Hey Spiceheads,
I am banging my head up against the wall for what should be an easy thing. I am looking at user folder permissions and trying to make it very specific. My goal is this:
Each User folder will have these permissions:
Domain\Domain Admins
Local\Administrators
Domain%username%
What is the easiest way to do this so that I can make this happen? I have searched and everyone seems to have a different way of doing things. I have the “everyone” for the share as Full as that doesn’t matter.
I have done the “create” function in GP under user configuration > Preferences > Windows Settings > Folders and checked the “Run in logged on users Security Context”
4 Spice ups
christopher4:
Domain%username%
Don’t do this. Never assign users to folders with direct permissions. Put users into folders and assign the folders the permissions.
2 Spice ups
I understand for shared folders, but I am doing their own personal folders that get mapped as a drive and I don’t want anyone else stumbling across them.
1 Spice up
Home folders, if done manually, can just have system, admin and the user. No need for local admin permissions on server shares.
That’s exactly what I want but I don’t want to do it manually. I want to create a script to do this for me. That’s the reason for this post.
I have done something similar to this; I created a batch file using ICACLS “Drive:\Path” /grant username:(OI)(CI)M.
So I ended up figuring this out and I can hopefully help other people with this. What I did was to follow this person’s advice on setting the permissions at the top folder:
Hello. I have recently run into an issue with our user folders. I'm trying to remove a particular group from each user folder but wanting to keep that group in the parent folder. There are 410 user folders that I do not want to manipulate manually. Is there a way to do this with PowerShell?
Thanks in advance
Then I found this PowerShell script that would add just the user based on folder name with the full control permissions. I just placed this PowerShell script inside of the folder that I needed permissions on. This worked for me!
# Prefix for account names (the backslash needs no escaping in PowerShell)
$domainName = "Domain\"
# Every sub-folder of the current directory; each one is named after its user
$folders = Get-ChildItem | ForEach-Object { if ($_.PSIsContainer) { $_.FullName } }

ForEach ($folder in $folders) {
    $folderName = (Get-Item $folder).Name
    $userName = $folderName
    # The rule applies to the folder itself and is inherited by subfolders and files
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    $permission = "$domainName$userName", "FullControl", $InheritanceFlag, $PropagationFlag, $objType
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission

    # Reset the folder to the permissions inherited from the parent, then add the user's rule
    icacls.exe $folder /reset
    $acl = Get-Acl $folder
    $acl.SetAccessRule($accessRule)
    $acl | Set-Acl $folder
}
I hope this helps someone!
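
An added example, not part of the original post: a read-only audit to run after the script above, listing any ACL entry on a home folder outside the set discussed in the thread (SYSTEM, Administrators, Domain Admins, the folder's own user) and any folder whose name does not resolve to an account. The domain name `CONTOSO`, the function names and the sample entries are assumptions made for illustration.

```powershell
# Added example, not from the thread. 'CONTOSO' and the sample ACEs are constructed.
function Get-UnexpectedAce {
    # Return the ACEs that fall outside the intended home-folder set:
    # SYSTEM, local Administrators, Domain Admins and the user the folder is named after.
    param(
        [Parameter(Mandatory)] [string] $FolderName,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Ace,
        [string] $Domain = 'CONTOSO'    # assumption: NetBIOS domain name
    )
    $allowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
               "$Domain\Domain Admins", "$Domain\$FolderName"
    # -notin compares case-insensitively, as Windows does for account names
    $Ace | Where-Object { "$($_.IdentityReference)" -notin $allowed }
}

function Test-HomeFolderRoot {
    # Walk every folder under $Path and report stray ACEs, plus folder names
    # that do not resolve to an account (the script above trusts the folder name).
    param([Parameter(Mandatory)] [string] $Path, [string] $Domain = 'CONTOSO')
    foreach ($dir in Get-ChildItem -LiteralPath $Path -Directory) {
        try {
            $account = [System.Security.Principal.NTAccount]"$Domain\$($dir.Name)"
            $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            [pscustomobject]@{ Folder = $dir.FullName; Identity = "$Domain\$($dir.Name)"
                               Issue = 'No such account' }
        }
        $aces = @((Get-Acl -LiteralPath $dir.FullName).Access)
        foreach ($ace in Get-UnexpectedAce -FolderName $dir.Name -Ace $aces -Domain $Domain) {
            [pscustomobject]@{ Folder = $dir.FullName; Identity = "$($ace.IdentityReference)"
                               Issue = "Unexpected $($ace.FileSystemRights)" }
        }
    }
}

# Constructed sample for folder 'jsmith': the Domain Users entry is the stray grant.
$sample = foreach ($id in 'NT AUTHORITY\SYSTEM', 'contoso\JSmith', 'CONTOSO\Domain Users') {
    [pscustomobject]@{ IdentityReference = $id; FileSystemRights = 'Modify'; IsInherited = $true }
}
Get-UnexpectedAce -FolderName 'jsmith' -Ace $sample
```

Against a live share, `Test-HomeFolderRoot -Path <root of the user folders> -Domain <your domain>` produces one row per finding; entries left behind by deleted accounts show up as raw SIDs and are reported as unexpected.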