Re-give users ownership of their mapped home folders via powershell
Since you are setting the home folders in AD, why not just re-assign them using ADUC and variables?
Let's say your folders are named after your usernames.
You can filter the view to only show users who currently have a value set for their home folder.
Select all the users you want to update, open the Properties of those users, then go to the Profile tab.
Enter the path of the home folder like so:
\\<servername>\Home Folders\%USERNAME%
and then hit OK. It will cycle through and reset the permissions for each folder using their individual usernames.
You will need to change the path to match your environment, but the important part is the %USERNAME%.
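The same thing done from PowerShell, as an added example that is not part of the original post. One caveat the GUI hides: when you type the path into ADUC it also creates the folder and grants the user rights on it, whereas Set-ADUser only writes the attribute, so the example does those two steps explicitly. The file server FS01, the share name "Home Folders", the drive letter H: and the OU are assumptions to be replaced with your own values.

```powershell
# Added example, not from the original thread. Scripted equivalent of the ADUC
# "Profile tab + %USERNAME%" approach. Assumed values (change to match your
# environment): file server FS01, share "Home Folders", drive letter H:,
# search base OU=Staff,DC=example,DC=com.
Import-Module ActiveDirectory

function Reset-HomeFolder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$HomeRoot   = '\\FS01\Home Folders',
        [string]$HomeDrive  = 'H:',
        [string]$SearchBase = 'OU=Staff,DC=example,DC=com'
    )

    # Same selection as the filtered ADUC view: users that already have a home folder set.
    $users = Get-ADUser -SearchBase $SearchBase -Filter 'homeDirectory -like "*"' `
                        -Properties homeDirectory, homeDrive

    foreach ($u in $users) {
        # What %USERNAME% expands to in ADUC: the sAMAccountName.
        $path = Join-Path -Path $HomeRoot -ChildPath $u.SamAccountName

        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "set home folder to $path")) {
            # 1. Write the AD attribute. This is all Set-ADUser does; ADUC additionally
            #    creates the folder and grants the user rights (steps 2 and 3 below).
            if ($u.homeDirectory -ne $path -or $u.homeDrive -ne $HomeDrive) {
                Set-ADUser -Identity $u -HomeDirectory $path -HomeDrive $HomeDrive
            }

            # 2. Create the folder if it is missing.
            if (-not (Test-Path -LiteralPath $path)) {
                New-Item -ItemType Directory -Path $path | Out-Null
            }

            # 3. Grant the user Full Control, inherited by subfolders and files.
            #    Building the rule from the SID avoids guessing the NetBIOS domain name.
            $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                        -ArgumentList $u.SID, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
            $acl = Get-Acl -LiteralPath $path
            $acl.SetAccessRule($rule)   # replaces any existing rule for that SID, so re-runs are safe
            Set-Acl -LiteralPath $path -AclObject $acl
        }

        [PSCustomObject]@{
            User          = $u.SamAccountName
            HomeDirectory = $path
            Exists        = Test-Path -LiteralPath $path
        }
    }
}

# Dry run first (prints what would change), then for real:
Reset-HomeFolder -WhatIf
Reset-HomeFolder | Format-Table
```

Run it from an account that is an administrator on the file server, because Set-Acl needs WRITE_DAC on folders the user already owns; the `-WhatIf` pass lists every user and path before anything is touched.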
To check the ownership of a folder or file, you can use the GetOwner method:
# $dir is a DirectoryInfo object, e.g. from Get-Item or Get-ChildItem
$acl = Get-Acl -Path $dir.FullName
$acl.GetOwner([System.Security.Principal.NTAccount])
And set the new owner with:
$objUser = New-Object System.Security.Principal.NTAccount("YourDomain", "YourUser")
$acl.SetOwner($objUser)
# SetOwner only changes the in-memory security descriptor; write it back to the folder.
# Assigning ownership to another account requires SeRestorePrivilege (an elevated admin session).
Set-Acl -Path $dir.FullName -AclObject $acl
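The two calls above put to work, as an added example that is not part of the original answer: walk a home share, compare each folder's owner with the account the folder is named after, report the mismatches, and with -Fix write the corrected owner back with Set-Acl. The share \\FS01\Home Folders, the NetBIOS domain CORP and the assumption that folder names equal sAMAccountNames are placeholders.

```powershell
# Added example, not from the original thread. Audits (and optionally fixes) the
# owner of every folder under a home share. Assumed: share \\FS01\Home Folders,
# NetBIOS domain CORP, folder names equal to sAMAccountNames.

function Test-HomeFolderOwner {
    param(
        [string]$HomeRoot = '\\FS01\Home Folders',
        [string]$Domain   = 'CORP',
        [switch]$Fix
    )
    $ntAccount = [System.Security.Principal.NTAccount]
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    foreach ($dir in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
        $expected = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $Domain, $dir.Name
        $acl      = Get-Acl -LiteralPath $dir.FullName

        # Compare as SIDs: "CORP\jdoe" and "corp\JDoe" are the same principal, and a
        # folder named after a deleted account has no SID at all.
        try   { $expectedSid = $expected.Translate($sidType) }
        catch { $expectedSid = $null }          # folder name is not a valid account
        $ownerSid = $acl.GetOwner($sidType)

        # GetOwner(NTAccount) throws for an orphaned SID (owner account deleted),
        # so fall back to the raw SID string for the report.
        try   { $ownerName = $acl.GetOwner($ntAccount).Value }
        catch { $ownerName = $ownerSid.Value }

        $isMatch = ($null -ne $expectedSid) -and ($ownerSid -eq $expectedSid)
        $fixed   = $false

        if ($Fix -and -not $isMatch -and $expectedSid) {
            # SetOwner changes only the in-memory descriptor; Set-Acl persists it.
            # Giving ownership to someone else needs SeRestorePrivilege, i.e. an
            # elevated admin session; over a network share this often fails.
            $acl.SetOwner($expected)
            Set-Acl -LiteralPath $dir.FullName -AclObject $acl
            $fixed = $true
        }

        $expectedName = '(no such account)'
        if ($expectedSid) { $expectedName = $expected.Value }

        [PSCustomObject]@{
            Folder   = $dir.Name
            Owner    = $ownerName
            Expected = $expectedName
            Match    = $isMatch
            Fixed    = $fixed
        }
    }
}

# Report only:
Test-HomeFolderOwner | Where-Object { -not $_.Match } | Format-Table
# Then repair the mismatches (folders named after deleted accounts are left alone):
Test-HomeFolderOwner -Fix | Where-Object Fixed
```

Run the report first: folders whose Expected column reads "(no such account)" are the stale ones you want to rename or archive rather than re-own.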
This might help. I had to fix permissions on a shared folder configuration I adopted a while back, using PowerShell and subinacl.exe (because changing the owner remotely often doesn't work). This was also used to do some cleanup, so there is some extra code in here to rename the folders of disabled or deleted user accounts. It's an old script, also using Quest cmdlets, which can be replaced with native AD cmdlets now.
# The Quest snap-in (Add-PSSnapin quest* / Get-QADUser) is replaced below with the native AD module
Import-Module ActiveDirectory
$dirlist  = Get-ChildItem \\server\share | Where-Object { $_.PSIsContainer }
$subinacl = "C:\utils\subinacl.exe"
$domain   = "domain"
foreach ($userdir in $dirlist)
{
    #the foldername was a funny format (citrix 2008 profile with .2k8 suffix)
    $username = $userdir.Name.Split('.')[0]
    # -Filter returns $null for an unknown account instead of throwing
    $adaccount = Get-ADUser -Filter "SamAccountName -eq '$username'"
    If ((!$adaccount) -or ($adaccount.Enabled -eq $false))
    {
        Write-Host "$username is not a current employee"
        #rename folder to _DEL_originalname
        $newname = "_DEL_$username"
        Rename-Item -Path $userdir.FullName -NewName $newname
    }
    Else
    {
        #get full path
        Write-Host "$userdir - changing permissions"
        $currentDir = $userdir.FullName # this way you don't duplicate the start folder
        #get ACL of folder
        $acl = Get-Acl $currentDir
        $identity = "$domain\$username"
        # $acl.Access holds FileSystemAccessRule objects, so compare their IdentityReference, not the rule itself
        If ($acl.Access.IdentityReference.Value -notcontains $identity) {
            #variable to set new permissions for username of folder
            $permission = $identity,"FullControl","ContainerInherit,ObjectInherit","None","Allow"
            $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
            #actually set the permissions
            $acl.SetAccessRule($accessRule)
            Set-Acl $currentDir $acl
            #use subinacl to set owner at parent level and below
            #(the exe is called directly with an argument list; Invoke-Expression broke on paths with spaces)
            & $subinacl /file $currentDir "/setowner=$identity" | Out-Null
            & $subinacl /subdirectories "$currentDir\*.*" "/setowner=$identity" | Out-Null
            & $subinacl /subdirectories "$currentDir\*" "/grant=$identity" | Out-Null
            #the administrators grant was defined but never run in the original; it is applied here
            & $subinacl /subdirectories "$currentDir\*" "/grant=$domain\administrators=F" | Out-Null
        }
    }
}