One of our customers' Active Directory and file servers was having issues with backups of users' home directories.
We designed a PowerShell script to remedy the issue. The script looks through a selected Organizational Unit and verifies that all users have a home directory set, and that it has the appropriate NTFS permissions.
In this case all users had Full Control on their home folders, which led to some users resetting the permissions and removing entries they did not want (backup or admin accounts) from their "private" folders. Once those entries are gone, the backup job can no longer read the folder.
This script resets the targeted users to Modify permissions, which is enough to work with the files but not enough to change the ACL.
# User Home Directory Permissions - jocha.se 2013-01-15
#
# Creates a HomeDirectory for users who are missing one.
# Verifies they have Modify permissions, if they have Full it replaces with Modify.

# Loading modules
Import-Module ActiveDirectory

$DC = "DC01.DOMAIN.LOCAL"
$OU = "OU=Users,DC=DOMAIN,DC=LOCAL"

# Only the HomeDirectory attribute is needed, so do not pull every property.
$Content = (Get-ADUser -Server $DC -Filter * -Properties HomeDirectory -SearchBase $OU | Select-Object SamAccountName, HomeDirectory)

FOREACH ($ID in $Content) {
    $User = $ID.SamAccountName
    $Folder = $ID.HomeDirectory

    # If the user does not have a value for HomeDirectory it skips.
    If ($Folder) {

        # If the HomeDirectory does not exist its created.
        If ((Test-Path $Folder) -ne $true) {
            New-Item -ItemType directory -Path $Folder
            icacls $Folder /grant $User`:`(OI`)`(CI`)M
        }

        # Checking if user has a Full Control entry on their folder.
        # icacls prints the inheritance flags before the right, e.g. DOMAIN\user:(OI)(CI)(F),
        # so a wildcard between ":" and "(F)" is needed; anchoring on "\" avoids matching
        # another account whose name merely starts with $User.
        $Icacls = icacls $Folder
        $Match = "*\" + $User + ":*(F)*"
        $IcaclsResult = $Icacls -like $Match
        If ($IcaclsResult) {
            Write-Host $User " HomeDirectory has incorrect permissions. Resetting..."
            # /remove:g only removes explicit grants; a Full Control entry that is
            # inherited from the parent folder has to be corrected on the parent.
            icacls $Folder /remove:g $User
            icacls $Folder /grant $User`:`(OI`)`(CI`)M
        }
    }
}
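The script above reads icacls output as text, which cannot tell an explicit Full Control entry from one inherited from the root, and it has no check for the entries the backup job actually depends on. The following is an added example, not the script from the post: it does the same audit per user with the .NET ACL API (Get-Acl/Set-Acl), reports only unless -Fix is given, replaces an explicit Full Control entry with Modify, and treats a folder with inheritance disabled as the thing to repair, on the assumption that Domain Admins and the backup account are granted once on the root folder and flow down by inheritance. DOMAIN, DC01.DOMAIN.LOCAL, the OU and the backup account name DOMAIN\BackupSvc are assumed values for illustration.

```powershell
# Added example, not the script from the post: audit one home folder with the .NET
# ACL API instead of matching icacls text, so inherited and explicit entries can be
# told apart. DOMAIN, DC01.DOMAIN.LOCAL and "DOMAIN\BackupSvc" are assumed names.
Import-Module ActiveDirectory

function Test-HomeDirectoryAcl {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$Identity,     # "DOMAIN\user"
        [string[]]$RequiredPrincipals = @(),         # accounts that must keep access, e.g. the backup account
        [switch]$Fix                                 # without -Fix the function only reports
    )
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl -LiteralPath $Folder
    $findings = @()

    # 1. A user who "resets" the folder normally disables inheritance and deletes the
    #    entries that came from the root. Re-enabling inheritance brings the root-level
    #    Domain Admins / backup entries back without granting them per folder.
    if ($acl.AreAccessRulesProtected) {
        $findings += 'inheritance disabled'
        if ($Fix) { $acl.SetAccessRuleProtection($false, $false) }   # re-enable inheritance
    }

    # 2. Explicit (non-inherited) Full Control for the owner: replace it with Modify.
    $userRules = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -ieq $Identity
    })
    $hasFull = $userRules | Where-Object { ($_.FileSystemRights -band $fullControl) -eq $fullControl }
    if ($hasFull) {
        $findings += 'explicit Full Control'
        if ($Fix) {
            foreach ($rule in $userRules) { [void]$acl.RemoveAccessRule($rule) }
            $modify = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $acl.AddAccessRule($modify)
        }
    }

    # 3. Required principals must still have an Allow entry, inherited or explicit.
    #    They are deliberately not re-added here: grant them on the root folder and
    #    let inheritance carry them down. A folder whose inheritance was just
    #    re-enabled still reports them as missing until Set-Acl has run.
    foreach ($principal in $RequiredPrincipals) {
        $present = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $principal
        }
        if (-not $present) { $findings += "no Allow entry for $principal" }
    }

    if ($Fix -and $findings) { Set-Acl -LiteralPath $Folder -AclObject $acl }

    [pscustomobject]@{ Folder = $Folder; Identity = $Identity; Findings = $findings }
}

# Walk the OU the same way the post does. Missing folders are skipped here; the
# post's script is what creates them. Add -Fix to the splat to apply changes.
$DC      = 'DC01.DOMAIN.LOCAL'                       # assumed
$OU      = 'OU=Users,DC=DOMAIN,DC=LOCAL'             # assumed
$NetBIOS = 'DOMAIN'                                  # assumed

Get-ADUser -Server $DC -Filter * -SearchBase $OU -Properties HomeDirectory |
    Where-Object { $_.HomeDirectory -and (Test-Path -LiteralPath $_.HomeDirectory) } |
    ForEach-Object {
        $params = @{
            Folder             = $_.HomeDirectory
            Identity           = "$NetBIOS\$($_.SamAccountName)"
            RequiredPrincipals = "$NetBIOS\Domain Admins", "$NetBIOS\BackupSvc"
        }
        Test-HomeDirectoryAcl @params
    } |
    Where-Object { $_.Findings } |
    Format-Table -AutoSize
```

Run it once without -Fix and keep the report; a folder that shows both "inheritance disabled" and a missing backup entry is the exact pattern that breaks the backup job, and re-enabling inheritance is the only change it needs. Set-Acl over a UNC path requires the running account to hold WRITE_DAC on the folder (or ownership), which is why this is meant to run from an administrative session rather than as the user.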
Let me know if anything is not working for you and I’ll do my best to help you out.
Great Script!!
I have used it to correct my home folder permission issues. Now I'm working to add a portion to create and set the home folder from a second file that lists server names. This way the script continues through the OU.
Thanks again
Thanks for stopping by, and glad to hear it helped you.
I slightly updated the script and removed the need for a CSV file.
Hi,
This is awesome, but will this script set the permissions for sub-files and folders? Also, how could I add Domain Admins to the Full permissions? Thanks
Hi Rob,
This script will inherit down into the user folders. And yes, you can certainly add "Domain Admins" to the permissions. I do, however, recommend doing this at the root folder and not on every user folder.
If you for some reason cannot add permissions to the root folder, let me know and I'll send you an updated version of the script.
Best regards,
Joakim
Hi Joakim,
Thanks for the reply, I really appreciate it! Unfortunately our permissions are broken; I've taken ownership of the files but need to reset all the permissions, which is why I could do with a script to add Domain Admins! Any help would be brilliant! Thanks
Would this do the job:
# User Home Directory Permissions – heineborn.com 2013-01-15
#
# Creates a HomeDirectory for users who are missing one.
# Verifies they have Modify permissions, if they have Full it replaces with Modify.

# Loading modules
Import-Module ActiveDirectory

$DC = "Monmouth.local"
$OU = "OU=Mathematics,OU=Academic Departments,OU=Users,OU=Monmouth School,DC=Monmouth,DC=local"
$Content = (Get-ADUser -server $Dc -filter * -Properties * -SearchBase $OU | select SamAccountName, HomeDirectory)

FOREACH ($ID in $Content) {
    $User = $ID.SamAccountName
    $Folder = $ID.HomeDirectory
    $Domain = "Monmouth.local\Domain Admins"

    # If the user does not have a value for HomeDirectory it skips.
    If ($Folder) {

        # If the HomeDirectory does not exist its created.
        If ((Test-Path $Folder) -ne $true) {
            New-Item -ItemType directory -Path $Folder
            icacls $Folder /grant $User`:`(OI`)`(CI`)F
        }

        # Checking if user has Full permissions on their folder.
        $Icacls = icacls $Folder
        $Match = "*" + $User + ":(F)*"
        $IcaclsResult = $Icacls -like $Match
        If ($IcaclsResult) {
            Write-Host $User " HomeDirectory has incorrect permissions. Resetting..."
            icacls $Folder /remove:g $User
            icacls $Folder /grant $User`:`(OI`)`(CI`)F
            icacls $Folder /grant $domain`:`(OI`)`(CI`)F
        }
    }
}
Hi Rob,
Looks good. You should add "icacls $Folder /grant $domain`:`(OI`)`(CI`)F" to the "# If the HomeDirectory does not exist its created." section to make sure that it's added even if a folder does not exist yet.
/ J
Hello! This post could not be written any better!
Hello,
I really like the idea of checking and modifying security settings from the OU, but I keep getting an error when running the script.
Invalid parameter(s)
RESET { SESSION }
Would you have any suggestions?
Thanks