Fix Users Homefolder Permissions

As a step in making sure my customer's AD and file server are safe and working (and getting backed up properly), I designed a small PowerShell script. The script looks through a selected Organizational Unit and verifies that all users have a Home Directory set, and that it has the appropriate NTFS permissions.

Previously all users had Full permissions on their home folder, which led to users resetting permissions and removing entries they did not want (Backup or Admin accounts) from their “private” stuff.

This script will set Modify-permissions for the user. I know it’s not the most well-written script out there, but it works! :)

#	User Home Directory Permissions - heineborn.com 2013-01-15
#
#	Creates a HomeDirectory for users who are missing one.
#	Verifies they have Modify permissions, if they have Full it replaces with Modify.

# Loading modules
Import-Module ActiveDirectory

$DC = "DC01.HEINEBORN.LOCAL"
$OU = "OU=Users,DC=heineborn,DC=local"

# Only the HomeDirectory property is needed, so request just that one.
$Content = Get-ADUser -Server $DC -Filter * -Properties HomeDirectory -SearchBase $OU |
    Select-Object SamAccountName, HomeDirectory

foreach ($ID in $Content) {
    $User = $ID.SamAccountName
    $Folder = $ID.HomeDirectory
    # Users without a HomeDirectory value are skipped.
    if ($Folder) {
        # If the HomeDirectory folder does not exist, it is created.
        if (-not (Test-Path $Folder)) {
            New-Item -ItemType Directory -Path $Folder
            icacls $Folder /grant "${User}:(OI)(CI)M"
        }
        # Check whether the user has Full permissions on their folder.
        # icacls prints inheritance flags before the right, e.g. DOMAIN\user:(OI)(CI)(F),
        # so allow any flags between the colon and (F). The leading "\" keeps
        # account "ann" from matching "joann".
        $Icacls = icacls $Folder
        $Match = "*\" + $User + ":*(F)*"
        $IcaclsResult = $Icacls -like $Match
        if ($IcaclsResult) {
            Write-Host "$User HomeDirectory has incorrect permissions. Resetting..."
            icacls $Folder /remove:g $User
            icacls $Folder /grant "${User}:(OI)(CI)M"
        }
    }
}
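
A read-only companion check, added here as an example and not part of the author's script: it reads each ACL with Get-Acl instead of matching icacls text, and also flags folders the user owns, because an owner can rewrite the ACL even when granted only Modify. The function name Test-HomeFolderAcl and the finding labels are made up for this example; $DC and $OU reuse the values from the script above.

```powershell
# Added example: read-only audit of home-folder ACLs. It changes nothing.
Import-Module ActiveDirectory

$DC = "DC01.HEINEBORN.LOCAL"            # same values as the post's script
$OU = "OU=Users,DC=heineborn,DC=local"

# Access-mask bits that let a user rewrite the ACL:
# ChangePermissions (0x40000), TakeOwnership (0x80000), GENERIC_ALL (0x10000000).
$AclBits = 0x40000 -bor 0x80000 -bor 0x10000000

# Hypothetical helper: returns one object per user with the findings for the folder.
function Test-HomeFolderAcl {
    param([string]$User, [string]$Folder)

    if (-not (Test-Path -LiteralPath $Folder)) {
        return [pscustomobject]@{ User = $User; Folder = $Folder; Finding = 'FolderMissing' }
    }
    $Acl = Get-Acl -LiteralPath $Folder

    # Allow entries (explicit or inherited) whose identity ends in "\<user>".
    $UserAces = @($Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Value -split '\\')[-1] -eq $User
    })

    $Findings = @()
    # Full Control includes these bits; Modify does not.
    if ($UserAces | Where-Object { ([int]$_.FileSystemRights -band $AclBits) -ne 0 }) {
        $Findings += 'UserCanChangeAcl'
    }
    # The owner can change permissions regardless of the rights granted.
    if (($Acl.Owner -split '\\')[-1] -eq $User) { $Findings += 'UserIsOwner' }
    # Inheritance switched off: ACEs from the root folder no longer apply here.
    if ($Acl.AreAccessRulesProtected) { $Findings += 'InheritanceDisabled' }
    if (-not $Findings) { $Findings = 'OK' }

    [pscustomobject]@{ User = $User; Folder = $Folder; Finding = $Findings -join ',' }
}

Get-ADUser -Server $DC -Filter * -Properties HomeDirectory -SearchBase $OU |
    Where-Object { $_.HomeDirectory } |
    ForEach-Object { Test-HomeFolderAcl -User $_.SamAccountName -Folder $_.HomeDirectory } |
    Format-Table -AutoSize
```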

Advanced Security Settings

Let me know if anything is not working for you and I’ll do my best to help you out.


Comments

  • z

    Great Script!!

    I have used it to correct my homefolder permission issues. Now I'm working to add a portion to create and set the home folder from a second file that lists server names. This way the script continues through the OU.

    Thanks again

    March 25, 2013 — 6:55
  • Joakim

    Thanks for stopping by, and glad to hear it helped you.
    I slightly updated the script and removed the need for a CSV-file.

    March 26, 2013 — 9:25
  • Hi,

    This is awesome, but will this script set the permissions for sub files and folders? Also, how could I add Domain Admins to the full permissions? Thanks

    October 30, 2013 — 19:13
    • Joakim

      Hi Rob,

      This script will inherit down in the user-folders. And yes, you can certainly add "Domain Admins" to the permissions. I do however recommend you doing this at the root-folder and not on every user-folder.

      If you for some reason cannot add permissions to the root-folder let me know and I'll send you an updated version of the script.

      Best regards,
      Joakim

      October 30, 2013 — 22:29
  • Hi Joakim,
    Thanks for the reply, I really appreciate it! Unfortunately our permissions are broken, I've taken ownership of the files but need to reset all the permissions which is why I could do with a script to add domain admin! Any help would be brilliant! Thanks

    October 31, 2013 — 8:04
  • Would this do the job:

    # User Home Directory Permissions – heineborn.com 2013-01-15
    #
    # Creates a HomeDirectory for users who are missing one.
    # Verifies they have Modify permissions, if they have Full it replaces with Modify.

    # Loading modules
    Import-Module ActiveDirectory

    $DC = "Monmouth.local"
    $OU = "OU=Mathematics,OU=Academic Departments,OU=Users,OU=Monmouth School,DC=Monmouth,DC=local"

    $Content = (Get-ADUser -server $Dc -filter * -Properties * -SearchBase $OU | select SamAccountName, HomeDirectory)

    FOREACH ($ID in $Content) {
        $User = $ID.SamAccountName
        $Folder = $ID.HomeDirectory
        $Domain = "Monmouth.local\Domain Admins"
        # If the user does not have a value for HomeDirectory it skips.
        If ($Folder) {
            # If the HomeDirectory does not exist its created.
            If ((Test-Path $Folder) -ne $true) {
                New-Item -ItemType directory -Path $Folder
                icacls $Folder /grant $User`:`(OI`)`(CI`)F
            }
            # Checking if user has Full permissions on their folder.
            $Icacls = icacls $Folder
            $Match = "*" + $User + ":(F)*"
            $IcaclsResult = $Icacls -like $Match
            If ($IcaclsResult) {
                Write-Host $User " HomeDirectory has incorrect permissions. Resetting…"
                icacls $Folder /remove:g $User
                icacls $Folder /grant $User`:`(OI`)`(CI`)F
                icacls $Folder /grant $domain`:`(OI`)`(CI`)F
            }
        }
    }

    October 31, 2013 — 9:32
    • Joakim

      Hi Rob,

      Looks good, you should add "icacls $Folder /grant $domain`:`(OI`)`(CI`)F" to the "# If the HomeDirectory does not exist its created." section to make sure that it's added even if a folder does not exist.
      / J

      November 2, 2013 — 10:48