Fix Users Homefolder Permissions

As one step in making sure my customer's AD and file server are safe, working and being backed up properly, I wrote a small PowerShell script. The script walks through a selected Organizational Unit and verifies that every user has a Home Directory set, and that the folder has the appropriate NTFS permissions.

Previously all users had Full Control on their home folder, which led to users resetting the permissions and removing entries they did not want (the Backup or Admin accounts) from their “private” stuff. Once the backup account is removed, that folder silently stops being backed up.

This script sets Modify permissions for the user instead. I know it's not the most well-written script out there, but it works! :)

#	User Home Directory Permissions - heineborn.com 2013-01-15
#
#	Creates a HomeDirectory for users who are missing one.
#	Verifies they have Modify permissions, if they have Full it replaces with Modify.

# Loading modules
Import-Module ActiveDirectory

$DC = "DC01.HEINEBORN.LOCAL"
$OU = "OU=Users,DC=heineborn,DC=local"

# Only HomeDirectory is needed; requesting every property is slow on large OUs.
$Content = (Get-ADUser -Server $DC -Filter * -Properties HomeDirectory -SearchBase $OU | Select-Object SamAccountName, HomeDirectory)

FOREACH ($ID in $Content) {
    $User = $ID.SamAccountName
    $Folder = $ID.HomeDirectory
    # If the user does not have a value for HomeDirectory it skips.
    If ($Folder) {
        # If the HomeDirectory does not exist it is created, and the user is granted
        # Modify (M) that is inherited by files (OI) and subfolders (CI).
        If ((Test-Path $Folder) -ne $true) {
            New-Item -ItemType Directory -Path $Folder | Out-Null
            icacls $Folder /grant "$($User):(OI)(CI)M"
        }
        # Checking if user has Full permissions on their folder.
        # icacls prints one line per ACE, e.g. "HEINEBORN\user:(F)"; this pattern only
        # matches an explicit Full Control entry without inheritance flags.
        $Icacls = icacls $Folder
        $Match = "*" + $User + ":(F)*"
        $IcaclsResult = $Icacls -like $Match
        If ($IcaclsResult) {
            Write-Host $User " HomeDirectory has incorrect permissions. Resetting..."
            # Remove all of the user's explicit grants, then re-add Modify only.
            icacls $Folder /remove:g $User
            icacls $Folder /grant "$($User):(OI)(CI)M"
        }
    }
}
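The script above decides whether a folder needs fixing by pattern-matching the text that icacls prints, which misses a Full Control entry that carries inheritance flags and does not notice when a user has disabled inheritance or stripped the backup account. The following is an added example, not the original script from this post: it does the same audit with Get-Acl and the .NET FileSystemRights values, reports users with no HomeDirectory at all, checks that the admin and backup accounts still hold Full Control, and only rewrites an ACL when $Repair is set to $true. The domain name CONTOSO, the backup account CONTOSO\svc-backup and the $DC/$OU values are placeholders I made up for the example.

```powershell
# Added example (not the post's own script): audit, and optionally repair, home-folder
# ACLs with Get-Acl/Set-Acl instead of parsing icacls text output.
# Assumed placeholders (not from the post): the domain NETBIOS name CONTOSO, a backup
# service account CONTOSO\svc-backup, and the $DC/$OU values below.
Import-Module ActiveDirectory

$DC       = "DC01.contoso.local"
$OU       = "OU=Users,DC=contoso,DC=local"
$Domain   = "CONTOSO"
# Accounts that must keep Full control on every home folder. They are granted once at
# the share root and inherited; the audit flags folders where a user removed them.
$Required = @("$Domain\Domain Admins", "$Domain\svc-backup")
$Repair   = $false   # $false = report only, $true = rewrite the ACL

$Full   = [System.Security.AccessControl.FileSystemRights]::FullControl
$Modify = [System.Security.AccessControl.FileSystemRights]::Modify

function Test-HomeFolderAcl {
    # Returns a list of findings for one folder; an empty list means the ACL is as expected.
    param([string]$User, [string]$Folder)
    $acl = Get-Acl -Path $Folder
    $findings = @()
    $identity = "$Domain\$User"
    $userAces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $identity })
    if ($userAces.Count -eq 0) { $findings += "user has no ACE" }
    foreach ($ace in $userAces) {
        # FullControl is a combined flag set, so compare the masked value, not -eq on the raw rights.
        if (($ace.FileSystemRights -band $Full) -eq $Full) { $findings += "user has Full control" }
    }
    # Users who "reset" permissions typically break inheritance first.
    if ($acl.AreAccessRulesProtected) { $findings += "inheritance disabled" }
    foreach ($name in $Required) {
        $ok = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $name -and (($_.FileSystemRights -band $Full) -eq $Full)
        }
        if (-not $ok) { $findings += "missing Full control for $name" }
    }
    return $findings
}

function Repair-HomeFolderAcl {
    param([string]$User, [string]$Folder)
    $acl = Get-Acl -Path $Folder
    $identity = "$Domain\$User"
    # Re-enable inheritance (keeping existing explicit ACEs) so the root-level admin and
    # backup ACEs flow back down, then replace the user's explicit ACEs with Modify
    # applied to this folder, its subfolders and its files.
    $acl.SetAccessRuleProtection($false, $true)
    $explicit = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $identity -and -not $_.IsInherited })
    foreach ($ace in $explicit) { [void]$acl.RemoveAccessRule($ace) }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $Modify, "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

$Users = Get-ADUser -Server $DC -Filter * -SearchBase $OU -Properties HomeDirectory
foreach ($u in $Users) {
    if (-not $u.HomeDirectory) {
        Write-Warning "$($u.SamAccountName): no HomeDirectory set in AD"
        continue
    }
    if (-not (Test-Path -Path $u.HomeDirectory)) {
        Write-Warning "$($u.SamAccountName): HomeDirectory $($u.HomeDirectory) does not exist"
        continue
    }
    $issues = @(Test-HomeFolderAcl -User $u.SamAccountName -Folder $u.HomeDirectory)
    if ($issues.Count -gt 0) {
        Write-Host "$($u.SamAccountName): $($issues -join '; ')"
        if ($Repair) { Repair-HomeFolderAcl -User $u.SamAccountName -Folder $u.HomeDirectory }
    }
}
```

Run it once with $Repair left at $false and review the report before switching it on; the report alone tells you which folders have dropped out of the backup set. Set-Acl needs an account that owns the folder or holds the Change Permissions right on it, so a folder whose owner has locked everyone out still has to have its ownership taken first, as comment 7 below notes for the quota case.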

(Screenshot: Advanced Security Settings)

Let me know if anything is not working for you and I’ll do my best to help you out.

10 Comments

  1. Great Script!!

    I have used it to correct my homefolder permission issues. Now I'm working to add a portion to create and set the home folder from a second file that lists server names. This way the script continues through the OU.

    Thanks again

    • How do I modify to not use the $ID.Homedirectory value from ADUC user properties and instead match a username to a foldername, creating the folder if it does not exist? We don't populate the home directory field in ADUC as it seems to slow down logon. A user home drive is mapped at logon matching usernames to folder names.

  2. Joakim

    Thanks for stopping by, and glad to hear it helped you.
    I slightly updated the script and removed the need for a CSV-file.

  3. Hi,

    This is awesome, but will this script set the permissions for sub files and folders? Also how could I add Domain Admins to the full permissions? Thanks

    • Joakim

      Hi Rob,

      This script will inherit down in the user-folders. And yes, you can certainly add "Domain Admins" to the permissions. I do however recommend you doing this at the root-folder and not on every user-folder.

      If you for some reason cannot add permissions to the root-folder let me know and I'll send you an updated version of the script.

      Best regards,
      Joakim

  4. Hi Joakim,
    Thanks for the reply, I really appreciate it! Unfortunately our permissions are broken, I've taken ownership of the files but need to reset all the permissions which is why I could do with a script to add domain admin! Any help would be brilliant! Thanks

  5. Would this do the job:

    # User Home Directory Permissions - heineborn.com 2013-01-15
    #
    # Creates a HomeDirectory for users who are missing one.
    # Verifies they have Modify permissions, if they have Full it replaces with Modify.

    # Loading modules
    Import-Module ActiveDirectory

    $DC = "Monmouth.local"
    $OU = "OU=Mathematics,OU=Academic Departments,OU=Users,OU=Monmouth School,DC=Monmouth,DC=local"

    $Content = (Get-ADUser -server $Dc -filter * -Properties * -SearchBase $OU | select SamAccountName, HomeDirectory)

    FOREACH ($ID in $Content) {
        $User = $ID.SamAccountName
        $Folder = $ID.HomeDirectory
        $Domain = "Monmouth.local\Domain Admins"
        # If the user does not have a value for HomeDirectory it skips.
        If ($Folder) {
            # If the HomeDirectory does not exist its created.
            If ((Test-Path $Folder) -ne $true) {
                New-Item -ItemType directory -Path $Folder
                icacls $Folder /grant $User`:`(OI`)`(CI`)F
            }
            # Checking if user has Full permissions on their folder.
            $Icacls = icacls $Folder
            $Match = "*" + $User + ":(F)*"
            $IcaclsResult = $Icacls -like $Match
            If ($IcaclsResult) {
                Write-Host $User " HomeDirectory has incorrect permissions. Resetting..."
                icacls $Folder /remove:g $User
                icacls $Folder /grant $User`:`(OI`)`(CI`)F
                icacls $Folder /grant $domain`:`(OI`)`(CI`)F
            }
        }
    }

    • Joakim

      Hi Rob,

      Looks good, you should add "icacls $Folder /grant $domain`:`(OI`)`(CI`)F" to the "# If the HomeDirectory does not exist its created." section to make sure that it's added even if a folder does not exist.
      / J

  6. Hello! This post could not be written any better!

  7. Perhaps set the owner of folder if using disk quotas. icacls $Folder /setowner $User /T

