As is often the case these days, these home directories are stored on NAS devices that typically auto-create home directories on the fly with the appropriate permissions. As a result, my script needed to explicitly grant the user Full Control to their new folder. I didn't find the native help on the Set-ACL cmdlet very helpful in regard to adding a user to an existing folder's ACL. Luckily I did something similar in VB.NET and had a good idea of what needed to be done. That, along with a little Get-ACL and Get-Member action (and a little trial and error), got me where I needed to be.
The process is actually pretty straightforward.
- Capture the current ACL with Get-ACL
$DirACL = Get-ACL "\\FileServer\users$\JoeUser"
- Create a new FileSystemAccessRule for the user and add it to the ACL you just captured
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule "Domain\JoeUser","FullControl","ContainerInherit,ObjectInherit","None","Allow"
$DirACL.AddAccessRule($AccessRule)
- Write the new ACL back with Set-ACL
Set-ACL "\\FileServer\users$\JoeUser" $DirACL
Since it takes a couple of lines and is something that often needs to be repeated, it could easily be made a function like this:
Function Set-FullControl {
    param ([string]$User, [string]$FolderPath)
    # Read the folder's current ACL so existing entries are preserved
    $DirACL = Get-ACL $FolderPath
    # Allow FullControl, inherited by subfolders (ContainerInherit) and files (ObjectInherit)
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $User,"FullControl","ContainerInherit,ObjectInherit","None","Allow"
    $DirACL.AddAccessRule($AccessRule)
    # Write the modified ACL back to the folder
    Set-ACL $FolderPath $DirACL
}
Set-FullControl "DOMAIN\JoeUser" "\\FileServer\users$\JoeUser"
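The same three steps with checks around them, as an added example that is not from the original post: it resolves the account to a SID before touching the ACL, then re-reads the ACL to confirm that an explicit Allow/FullControl entry for that SID is present. The function name Grant-HomeFolderAccess is hypothetical, and the demo at the bottom uses a constructed temp folder and the current user in place of the file share and DOMAIN\JoeUser.

```powershell
# Added example, not code from the original post. Grant-HomeFolderAccess is a hypothetical name.
function Grant-HomeFolderAccess {
    param (
        [Parameter(Mandatory = $true)][string]$User,
        [Parameter(Mandatory = $true)][string]$FolderPath
    )

    if (-not (Test-Path -LiteralPath $FolderPath -PathType Container)) {
        throw "Folder not found: $FolderPath"
    }

    # Translate() throws if the account cannot be resolved, so a mistyped
    # name fails here instead of part-way through the ACL change.
    $Account = New-Object System.Security.Principal.NTAccount($User)
    $Sid = $Account.Translate([System.Security.Principal.SecurityIdentifier])

    # Same rule as in the post, keyed on the resolved SID rather than the name string
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

    $Acl = Get-Acl -LiteralPath $FolderPath
    $Acl.AddAccessRule($Rule)
    Set-Acl -LiteralPath $FolderPath -AclObject $Acl

    # Re-read the ACL: explicit (non-inherited) entries only, identities returned as SIDs
    $Explicit = (Get-Acl -LiteralPath $FolderPath).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    $Applied = $Explicit | Where-Object {
        $_.IdentityReference.Value -eq $Sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    if (-not $Applied) {
        throw "No explicit FullControl entry for $User on $FolderPath after Set-Acl"
    }
    $Applied
}

# Constructed demo input: a temp folder and the current user stand in for
# \\FileServer\users$\JoeUser and DOMAIN\JoeUser.
$Demo = New-Item -ItemType Directory -Path (Join-Path $env:TEMP "acl-demo-$PID") -Force
Grant-HomeFolderAccess -User "$env:USERDOMAIN\$env:USERNAME" -FolderPath $Demo.FullName |
    Format-List IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
Remove-Item -LiteralPath $Demo.FullName -Recurse
```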