September 30, 2016

In the previous post, IT Admin Tips: Create Personal Folders for All Active Directory Users With PowerShell, we went through the steps to create a PowerShell script that would go through your list of Domain Accounts and create a Personal Folder for each active account. This is very useful when you are first implementing Personal Folders, but what about creating Personal Folders for newly created Domain Accounts? Wouldn't it be helpful to have something in place that automatically creates a properly configured Personal Folder for a newly created Domain Account within minutes of the account being created? That is precisely what we will build in this post.

Just like in the previous post, we will begin by importing the ActiveDirectory module for use and setting a variable to be the UNC path for the shared folder.

import-module ActiveDirectory

$Directory = "\\UNCPATHTOSHAREDFOLDER"

Next, we will be doing something similar to what we did within the post IT Admin Tips: Creating AD User Account Alerts, with regards to the "Account Created Alert" that was created. Just like in that post, we will begin by storing the contents of the most recent Event ID 4720, which is generated whenever a new Domain Account is created, into a variable for use.

$Event = Get-EventLog -LogName Security -InstanceId 4720 -Newest 1

Next, we will need to parse the new Domain Account's username out of the event. This can be accomplished via the following code.

#The first replacement string of Event ID 4720 is TargetUserName, the new account's username
$UserName = $Event.ReplacementStrings[0]

Now that we have the username for the newly created user, we can obtain information on this account from Active Directory, which we will use when creating the Personal Folder.

$ADUserData = Get-ADUser $UserName
$Name = $ADUserData.Name
$UserID = $ADUserData.SamAccountName

Just like with the previous post, we will now create a Personal Folder for this newly created Domain Account, along with assigning the Full Control permission to this folder for the account.

New-Item -type directory -Path "$Directory\$Name"

$ACL = Get-Acl "$Directory\$Name"
$AccessRule = New-Object system.security.accesscontrol.filesystemaccessrule($UserID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$ACL.SetAccessRule($AccessRule)
Set-Acl "$Directory\$Name" $ACL

When all of this code is put together, we end up with something like the following.

#Import the ActiveDirectory module in order to access AD via PowerShell
import-module ActiveDirectory

#The UNC path for the shared folder
$Directory = "\\UNCPATHTOSHAREDFOLDER"

#Get the contents of the most recent Event ID 4720 (generated when an account is created)
$Event = Get-EventLog -LogName Security -InstanceId 4720 -Newest 1

#Parse out the UserName (the first replacement string of Event ID 4720 is TargetUserName)
$UserName = $Event.ReplacementStrings[0]

#Get User's Active Directory Object Data
$ADUserData = Get-ADUser $UserName
$Name = $ADUserData.Name
$UserID = $ADUserData.SamAccountName

#Create the new user's Personal Folder
New-Item -type directory -Path "$Directory\$Name"

#Give the user Full Control permissions to their Personal Folder
$ACL = Get-Acl "$Directory\$Name"
$AccessRule = New-Object system.security.accesscontrol.filesystemaccessrule($UserID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$ACL.SetAccessRule($AccessRule)
Set-Acl "$Directory\$Name" $ACL

Once this script has been created, you can schedule it within Task Scheduler on your Active Directory server using a Domain Account with the appropriate access. Ideally, this account would be some sort of "service" account and not associated with a particular IT Admin. In order for the new Domain Account's Personal Folder to be created immediately, you will need to configure the task to be triggered whenever Security Event ID 4720 occurs.

September 15, 2016

Recently, I created a PowerShell script to help out with automatically creating a large number of folders, which will be used as our employee "Personal" folders. If you're not sure what a Personal folder is, it is a shared directory used to store any documents or files that are relevant to the work that an employee is doing. These Personal folders are meant to be used alongside "Departmental" shared folders, which are where the documents and files that everyone within a department/area will need access to are stored. In the case of Personal folders, they are meant to hold just the documents and files that the one employee may be working with.

Without using Personal folders, most employees will store the majority of their files on their Desktop or Documents folders on their workstation, only saving a handful of documents to shared departmental folders and the like. This can be a problem in situations where the employee's workstation has a failing hard drive, there's a malware infection, etc. as there are likely no backups of their documents. Personal folders, on the other hand, are typically shared off of a corporate file server that has some sort of backup solution in-place to protect corporate data.

For my particular situation, which spawned the creation of this PowerShell script, I needed to create a Personal folder for every active user account set up within Active Directory. Once created, the correct permissions needed to be applied to the folder so that only the corresponding employee would have access to it. This is a pretty simple task, and a perfect candidate for a script.

Let's get started.

The first thing we will need to do is to import the Active Directory module for use. This module is essential in order for this script to obtain a list of all active accounts within Active Directory.

import-module ActiveDirectory

Next, let's just go ahead and store the UNC path to the shared folder where these Personal folders will be created into a variable for later use.

$Directory = "\\UNCPATHTOSHAREDFOLDER"

Now we can use the Get-ADUser cmdlet, provided to us by the ActiveDirectory module we imported, to get a list of all active accounts within Active Directory. This snippet of code will look like the following.

Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -Properties Name,SamAccountName

Since we don't just want the list of accounts, but also want to create a Personal folder for each account, we will need to create a loop. This can easily be done by piping the previous snippet of code into a ForEach-Object loop. Inside of this loop, we will need to first create the Personal folder for the user account, which will look something like the following. Keep in mind that, with how this code is written, the folder's name will be something like "John Smith," even if their account name is "John.Smith."

$Name = $_.Name
New-Item -type directory -Path "$Directory\$Name"

Lastly, we will need to assign the Full Control permission to this folder for the account itself. The following code will accomplish this.

$ACL = Get-Acl "$Directory\$Name"
$User = $_.SamAccountName
$AccessRule = New-Object system.security.accesscontrol.filesystemaccessrule($User,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$ACL.SetAccessRule($AccessRule)
Set-Acl "$Directory\$Name" $ACL

Combining all of this code together, with some minor tweaks and code comments, should give us the following script.

#Import the ActiveDirectory module in order to access AD via PowerShell
import-module ActiveDirectory

#The UNC path for the shared folder
$Directory = "\\UNCPATHTOSHAREDFOLDER"

#Get all active AD Users and loop through the usernames
Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -Properties Name,SamAccountName | ForEach-Object {

    $Name = $_.Name

    #Create Directory for each user
    New-Item -type directory -Path "$Directory\$Name"

    #Begin creating folder permissions
    $ACL = Get-Acl "$Directory\$Name"
    $User = $_.SamAccountName
    $AccessRule = New-Object system.security.accesscontrol.filesystemaccessrule($User,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
    $ACL.SetAccessRule($AccessRule)
    Set-Acl "$Directory\$Name" $ACL
}

Now you can run your code, which should result in a Personal folder being created for each active Active Directory account. Each of these should have the appropriate permissions applied, which is to give only the corresponding account Full Control over the folder.
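Both scripts above add a single ACE to a folder that still inherits the share root's permissions, so anyone granted on the root still gets in, and the event-driven script's -Newest 1 can miss an account when several are created in quick succession. The following added example, which is not the blog's own code, handles both posts with one shared function: inheritance is disabled and explicit Full Control ACEs are granted to the user (by SID), SYSTEM and Administrators, and the event-driven run processes every 4720 record newer than a saved watermark. The share root path, the watermark file location and the SYSTEM/Administrators grants are assumptions made for this example.

```powershell
# Added example, not the blog's script. Placeholders: $Root (share UNC path) and $StateFile.
Import-Module ActiveDirectory
$Root      = '\\UNCPATHTOSHAREDFOLDER'
$StateFile = "$env:ProgramData\PersonalFolders\last-4720-record-id.txt"   # hypothetical watermark file

function New-PersonalFolder {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$SamAccountName)
    $User = Get-ADUser -Identity $SamAccountName
    # The folder name comes from the AD Name attribute; accept only a plain single path component.
    $FolderName = $User.Name
    if ($FolderName -match '[\\/:*?"<>|]' -or $FolderName -in @('.', '..') -or $FolderName.Trim() -ne $FolderName) {
        throw "Refusing unsafe folder name '$FolderName' for $SamAccountName"
    }
    $Path = Join-Path -Path $Root -ChildPath $FolderName
    if (Test-Path -LiteralPath $Path) {
        Write-Warning "$Path already exists; leaving its ACL untouched"
        return $Path
    }
    $null = New-Item -ItemType Directory -Path $Path
    $Acl = Get-Acl -LiteralPath $Path
    # Stop inheriting the share root's ACEs; otherwise every group granted on the root still gets in.
    $Acl.SetAccessRuleProtection($true, $false)
    $Flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    # Grant the user by SID (no name lookup), plus SYSTEM and Administrators for backups and support.
    foreach ($Id in @($User.SID, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Id, 'FullControl', $Flags, 'None', 'Allow')
        $Acl.AddAccessRule($Rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $Acl
    return $Path
}

# Event-driven run (first post): handle every 4720 record newer than the saved watermark, not just -Newest 1.
$LastId = if (Test-Path -LiteralPath $StateFile) { [int64](Get-Content -LiteralPath $StateFile) } else { 0 }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordId -gt $LastId } | Sort-Object RecordId | ForEach-Object {
        $Ev = $_
        # TargetUserName in the 4720 event data is the new account's sAMAccountName.
        $Target = (([xml]$Ev.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        try   { New-PersonalFolder -Root $Root -SamAccountName $Target | Out-Null }
        catch { Write-Warning "Record $($Ev.RecordId) ($Target): $_" }
        $null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $StateFile)
        Set-Content -LiteralPath $StateFile -Value $Ev.RecordId
    }

# Bulk run (second post): one folder per enabled user account.
Get-ADUser -Filter 'Enabled -eq $true' |
    ForEach-Object { New-PersonalFolder -Root $Root -SamAccountName $_.SamAccountName }
```

Keep whichever driver matches your deployment; the function is the same for both, and re-running the bulk driver is safe because existing folders are skipped rather than having their ACLs rewritten.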