1

So long story short, someone has added permissions at the top level of the Home Drive folder for some users and access has been given to home drives that shouldn’t have been. I’m trying to clean it up.

I have the below test folder, it’s stripping back the rights as I want to the bear minimum. The user is given full rights on the folder and inheritance disabled

$FolderPath = "\\location\c$\HomeDrives"

Write-Host "#Adding global Permissions    #" -ForegroundColor Green

foreach ($homeFolder in (Get-ChildItem $FolderPath | Where {$_.psIsContainer -eq $true})) {
    $homefolder
    $acl = Get-Acl $homefolder.FullName 
    $acl.Access | %{$acl.RemoveAccessRule($_)} 
    $acl.SetAccessRuleProtection($True, $False) 
    $Rights = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.FileSystemAccessRule]::ContainerInherit -bor [System.Security.AccessControl.FileSystemAccessRule]::ObjectInherit
    $Propagation = [System.Security.AccessControl.PropagationFlags]::None
    $Access = [System.Security.AccessControl.AccessControlType]::Allow
    $acct = New-Object System.Security.Principal.NTAccount("Builtin\Administrators") 
    $acl.SetOwner($acct) 
    Set-Acl $homefolder.FullName $acl
}

Write-Host "#Adding user specific Permissions    #" -ForegroundColor Green

foreach ($homeFolder in (Get-ChildItem $FolderPath | Where {$_.psIsContainer -eq $true})) {
    $homeFolder
    $acl = Get-Acl $homefolder.FullName
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($homefolder.Name,"FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl $homefolder.FullName $acl
}

I now want the user to be the owner based off the folder name i.e. johnb is the folder name, johnb is the owner.

And I also want to give local Administrators and SYSTEM full access.

So end game should be: the user, local administrators to the file server and SYSTEM have full access, inheritance is disabled.

Script - https://gallery.technet.microsoft.com/scriptcenter/Reset-Home-Folder-Share-a4b42fc5/view/Discussions#content

4 Spice ups
2

Root folder… shares–> domain users full permissions
NTFS–> Block Inheritance domain admin full access
move users folder under it
or
https://community.spiceworks.com/scripts/show/4157-bulk-update-and-create-ad-users-home-folder-with-permissions

1 Spice up
3

I wouldn’t recommend full rights for users, in my experience the “smart” users will change perms preventing things like backups to correctly execute.

Had a senior exec do this and then one day several months later come to us and ask for us to restore his files as he had “accidently” deleted key documents required for a meeting that morning - the outcome was he complained to the CEO when we advised there were no files to restore for his folder due to him stripping all permissions except his own.

4

You first resolution:

That would require a change at the top level for all users in AD i.e. user has home folder mapped via AD profile, that location is \domainlocation\DFSShare*Home*\testuser. I would have to change that for all users to the new root folder i.e. \domainlocation\DFSShare*NewHome*\testuser

Or

This script, from what I can tell is creating new home folders for users? I want to edit what I already have. With my current script I can get it down to the user having full access, I need to only add the below options

  • Make the user owner the owner

  • Give Administrators and SYSTEM full access.