Creating a Home Drive with Windows PowerShell: Part 3

Summary: Microsoft PowerShell MVP, Sean Kearney, concludes his series about creating a home drive with Windows PowerShell.

Microsoft Scripting Guy, Ed Wilson, is here. If you are a seasoned Hey, Scripting Guy! Blog reader, you know that the most frequent guest blogger is Sean Kearney. If you are new to the blog, I welcome you, and I encourage you to catch up with Sean’s previous blogs.

Sean is a Windows PowerShell MVP and an Honorary Scripting Guy. Sean has been selected to present sessions called Integrating with Microsoft System Center 2012 and Windows PowerShell at TechEd NA and TechEd Europe this year. In his free time, Sean has written several blog posts about Hyper-V and some other cool stuff. Sean will be the blogger all week, and today he is writing about home folders.

BTW, if you are in New Orleans for TechEd this week, be sure to come by the Scripting Guys booth and say hello. The Scripting Wife and I will be there in addition to Chris Duck and Brian Wilhite. We also invited www.powershell.org to share the booth with us, so come by and say hello to Don Jones, Jason Helmick, and Mike Robbins. I am also sure Sean will be hanging out at the booth.

Before you read this blog post, check out the earlier parts:

With the access rule created, we need only add it to our list of rules for the user's home drive. Remember, because of how we defined the permissions on the root of the home folder structure, the only accounts whose permissions will be inherited are Domain Admins and local Administrators.

To add the rule, we perform the following four steps:

  • Get the current access control list from the folder in question by using Get-ACL.
  • Build a new access rule for our user.
  • Run the AddAccessRule method against the current ACL object.
  • Store the new access control list on the folder with Set-ACL.

First, use Get-ACL on the new user's home folder and store the resulting object in a Windows PowerShell variable for editing and reuse:

$HomeFolderACL=GET-ACL '\\CONTOSO-FPS\Users$\JohnnyTest'

Next, build the access rule. In our case, this is for JohnnyTest in the CONTOSO domain:

$IdentityReference='CONTOSO\JohnnyTest'

$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"FullControl"

$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"

$PropagationFlags=[System.Security.AccessControl.PropagationFlags]"None"

$AccessControl=[System.Security.AccessControl.AccessControlType]"Allow"

$AccessRule=NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule($IdentityReference,$FileSystemAccessRights,$InheritanceFlags,$PropagationFlags,$AccessControl)

Now add the rule to the access list that is presently stored in $HomeFolderACL:

$HomeFolderACL.AddAccessRule($AccessRule)

Then store the new access rule on the folder with Set-ACL:

SET-ACL -path '\\CONTOSO-FPS\Users$\JohnnyTest' -AclObject $HomeFolderACL

At this point, we'll take these new changes and build a small script in Windows PowerShell to do all the work for us, right down to creating the folder on the remote server. New-Homedrive.ps1 will look like this:

New-Homedrive.ps1

PARAM(
$Alias
)

# SET-ADUSER comes from the ActiveDirectory module
IMPORT-MODULE ActiveDirectory

# Assign the Drive letter and Home Drive for
# the user in Active Directory
$HomeDrive='Z:'
$UserRoot='\\CONTOSO-FPS\Users$\'
$HomeDirectory=$UserRoot+$Alias
SET-ADUSER $Alias -HomeDrive $HomeDrive -HomeDirectory $HomeDirectory

# Create the folder on the root of the common Users Share
NEW-ITEM -path $HomeDirectory -type directory -force

$Domain='CONTOSO'
$IdentityReference=$Domain+'\'+$Alias

# Set parameters for Access rule
$FileSystemAccessRights=[System.Security.AccessControl.FileSystemRights]"FullControl"
$InheritanceFlags=[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$PropagationFlags=[System.Security.AccessControl.PropagationFlags]"None"
$AccessControl=[System.Security.AccessControl.AccessControlType]"Allow"

# Build Access Rule from parameters
$AccessRule=NEW-OBJECT System.Security.AccessControl.FileSystemAccessRule($IdentityReference,$FileSystemAccessRights,$InheritanceFlags,$PropagationFlags,$AccessControl)

# Get current Access Rule from Home Folder for User
$HomeFolderACL=GET-ACL $HomeDirectory

# Add the new rule and store the updated list on the folder
$HomeFolderACL.AddAccessRule($AccessRule)
SET-ACL -path $HomeDirectory -AclObject $HomeFolderACL
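After the script runs, it is worth confirming that the folder carries exactly the entries intended: the inherited admin entries plus one explicit rule for the user. The following is an added example, not part of Sean's script; Test-HomeFolderAcl is a hypothetical helper name, the default admin identities are assumed from the text above, and the demo uses a constructed local scratch folder with the current account standing in for the user.

```powershell
# Added example; Test-HomeFolderAcl is a hypothetical helper, not part of New-Homedrive.ps1.
function Test-HomeFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserIdentity,   # e.g. 'CONTOSO\JohnnyTest'
        # Assumed from the text: only these two are inherited from the share root
        [string[]]$AdminIdentities = @('BUILTIN\Administrators', 'CONTOSO\Domain Admins')
    )
    $Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $Full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $UserAceSeen = $false

    foreach ($Ace in (Get-Acl -Path $Path).Access) {
        $Name    = $Ace.IdentityReference.Value
        $Finding = $null
        if ($Name -eq $UserIdentity -and -not $Ace.IsInherited) {
            $UserAceSeen = $true
            # The explicit rule the script adds: Allow, FullControl, flowing to subfolders and files
            if (-not ($Ace.AccessControlType -eq 'Allow' -and $Ace.FileSystemRights -eq $Full -and
                      $Ace.InheritanceFlags -eq $Inherit)) {
                $Finding = 'User rule is not Allow/FullControl with ContainerInherit, ObjectInherit'
            }
        }
        elseif (-not $Ace.IsInherited)               { $Finding = 'Unexpected explicit entry' }
        elseif ($AdminIdentities -notcontains $Name) { $Finding = 'Unexpected inherited entry' }

        if ($Finding) {
            [pscustomobject]@{ Identity = $Name; Rights = $Ace.FileSystemRights
                               Inherited = $Ace.IsInherited; Finding = $Finding }
        }
    }
    if (-not $UserAceSeen) {
        [pscustomobject]@{ Identity = $UserIdentity; Rights = $null
                           Inherited = $false; Finding = 'Explicit user rule is missing' }
    }
}

# Constructed demo: local scratch folder, current account in place of the domain user
$Demo = Join-Path $env:TEMP 'HomeAclDemo'
New-Item -Path $Demo -ItemType Directory -Force | Out-Null
$Me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$Acl  = Get-Acl -Path $Demo
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Me, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -Path $Demo -AclObject $Acl
Test-HomeFolderAcl -Path $Demo -UserIdentity $Me | Format-Table -AutoSize
Remove-Item -Path $Demo -Recurse -Force
```

Against the real share, pass the home folder's UNC path and the user's DOMAIN\name; every row returned is an entry that differs from the intended permission set.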

Now, I could have said, “Here’s a script to do this.” But I think knowing some of the deeper pieces of the process should help you understand how to manipulate the data for Set-ACL.

At the end of it all? Take this script, use it, be more efficient and consistent, and get yourself home a lot earlier. That’s where it all really matters.

~Sean

Thank you, Sean, for a great series.

Join us tomorrow as Sean continues his Friday Hyper-V series.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy