Get user home directories recursively in PowerShell

So, I'm taking the dive into PowerShell. I've been tasked with redoing permissions on every home folder in the domain (they do not all fall under the same sub-directory - that would be too easy). I have a batch script written that takes two parameters: user name, and home folder path and pumps them through SetACL.

I want to use PowerShell to get the user names and home folders for every user in an OU. So far, I can get the user names, but I cannot figure out how to get the home directories.

This is my PowerShell so far (borrowed from various sources across the web):

$Dom = "LDAP://OU=Accounts,DC=myDomain,DC=local"
$Root = New-Object DirectoryServices.DirectoryEntry $Dom

# Create a selector and start searching from the Root of AD
$selector = New-Object DirectoryServices.DirectorySearcher
$selector.SearchRoot = $root
$Selector.pagesize = 20000


# Basically this will only grab user accounts and not computer accounts.
$adobj= $selector.findall() | where {
    $_.properties.objectcategory -match "CN=Person*"
}
foreach ($person in $adobj) {
    $prop=$person.properties
    Write-host "$($prop.cn)"
}

I'm eventually going to pipe the Write-host line into the setACL batch file, but I'm just writing the output for now to make sure that it's accurate. I've tried adding $($prop.homeDirectory) to the Write-host line with no luck.

Any pointers or suggestions?


Microsoft has updated their Active Directory PowerShell module and it is included with RSAT. Should you not want to use a third-party's modules, the following lists the sAMAccountName and homeDirectory attributes for all users in the "JustAnOrgUnit" OU -- pretty much the same as @nimizen's answer, just without the Quest requirement.

Import-Module ActiveDirectory
# Request only homeDirectory; sAMAccountName is returned by default
Get-ADUser -SearchBase "OU=JustAnOrgUnit,DC=example,DC=com" -Filter * -Properties homeDirectory |
    Select-Object -Property sAMAccountName,homeDirectory |
    Export-Csv -Path C:\somefile.csv

Use Quest's AD cmdlets, they're free and really simplify this sort of thing.

You can get them from http://www.quest.com/powershell/activeroles-server.aspx

Once you have those loaded, try the following script but also have a read around the Get-QADUser cmdlet.

$csvfile = "C:\somefile.csv"
$root = "OU=Accounts,DC=myDomain,DC=local"
# Users under $root that have a homeDirectory value, exported as logon name and path
Get-QADUser -SearchRoot $root `
    -ObjectAttributes @{homeDirectory='*'} -IncludeAllProperties |
    Select-Object LogonName,HomeDirectory |
    Export-Csv $csvfile

Here is how to update it on each homeDirectory without using multiple tools, and run through each account one-by-one from an OrgUnit and recursively go through each subOU too.

# source ACL required
$NewAcl = Get-Acl -Path "C:\directory\as\template"

# load active directory powershell module (requires RSAT installed)
Import-Module -Name ActiveDirectory -Force

# get all AD Users in OU from example, then set new Acl from source directory on their home directory paths
Get-ADuser -Filter * -SearchBase "OU=Accounts,DC=myDomain,DC=local" -Properties homeDirectory | ForEach-Object {
    $homedir = $_.'homeDirectory'
    try {
        # set acl settings
        Set-Acl -Path $homedir -AclObject $NewAcl -Confirm:$false -ErrorAction Stop
        # write output to console if successful
        Write-Output "Successfully updated ACL settings for ${homedir}"
    }
    catch {
        Write-Output "Unable to update ACL settings on ${homedir}"
    }
}
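
Applying one template ACL to every folder gives every home directory identical entries, so the following added example (not part of any answer above) builds each folder's ACL around its own user's SID instead. The OU is the one from the question; Full Control for SYSTEM and BUILTIN\Administrators plus Modify for the user is an assumed policy, and `New-HomeRule` and `Set-HomeFolderAcl` are hypothetical helper names.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and admin rights on the file shares.
Import-Module ActiveDirectory

$searchBase = 'OU=Accounts,DC=myDomain,DC=local'                      # OU from the question
$system     = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # NT AUTHORITY\SYSTEM
$admins     = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators

function New-HomeRule([System.Security.Principal.IdentityReference]$Identity,
                      [System.Security.AccessControl.FileSystemRights]$Rights) {
    # Allow rule that applies to the folder, its subfolders and its files.
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
}

function Set-HomeFolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$UserSid)

    $acl = Get-Acl -LiteralPath $Path                 # keeps the folder's current owner
    $acl.SetAccessRuleProtection($true, $false)       # block inheritance, drop inherited ACEs
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($old in @($acl.GetAccessRules($true, $false, $sidType))) {
        $acl.RemoveAccessRuleSpecific($old)           # clear existing explicit ACEs
    }
    $acl.AddAccessRule((New-HomeRule $system  'FullControl'))
    $acl.AddAccessRule((New-HomeRule $admins  'FullControl'))
    $acl.AddAccessRule((New-HomeRule $UserSid 'Modify'))   # assumed policy for the folder's user
    if ($PSCmdlet.ShouldProcess($Path, "Replace ACL for $UserSid")) {
        Set-Acl -LiteralPath $Path -AclObject $acl -ErrorAction Stop
    }
}

Get-ADUser -Filter * -SearchBase $searchBase -SearchScope Subtree -Properties homeDirectory |
    ForEach-Object {
        $user    = $_
        $homeDir = $user.homeDirectory
        # Skip accounts with no homeDirectory or a path that cannot be reached.
        if (-not $homeDir -or -not (Test-Path -LiteralPath $homeDir -PathType Container)) {
            Write-Warning "$($user.SamAccountName): no usable home directory ('$homeDir')"
            return
        }
        try {
            Set-HomeFolderAcl -Path $homeDir -UserSid $user.SID -WhatIf   # remove -WhatIf to apply
            $status = 'processed'
        } catch {
            $status = "failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ User = $user.SamAccountName; Path = $homeDir; Status = $status }
    }
```

With `-WhatIf` in place nothing is written, so the output can be reviewed (or piped to `Export-Csv`) before the real run. Child items that block inheritance keep their own ACLs and need a separate pass.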