I'm trying to use a CSV import to create batch users but for it to also create users' home folder and profile folders but with setting permissions at the same time.
I've found a lot of helpful information online, I just don't know how to make the syntax work with what I already have which took me quite a long time to even get to.
This is my script so far for creating accounts on the domain controller and then syncing them with O365. We use a csv as we create tons of users at the same time:
Import-Csv "C:\blablabla\filename.csv" | ForEach-Object {
New-ADUser -Name $_.Name `
-GivenName $_."GivenName" `
-Surname $_."Surname" `
-DisplayName $_."DisplayName" `
-SamAccountName $_."samAccountName" `
-UserPrincipalName $_."UserPrincipalName" `
-Path $_."Path" `
-AccountPassword (ConvertTo-SecureString “Pa$$w0rd” -AsPlainText -force) -Enabled $true `
-EmailAddress $_."EmailAddress" `
-ProfilePath $_."ProfilePath" `
-HomeDrive $_."HomeDrive" `
-HomeDirectory $_."HomeDirectory" `
-ScriptPath $_."ScriptPath" `
-Server $_."Server" `
-OtherAttributes #{ProxyAddresses= $_."ProxyAddresses"} `
}
Start-ADSyncSyncCycle -PolicyType Initial
All the values point to columns in the excel file which auto-complete based on a user's first and last name.
I know I'm supposed to be creating the home and profile folders and setting permissions as per the below for example, I just don't know how to make the syntax work with what I already have?
So far, the values only get set in AD correctly but the folders don't get created and permissions aren't getting applied.
I guess I could just add an other command to create a new folder but I wouldn't know how to do append that to the foreach command?
New-Item -ItemType Directory -Path \\dc\userdata
$ACL = (Get-ACL -Path $HomeDirectory)
$FullControlAccessRule = (New-Object System.Security.AccessControl.FileSystemAccessRule([System.Security.Principal.NTAccount]"hcc.local\$UserName","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"))
$ACL.AddAccessRule($FullControlAccessRule)
Set-ACL -Path $HomeDirectory $ACL
Any help would be greatly appreciated.
Thanks.
So, as per what NAS said, something like this then
?
-OtherAttributes #{ProxyAddresses= $_."ProxyAddresses"}
New-Item -ItemType Directory -Path $_.HomeDirectory
New-Item -ItemType Directory -Path $_.ProfilePath
$ACL = (Get-ACL -Path $_.HomeDirectory)
$FullControlAccessRule = (New-Object System.Security.AccessControl.FileSystemAccessRule(
[System.Security.Principal.NTAccount]"hcc.local\$($_.samAccountName)",
"FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"))
$ACL.AddAccessRule($FullControlAccessRule)
Set-ACL -Path $_.HomeDirectory $ACL
$ACL = (Get-ACL -Path $_.ProfilePath)
$FullControlAccessRule = (New-Object System.Security.AccessControl.FileSystemAccessRule(
[System.Security.Principal.NTAccount]"hcc.local\$($_.samAccountName)",
"FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"))
$ACL.AddAccessRule($FullControlAccessRule)
Set-ACL -Path $_.ProfilePath $ACL
Import-Csv "C:\blablabla\filename.csv" | ForEach-Object {
New-ADUser -Name $_.Name `
...
-OtherAttributes #{ProxyAddresses= $_."ProxyAddresses"} # Remove backtick
New-Item -ItemType Directory -Path $_.HomeDirectory # create home path if needed
New-Item -ItemType Directory -Path $_.ProfilePath # create profile path if needed
$ACL = (Get-ACL -Path $_.HomeDirectory) # No need for quotes around properties if they do not contain spaces or other special characters
$FullControlAccessRule = (New-Object System.Security.AccessControl.FileSystemAccessRule(
[System.Security.Principal.NTAccount]"hcc.local\$($_.samAccountName)", # replace $UserName with correct variable
"FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"))
$ACL.AddAccessRule($FullControlAccessRule)
Set-ACL -Path $_.HomeDirectory $ACL
# -> # repeat for profile path if needed
}
Related
everyone please help me, I need a command to assign permissions to a folder in the directory tree, conditional on the correct directory name to be assigned. I am trying to write a command line but when assigning a group or a user, it can be assigned but other users are removed, I want to not remove any users.
$mypath = "D:\KIEM TRA1"
$myacl = Get-Acl $mypath
$myaclentry = "EMC0\test.ktnb","readandexecute,write","Allow"
$myaccessrule = New-Object System.Security.AccessControl.FileSystemAccessRule($myaclentry)
$myacl.SetAccessRule($myaccessrule)
Get-ChildItem -Path "$mypath" -Recurse -Force |
Where-Object { $_.Name -eq 'A' -or $_.Name -eq 'B' } |
Set-Acl -AclObject $myacl -Verbose
I want to do it on a subdirectory and not remove the existing user
I guess what you need is to create a new access rule using 5 parameters, so you can handle inheritance and propagation too.
Try this (always on a set of test folders first of course..)
$mypath = "D:\KIEM TRA1"
$account = "EMC0\test.ktnb"
# see: https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemrights
# https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.inheritanceflags
# https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.propagationflags
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new($account, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
# on older PowerShell versions use:
# $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
# get a list of folder FullNames of subfolders with name 'A' or 'B'
$folders = (Get-ChildItem -Path $mypath -Directory -Recurse | Where-Object { $_.Name -match '^[AB]$' }).FullName
foreach ($directory in $folders) {
# get the current ACL of the folder
$acl = Get-Acl -Path $directory
# add the new rule to the ACL
$acl.AddAccessRule($rule)
$acl | Set-Acl -Path $directory -Verbose
}
Note:
Instead of AddAccessRule(), you might prefer SetAccessRule().
AddAccessRule
This method will add this access rule to the ACL.
If a user has Modify permission and we use AddAccessRule() to create a new rule with Read permission the user will still also have Modify permissions.
SetAccessRule
This method removes any existing access an replaces that access with the specified rule.
If a user has Modify permission and a new rule is created using SetAccessRule() specifying Read permission, that user will now only have Read permission.
I try to create a folder using PowerShell for the following files
4_2017-07-16_01-22-52.mp4
4_2017-07-16_01-23-50.mp4
4_2017-07-16_01-24-54.mp4
4_2017-07-16_01-26-21.mp4
I use this method
https://stackoverflow.com/a/41468253/13002495
the problem that it will create a directory 4 then move the files to it what I need to have a directory like the following
4_2017-07-16 or a directory like 4_2017_07_16
this is the first method.
the second method if you can help to have a script to create the following directories
2017 directory then a subdirectory 02 then subdirectory 16 then a subdirectory 4 then move the files to subdirectory 4
so it will be as following
2017
--------07
------------16
---------------------04 ----> files will be here
can you help with these 2 methods?
You could try something like this:
$folder = 'FILES_FOLDER'
Get-ChildItem -Path $folder | ForEach-Object {
$subFolders = $_.Name.Split("-_")
$path = Get-Location
$order = 1, 2, 3, 0
$order | ForEach-Object {
$path = Join-Path -Path $path -ChildPath $subFolders[$_]
if (-not (Test-Path -Path $path -PathType Container)){
New-Item -Path $path -ItemType Directory
}
}
Move-Item -Path $_.FullName -Destination $path
}
Which will move all files to:
2017/07/16/4/4_2017-07-16_01-22-52.mp4
2017/07/16/4/4_2017-07-16_01-23-50.mp4
2017/07/16/4/4_2017-07-16_01-24-54.mp4
2017/07/16/4/4_2017-07-16_01-26-21.mp4
Explanation:
Split the files on "-" and "_" with Split. Can look at about_split for more information.
Get the current folder path with Get-Location, which is used to append to the current path for making sub directories.
Create an $order array to create the correct sub folder order as shown in the question.
Iterate through this $order array and create new directories if they dont exist. Can use Test-Path to check if the sub folders exist, and New-Item to create a new directory.
Move files to final sub directory with Move-Item. These sub directories will be in your current working directory. You could obviously change this to another directory location as well.
For your first method (one destination folder with name like 4_2017_07_16), you can do:
$source = 'D:\Mp4Files' # rootfolder where the files are
$destination = 'D:\Test' # rootfolder where the files need to go
Get-ChildItem -Path $source -File -Filter '*.mp4' |
Group-Object { ($_.BaseName -replace'(\d+_[^_]+).*', '$1') } |
ForEach-Object {
$targetFolder = Join-Path -Path $destination -ChildPath $_.Name
# create this folder if it does not already exist
if (!(Test-Path -Path $targetFolder -PathType Container)) {
$null = New-Item -Path $targetFolder -ItemType Directory
}
$_.Group | Move-Item -Destination $targetFolder
}
Result:
D:\TEST\4_2017-07-16
4_2017-07-16_01-22-52.mp4
4_2017-07-16_01-23-50.mp4
4_2017-07-16_01-24-54.mp4
4_2017-07-16_01-26-21.mp4
The second method creates more subfolders, based on the first part of the filenames:
$source = 'D:\Mp4Files'
$destination = 'D:\Test'
Get-ChildItem -Path $source -File -Filter '*.mp4' |
Group-Object { ($_.BaseName -replace'(\d+_[^_]+).*', '$1') } |
ForEach-Object {
$index, $year, $month, $day = $_.Name -split '[-_]'
$targetFolder = Join-Path -Path $destination -ChildPath ('{0}\{1:00}\{2:00}\{3:00}' -f $year, [int]$month, [int]$day, [int]$index)
# create this folder if it does not already exist
if (!(Test-Path -Path $targetFolder -PathType Container)) {
$null = New-Item -Path $targetFolder -ItemType Directory
}
$_.Group | Move-Item -Destination $targetFolder
}
Result:
D:\TEST\2017
\---07
\---16
\---04
4_2017-07-16_01-22-52.mp4
4_2017-07-16_01-23-50.mp4
4_2017-07-16_01-24-54.mp4
4_2017-07-16_01-26-21.mp4
I have Windows Server 2016 Datacenter (64 bit) as a File Server (contains several Shared folder & subfolders).
I want to make a list OR export user Folder Structure along with permissions ( Read, Modify, Full .. etc..)
I tried with below PS script but I am getting an error message with I have mentioned after the script.
Powershell
$FolderPath = dir -Directory -Path "E:\Project Folders\#Folder_Name" -Recurse -Force
$Report = #()
Foreach ($Folder in $FolderPath) {
$Acl = Get-Acl -Path $Folder.FullName
foreach ($Access in $acl.Access)
{
$Properties = [ordered]#{'FolderName'=$Folder.FullName;'AD Group or User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
$Report += New-Object -TypeName PSObject -Property $Properties
}
}
$Report | Export-Csv -path "C:\Folder Permissions\Folder Name.csv"
Error:
dir : Access to the path 'E:\Project Folders**Folder Path**\New folder' is denied. At C:\Users\Administrator\Documents\PS Script**File Name**.ps1:1 char:15 + ... olderPath = dir -Directory -Path "E:\Project Folders**Folder Name**" -Re ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (E:\Project Fold...ngar\New folder:String) [Get-Child Item], UnauthorizedAccessException + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
Please help me out!
Thanks in Advance
As noted by the other comments.
This is not a PowerShell error/issue, it is a permissions one. The same thing can/will happen if you say you did this use case on the Windows folder tree.
Since you know this will happen, either fix the permissions on the tree you are working on or do this.
Get-ChildItem -Directory -Path 'C:\Windows\System32' -Recurse -ErrorAction SilentlyContinue
or if you want to just stop when a path fails.
# Treat non-terminating erros as terminating
$RootFolderUnc = 'C:\Windows\System32'
Try {Get-ChildItem -Directory -Path $RootFolderUnc -Recurse -ErrorAction Stop}
Catch [System.UnauthorizedAccessException]
{
Write-Warning -Message "$env:USERNAME. You do not have permissions to view this path."
$_.Exception.Message
}
I am new to PowerShell and looking for some help. Here I am trying to create a text file in all the drives but seems I am missing something here, any help is appreciated:
$drives = get-psdrive -p "FileSystem"
foreach ($drive in $drives)
{
New-Item -Path '$drive:\IO.txt' -ItemType File
}
Also, have another query regarding the same that how I can exclude particular drives e.g. "A:", "C:", "D:" drives?
Thanks
I think this is more what you are after.
$drives = get-psdrive -p "FileSystem"
$exclude = "C","D"
foreach ($drive in $drives) {
# Exclamation (!) is the same as -not meaning if not $true > Do the thing
If(!$exclude.Contains($drive.Name)) {
New-Item -Path "$($drive):\IO.txt" -ItemType File
}
}
Give New-Item -ItemType File -Name "Filename.ext" a shot,
see: https://mathieubuisson.github.io/powershell-linux-bash/
A more PowerShell like way is to filter the drives with a Where-Object and
do it in a single pipe
Get-PSDrive -PSProvider "FileSystem" |
Where-Object Name -notmatch 'A|C|D' |
New-Item -Path {"$($_.Name):\IO.txt"} -ItemType File -WhatIf
If the output looks OK remove the trailing -WhatIf
I'm having some trouble creating home folders with powershell, I create the folder
New-Item -Path "C:\Homes\" -name $username -ItemType Directory
Then I copy the ACL and disable the inheritance and add the new permissions
$Rights = [System.Security.AccessControl.FileSystemRights]"FullControl"
$Inheritance = [System.Security.AccessControl.InheritanceFlags]::"ContainerInherit", "ObjectInherit"
$Propagation = [System.Security.AccessControl.PropagationFlags]::None
$AC =[System.Security.AccessControl.AccessControlType]::Allow
$NewACL = New-Object System.Security.AccessControl.FileSystemAccessRule ($username, $Rights, $Inheritance, $Propagation, $AC)
$ACL = Get-Acl -Path "C:\Homes\$username"
$ACL.SetAccessRuleProtection($True, $False)
$ACL.SetAccessRule($NewACL)
$NewACL = New-Object System.Security.AccessControl.FileSystemAccessRule ("SYSTEM", $Rights, $Inheritance, $Propagation, $AC)
$ACL.SetAccessRule($NewACL)
$NewACL = New-Object System.Security.AccessControl.FileSystemAccessRule ("Administrators", $Rights, $Inheritance, $Propagation, $AC)
$ACL.SetAccessRule($NewACL)
Set-Acl -Path "C:\Homes\$username" -AclObject $ACL
Finally I mount the folders as H: and set it as home dir
Set-ADUser -Identity $username -Replace #{HomeDirectory=$homeDir}
Set-ADUser -Identity $username -Replace #{HomeDrive=$homeDrive}
When I login to a user and try to add a file/folder I recieve permission denied.
The Root Folder (C:\Homes) is shared and has configured permissions
#Louis J. Are you sure permissions have been set properly? I mean you should try to get ACL of the created folder using command like :
(Get-Acl H:...).Access
Then check user's rights over this directory.
By the way, do you execute your script with elevated rights?