Create home folder on another domain

davidchurch7329 · 2022-05-26T13:38:21.000Z

Hi Community,

I have a powershell script to create a new user in AD. Problem is that some of our file servers are in a different domain. I can connect to another domain by using the code below amending AD attributes, but how do I add a home folder on the remote file server in a different domain? There is no ad object in the other domain but a contact is created? Have searched the web, but cannot find a solution? Can anyone help?

I did though have a stab if you see below, but code is wrong… Help!

Thanks in advance

Enable WinRM remote administrating
Set-ItemProperty –Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System –Name LocalAccountTokenFilterPolicy –Value 1 -Type DWord
Try
{
Enable-PSRemoting -Force
}
catch
{}
#Set trusted hosts to your second domain controller
Set-Item WSMan:\localhost\Client\TrustedHosts –Value s-chip.sussexdowns.ac.uk -Force

#Initiate Remote PS Session to local DC
$ps = New-PSSession -ComputerName domain server -Credential $cred

Import-Module ActiveDirectory

Invoke-Command -Session $ps -scriptblock { import-module ActiveDirectory }
Import-PSSession -Session $ps -Module ActiveDirectory -AllowClobber -ErrorAction Stop

Create folder and set ACL

New-Item -Name $sam -ItemType Directory -Path $drivepathE
$permissions = Get-Acl $homeshareE
$userpermissions = New-Object System.Security.AccessControl.FileSystemAccessRule(“domain$sam”,“FullControl”,“ContainerInherit, ObjectInherit”, “None”, “Allow”)
$permissions.AddAccessRule($userpermissions)
Set-Acl $homeshare $permissions

Neally · 2022-05-26T14:04:39.000Z

Welcome

If you post code, please use the ‘Insert Code’ button. Please and thank you!

PLEASE READ BEFORE POSTING! Read if you're new to the PowerShell forum! Programming & Development

Hi, and welcome to the PowerShell forum! Don’t apologize for being a “noob” or “newbie” or “n00b.” There’s just no need – nobody will think you’re stupid, and the forums are all about asking questions. Just ask! Use a descriptive subject. Don’t say “Need help” or “PowerShell Help”, actually summarize what the problem is. It helps the rest of us keep track of which problem is which. Don’t post massive scripts. We’re all volunteers and we don’t have time to read all that, nor will we copy…

192033ab-bb8f-4032-88a5-8e2313af0344-codebutton_small.png

Neally Bot

Neally · 2022-05-26T14:12:42.000Z

user297736:

Depending on how AD is set up, adding a file location in the home directory path SHOULD prompt AD to also create a home directory folder.

user297736:

There is no ad object in the other domain but a contact is created?

Well, a contact does not have a home directly attribute.

I’m still confused on your question so you:

You CAN update AD, but it does NOT create a homefolder?

new-aduser $newUserInfo -server $otherDomain -credential $otherDomainCred

You can talk to another domain like this by providing the server parameter the other domain name and feeding it other domain credentials.

Again, I’m still not clear what you need?

davidchurch7329 · 2022-05-26T19:39:48.000Z

Sorry if I have not been clear. Let me explain a bit more - We have migrated users to a new domain but some of the servers are still in the old domain. I want to create a user in the new domain, but the home folder may be in the old domain on a file server. I am struggling to create a home folder in another domain which has the new domain user assigned permissions to it as a trust is in place.

Anyone have any idea how I can do this?

Neally · 2022-05-26T20:08:15.000Z

user297736:

Sorry if I have not been clear. Let me explain a bit more - We have migrated users to a new domain but some of the servers are still in the old domain. I want to create a user in the new domain, but the home folder may be in the old domain on a file server. I am struggling to create a home folder in another domain which has the new domain user assigned permissions to it as a trust is in place.

Anyone have any idea how I can do this?

Do you have a 2 way trust between the domains, or how is that setup?

What exactly do you struggle with? just settings NTFS permissions? Do you still have to create the folder, or does AD create the folder?

