Powershell – Get user home directories recursively in PowerShell

active-directorypowershell

So, I'm taking the dive into PowerShell. I've been tasked with redoing permissions on every home folder in the domain (they do not all fall under the same sub-directory – that would be too easy). I have a batch script written that takes two parameters: user name, and home folder path and pumps them through SetACL.

I want to use PowerShell to get the user names and home folders for every user in an OU. So far, I can get the user names, but I cannot figure out how to get the home directories.

This is my PowerShell so far (borrowed from various sources across the web):

$Dom = "LDAP://OU=Accounts,DC=myDomain,DC=local"
$Root = New-Object DirectoryServices.DirectoryEntry $Dom

# Create a selector and start searching from the Root of AD
$selector = New-Object DirectoryServices.DirectorySearcher
$selector.SearchRoot = $root
$Selector.pagesize = 20000


# Basically this will only grab user accounts and not computer accounts.
$adobj= $selector.findall() | where {
    $_.properties.objectcategory -match "CN=Person*"
}
foreach ($person in $adobj) {
    $prop=$person.properties
    Write-host "$($prop.cn)"
}

I'm eventually going to pipe the Write-host line into the setACL batch file, but I'm just writing the output for now to make sure that it's accurate. I've tried adding$($prop.homeDirectory) to the Write-host line with no luck.

Any pointers or suggestions?

Best Answer

Microsoft has updated their Active Directory powershell module and it is included with RSAT. Should you not want to use a third-party's modules, the following lists the sAMAaccountName and homeDirectory attributes for all users in the "JustAnOrgUnit" OU -- pretty much the same as @nimizen's answer, just without the Quest requirement.

Import-Module ActiveDirectory
Get-ADUser -SearchBase "OU=JustAnOrgUnit,DC=example,DC=com" -Filter * -Property * |
    Select-Object -Property sAMAccountName,homeDirectory |
        Export-CSV -Path C:\somefile.csv

Related Solutions

Powershell – Kill process, then uninstall application–Can I do this with PowerShell, over 400 computers, from a txt file

While this is technically possible, there's probably a better way to go about it.

And speaking of better ways to go about it, You could do this in a GPO with a few lines of code as a startup or shutdown script, which is how I handle this. With a few more lines of code you could log the results of checking for the presence of this thing and/or uninstalling it, which would undoubtedly be useful in your compliance efforts.

If a GPO-linked startup/shutdown script's not an option for whatever reason, I think I'd use PSExec to kill the process on a list of computers read in from file and then script the uninstall in an appropriate language. Seem to me that this is a lot easier in VB, for example.

a=WshShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\UninstallString")

If a<>"" Then

WshShell.Run(a&" /S"),1,True
i=i+1

end if

(Goodbye Google Toolbar, in that example which I wrote or copied a few years back. Copied, probably. I am rather lazy.)

Without debugging the PS script you copied, I'd point out that you might be running a different PS version, different PS modules installed/loaded and/or there might be some dependencies that your XP machines don't have in place that's causing problems.

Powershell – (Powershell) Method to return a list of groups where a specific user has ‘write member’ security

There are two problems here.

The CMDlet Get-QADPermission is writing directly to the console during execution which is why you're seeing Permissions for: .... Since your pipeline is writing to the same output, it all gets mixed together. Store the output from your pipeline to a variable instead.
When you pipe the group into Get-QADPermission, you're throwing away the group object and getting a permissions object instead. If you want to keep the original object, you need to filter with Where-Object.

Also, be careful with Get-QADPermission. If you only query for WriteProperty, it won't return results with both Read+Write access. Usually you want to query for both. And in most cases, you also want to use -Inherited to get permissions granted from parent OU's. If you're really looking for once-off permissions, then you can ignore this switch.

function Test-UserCanModifyGroupsInOU ($Username, $OU)
{
  $results = Get-QADGroup -SearchScope 'OneLevel' -SearchRoot $OU |
    Where-Object {
      $_ | Get-QADPermission -Rights ReadProperty,WriteProperty -Property member -Account $username
    } |
    Select @{Name="User";Expression={$username}}, @{Name="Group";Expression={$_.Name}}
  $results | Write-Output
  $results | Export-Csv "$username.csv"
}

@("bob","sally") |
  ForEach-Object {
    Test-UserCanModifyGroupsInOU -Username $_ -OU 'domain.org.com/path/to/OU'
  }

Also note that this only works for permissions on specific properties. It won't return results for a user that has "Full Control" on the group, even though they're stil allowed to modify the member attribute.

Best Answer

Related Solutions

Powershell – Kill process, then uninstall application–Can I do this with PowerShell, over 400 computers, from a txt file

Powershell – (Powershell) Method to return a list of groups where a specific user has ‘write member’ security

Related Topic