September 15, 2016

Recently, I created a PowerShell script to help out with automatically creating a large number of folders, which will be used as our employee "Personal" folders. If you're not sure what a Personal folder is, it is a shared directory used to store any documents or files that are relevant to the work that an employee is doing. These Personal folders are meant to be used alongside "Departmental" shared folders, which are where the documents and files that everyone within a department/area will need access to are stored. In the case of Personal folders, they are meant to hold just the documents and files that the one employee may be working with.

Without using Personal folders, most employees will store the majority of their files on their Desktop or Documents folders on their workstation, only saving a handful of documents to shared departmental folders and the like. This can be a problem in situations where the employee's workstation has a failing hard drive, there's a malware infection, etc. as there are likely no backups of their documents. Personal folders, on the other hand, are typically shared off of a corporate file server that has some sort of backup solution in-place to protect corporate data.

For my particular situation, which spawned the creation of this PowerShell script, I needed to create a Personal folder for every active user account set up within Active Directory. Once created, the correct permissions needed to be applied to the folder so that only the corresponding employee would have access to it. This is a pretty simple task, and is a perfect candidate to make a script for.

Let's get started.

The first thing we will need to do is to import the Active Directory module for use. This module is essential in order for this script to obtain a list of all active accounts within Active Directory.

Import-Module ActiveDirectory

Next, let's just go ahead and store the UNC path to the shared folder where these Personal folders will be created into a variable for later use.

$Directory = "\\UNCPATHTOSHAREDFOLDER"

Now we can use the Get-ADUser cmdlet, provided to us by the ActiveDirectory module we imported, to get a list of all active accounts within Active Directory. The LDAP filter excludes disabled accounts by testing the ACCOUNTDISABLE bit (value 2) of userAccountControl. This snippet of code will look like the following.

Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -Properties Name,SamAccountName

Since we don't just want the list of accounts, but also want to create a Personal folder for each account, we will need to create a loop. This can easily be done by piping the previous snippet of code into a ForEach-Object loop. Inside of this loop, we will need to first create the Personal folder for the user account, which will look something like the following. Keep in mind that, with how this code is written, the folder's name will be something like "John Smith," even if their account name is "John.Smith."

New-Item -type directory -Path "$Directory\$Name"

Lastly, we will need to assign the Full Control permission to this folder for the account itself. The following code will accomplish this.

$ACL = Get-Acl "$Directory\$Name"
$User = $_.SamAccountName
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($User,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$ACL.SetAccessRule($AccessRule)
Set-Acl "$Directory\$Name" $ACL

Combining all of this code together, with some minor tweaks and code comments, should give us the following script.

#Import the ActiveDirectory module in order to access AD via PowerShell
Import-Module ActiveDirectory

#The UNC path for the shared folder
$Directory = "\\UNCPATHTOSHAREDFOLDER"

#Get all active AD users (ACCOUNTDISABLE bit not set) and loop through them
Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -Properties Name,SamAccountName | ForEach-Object {

    #The folder is named after the display name, e.g. "John Smith"
    $Name = $_.Name

    #Create the directory for each user
    New-Item -ItemType Directory -Path "$Directory\$Name"

    #Begin creating folder permissions: Full Control for the user's own account,
    #inherited by everything created inside the folder
    $ACL = Get-Acl "$Directory\$Name"
    $User = $_.SamAccountName
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($User,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
    $ACL.SetAccessRule($AccessRule)
    Set-Acl "$Directory\$Name" $ACL
}

Now you can run your code, which should result in a Personal folder being created for each active Active Directory account. Each of these should have the appropriate permissions applied, which is to give only the corresponding account Full Control over the folder.
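As an added example (not the original post's script), here is the same loop written the way I would deploy it on a file server: the folder keeps only an explicit ACL instead of also inheriting the parent share's entries, the user is identified by SID rather than by name lookup, and re-running the script leaves existing folders untouched. It assumes the same UNC placeholder as the post and that the server's Administrators group and SYSTEM should keep access for backups and support.

```powershell
# Added example, not the post's own code. Replace the UNC placeholder before use.
Import-Module ActiveDirectory

$Directory = "\\UNCPATHTOSHAREDFOLDER"   # placeholder, as in the post

# Same filter as the post: user objects whose ACCOUNTDISABLE bit (2) is clear
$Filter = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

# Principals that keep Full Control alongside the user (assumption: adjust to your server)
$Operators = @(
    [System.Security.Principal.NTAccount]"BUILTIN\Administrators",
    [System.Security.Principal.NTAccount]"NT AUTHORITY\SYSTEM"
)

$Inherit   = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow

Get-ADUser -LDAPFilter $Filter -Properties SamAccountName | ForEach-Object {
    # Name the folder after the logon name: unique in the domain and free of
    # path characters, unlike a display name such as "Smith, John"
    $Path = Join-Path $Directory $_.SamAccountName

    # Idempotent: never reset the ACL of a folder that is already in use
    if (Test-Path -LiteralPath $Path) {
        Write-Verbose "Skipping existing folder $Path"
        return
    }
    New-Item -ItemType Directory -Path $Path | Out-Null

    $ACL = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent share and drop the inherited copies; otherwise
    # anyone granted access to the share root can still read every personal folder
    $ACL.SetAccessRuleProtection($true, $false)

    # The user's SID from Get-ADUser avoids ambiguous name resolution on the server
    foreach ($Principal in @($_.SID) + $Operators) {
        $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Principal, "FullControl", $Inherit, $Propagate, $Allow)
        $ACL.AddAccessRule($Rule)
    }

    Set-Acl -LiteralPath $Path -AclObject $ACL
}
```

Check one finished folder with `(Get-Acl $Path).Access` and confirm that every entry shows IsInherited set to False and that only the user, Administrators and SYSTEM appear.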
