                          Write-Host $output
                          $output |out-file -FilePath .\$outputLog -append
                          $output |out-file -FilePath .\$errorLog -append
                      }
                      else {
                          #no active session so take ownership and reapply ACL
                          $output = "$profile is not connected to their U: drive. Taking ownership of $profilePath (This part of the script is commented out as its untested)"
                          Write-Host $output
                          $output |out-file -FilePath .\$outputLog -append
                          # Set-NTFSOwner -Path $profilePath -Account 'ISAD\Domain Admins' -whatif

                          $output = "re-adding ACL to $profilePath"
                          write-Host $output
                          $output |out-file -FilePath .\$outputLog -append

                          #Add-NTFSAccess -path $profilePath -Account 'ISAD\Domain Admins' -AccessRights FullControl
                          #Add-NTFSAccess -path $profilePath -Account $profile -AccessRights FullControl
                          #Add-NTFSAccess -path $profilePath -Account $serviceAccount -AccessRights ReadAndExecute

                          If (Test-ACL $profilePath) {
                              $output = "$profile permission change completed (or it will be when uncommented and tested...)`n"
                              Write-Host $output
                              $output |out-file -FilePath .\$outputLog -append
                              $output |out-file -FilePath .\$successLog -append
                          }
                          else {
                              $output = "$profile permission change failed `n"
                              Write-Host $output
                              $output |out-file -FilePath .\$outputLog -append
                              $output |out-file -FilePath .\$errorLog -append
                          }
                      }
                  }

                  $output = "$profile complete `n"
                  Write-Host $output
                  $output |out-file -FilePath .\$outputLog -append
              }
              else {
                  #add section to check if user is connected, take ownership and blat correct acl
                  $output = "$profile does not exist in $root. Skipping`n"
                  write-host $output
                  $output |out-file -FilePath .\$errorLog -append
                  Read-Host 'Press Enter to continue…' | Out-Null
              }
          }
      }



      This was previously asked on 243362, but when I've gone back to edit it, it seems to have been removed, so I have raised it again.
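The four steps the post lists (take ownership, grant the service account read-only access, make that reach every subfolder and file, restore the owner), as an added example for a single home directory. This is not code from the original post or from the NTFSSecurity project; it is written against the NTFSSecurity cmdlets the posted script already imports. The path Z:\home\jsmith, the group ISAD\Domain Admins and the account ISAD\svc_account are assumed placeholder values. The point it shows that a single Add-NTFSAccess does not: an inheritable entry on the root only reaches children that still inherit from their parent, so children with inheritance disabled are walked and given an explicit entry, and the result is verified before the owner is put back.

```powershell
# Added example, not code from the original post or the NTFSSecurity project.
# Needs an elevated session and the NTFSSecurity module.
# Assumed (hypothetical) values: the path, domain, group and account below.
Import-Module NTFSSecurity

$HomeDir        = 'Z:\home\jsmith'        # assumed home directory
$ServiceAccount = 'ISAD\svc_account'      # assumed service account (read-only)
$TempOwner      = 'ISAD\Domain Admins'    # assumed group that holds ownership temporarily

function Grant-HomeDirReadAccess {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Account,
        [Parameter(Mandatory)] [string]$TakeOwnerAs
    )

    # Backup/restore privileges let the admin read and rewrite security descriptors
    # it is otherwise denied, and let Set-NTFSOwner assign ownership to a principal
    # other than the caller (needed when the original owner is restored in step 4).
    Enable-Privileges

    # Step 1: remember the current owner, then take ownership.
    $originalOwner = (Get-NTFSOwner -Path $Path).Owner
    Set-NTFSOwner -Path $Path -Account $TakeOwnerAs

    # Step 2 and the inheritable half of step 3: one Allow ACE on the root that
    # applies to this folder, subfolders and files (ContainerInherit + ObjectInherit).
    # Every existing and future child that still inherits from its parent gets it.
    Add-NTFSAccess -Path $Path -Account $Account -AccessRights ReadAndExecute `
        -AccessType Allow -AppliesTo ThisFolderSubfoldersAndFiles

    # The half an inheritable ACE cannot do: children with inheritance disabled
    # never receive it, so those get an explicit entry of their own.
    $enumErrors = @()
    $children = Get-ChildItem -Path $Path -Recurse -Force `
        -ErrorAction SilentlyContinue -ErrorVariable enumErrors
    $explicitFixes = @()
    foreach ($child in $children) {
        $inheritance = Get-NTFSInheritance -Path $child.FullName
        if (-not $inheritance.AccessInheritanceEnabled) {
            if ($child.PSIsContainer) {
                # a folder: make the explicit entry inheritable again below it
                Add-NTFSAccess -Path $child.FullName -Account $Account `
                    -AccessRights ReadAndExecute -AppliesTo ThisFolderSubfoldersAndFiles
            }
            else {
                # a file: a plain entry, files carry no inheritance flags
                Add-NTFSAccess -Path $child.FullName -Account $Account `
                    -AccessRights ReadAndExecute -AppliesTo ThisFolderOnly
            }
            $explicitFixes += $child.FullName
        }
    }

    # Check: every child should now list the account, inherited or explicit.
    $stillMissing = foreach ($child in $children) {
        $entries = Get-NTFSAccess -Path $child.FullName -Account $Account -ErrorAction SilentlyContinue
        if (-not $entries) { $child.FullName }
    }

    # Step 4: hand ownership back to whoever owned the folder before.
    Set-NTFSOwner -Path $Path -Account $originalOwner
    $ownerNow = (Get-NTFSOwner -Path $Path).Owner

    Disable-Privileges

    [pscustomobject]@{
        Path          = $Path
        OriginalOwner = "$originalOwner"
        OwnerRestored = ("$ownerNow" -eq "$originalOwner")
        ExplicitFixes = @($explicitFixes)          # children that had inheritance disabled
        StillMissing  = @($stillMissing)           # children the account still cannot read
        Unreadable    = @($enumErrors | ForEach-Object { $_.TargetObject })  # skipped by Get-ChildItem
    }
}

Grant-HomeDirReadAccess -Path $HomeDir -Account $ServiceAccount -TakeOwnerAs $TempOwner | Format-List
```

Run it in the elevated session that will do the work, with the Z: mapping made in that same session: a drive letter mapped in a non-elevated logon is not visible to the elevated one, so Test-Path on Z:\... fails there for a reason unrelated to permissions. A non-empty StillMissing or Unreadable list is the thing to look at before declaring step 3 done; the root folder's own ACL can look correct while those children are the ones the service account cannot read.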



    • #243677
      Topics: 13
      Replies: 1753
      Points: 3,136
      Helping Hand
      Rank: Community Hero

      jim, welcome back. Please take a moment and read the very first post on top of the list of this forum: Read Me Before Posting! You’ll be Glad You Did!.

      When you post code, error messages, sample data or console output format it as code, please.
      In the “Text” view you can use the code tags “PRE“, in the “Visual” view you can use the format template “Preformatted“. You can go back edit your post and fix the formatting – you don’t have to create a new one.
      Thanks in advance.

      The code you post is very difficult to read, please correct it with PRE tags. You’re referencing “Step 3” but there are no comments that indicate steps or where in the code you are having issues. Either comment what is not working, as it’s a lot of code, or only post the section that isn’t working.