So you invoke this on DOMAIN 1?

New-Object System.Security.AccessControl.FileSystemAccessRule("domain2\$sam",“FullControl”,“ContainerInherit, ObjectInherit”, “None”, “Allow”)

so you give user from domain2 access to the folder in domain1

Neally · 2022-05-26T22:54:48.000Z

this worked fine for me, depending on your trust you might not even need to specify credentials separately.

clear

$domainFROMCred = (Get-Credential)
$domainTOCred   = (Get-Credential)

$domainTO   = 'to.domain.com'
$userToadd  = 'bbelcher' # sam name to be added
$domainFROM = 'from.domain.com'

Invoke-Command -ComputerName $domainTO -ScriptBlock {
   
    $id   = Get-ADUser $using:userToadd -Server $using:domainFROM -Credential $using:domainTOCred
    # you gotta adjust the path here
    $path = "c:\userHomeShare\$($id.samaccountname)"
    $ACL  = (Get-Acl $path -ErrorAction Stop)
    
    $rights      = 'FullControl' 
    $inheritance = 'ContainerInherit, ObjectInherit'
    $propagation = 'None'
    $type        = 'Allow'
    $AccessRule  = New-Object System.Security.AccessControl.FileSystemAccessRule($id.sid, $rights, $inheritance, $propagation, $type)
    $acl.AddAccessRule($AccessRule)
    $acl | Set-Acl -Path "$path"

} -Credential $domainTOCred

david452309 · 2022-05-27T02:46:53.000Z

so you are using the equivalent of duct tape and bailing wire.

What are you going to do when you move everyone onto the same domain? Keep the home folders … in your forward thinking have you implemented DFS-R f/N or these shares so it is simple to move shares as the need arises .

davidchurch7329 · 2022-05-27T09:54:21.000Z

Thank you very much for your time on this it is much appreciated.

I run the script in our new domain and logged onto each domain with credentials but I get the following error:

Connecting to remote server old.domain.com failed with the following error message : WinRM cannot process the request. The following error ocurred while using Kerberos authentication: Cannot find the computer old.domain.com. Verify that the computer exists on the network and that the name provided is spelled correctly.

Am I missing something?

Thanks

Neally · 2022-05-27T14:33:36.000Z

is the OLD domain still existing? are there DNS entries? Is the trust still there?

sounds like that machine you run it from does not know about the other one?

davidchurch7329 · 2022-05-27T16:42:08.000Z

Thanks agian for your help. I had a typo in my script - my fault. The script works, but how do I create a folder? If I create a folder manually then the permissions get assigned automatically in the script?

Neally · 2022-05-27T16:54:07.000Z

user297736:

Thanks agian for your help. I had a typo in my script - my fault. The script works, but how do I create a folder? If I create a folder manually then the permissions get assigned automatically in the script?

Well no, permissions get set as they inherit. PLUS the user you want to add.

IMO:

create folder (new-item)
disable inheritance, remove non-needed access
add the domain user who needs to access it.

can all be done in that script.

e.g.

# create folder
    new-item "c:\userHomeShare\$($id.samaccountname)" -ItemType Directory -Force

    # disable inheritance
    icacls.exe ("c:\userHomeShare\$($id.samaccountname)") /inheritance:d

davidchurch7329 · 2022-05-27T17:31:07.000Z

Thanks again. When I run New-item it comes back with - path is not of legal form + category info: Invalid argument : (\server\users:String ) [New-item ], Argument Exception

Not sure what I am doing wrong?

Neally · 2022-05-27T17:33:22.000Z

user297736:

Thanks again. When I run New-item it comes back with - path is not of legal form + category info: Invalid argument : (\server\users:String ) [New-item ], Argument Exception

Not sure what I am doing wrong?

wihtout knowing your data, hard to tell

the illegal form usually means whitespace or symbols that are not allowed

davidchurch7329 · 2022-05-27T17:55:53.000Z

Your script works perfect. Thank you very much for your help… Have a good weekend…