I am needing assistance with a script. What I am trying to accomplish is when new users are created in ADUC and their profile path (home folder) is created, it gives the users "Full Control". I am wanting to change that to Modify permissions. My problem is that there are multiple users created weekly, and I want a script that can go through all the home folders and, if it finds a user with Full Control, change it to Modify. But also there is an admin security group that has multiple admins in it that have "Full Control" on each home directory. I don't want it to look inside the group and take away their Full Control. What cmdlets do I need to say "ignore that group and only change a user that has Full Control to Modify permissions"? I have a script that changes a specific user from "Full Control" to Modify, but I don't know the proper way to have it search for just a user account on the folders with "Full Control".
#ChangeACL.ps1
$Right="Modify"
#The possible values for Rights are
# ListDirectory
# ReadData
# WriteData
# CreateFiles
# CreateDirectories
# AppendData
# ReadExtendedAttributes
# WriteExtendedAttributes
# Traverse
# ExecuteFile
# DeleteSubdirectoriesAndFiles
# ReadAttributes
# WriteAttributes
# Write
# Delete
# ReadPermissions
# Read
# ReadAndExecute
# Modify
# ChangePermissions
# TakeOwnership
# Synchronize
# FullControl
$StartingDir="\\server\Path" #What directory do you want to start at?
$Principal="domain\user" #What security principal do you want to grant
#Define a new access rule. Inheritance flags are only accepted on directories,
#so files get a second rule without them or SetAccessControl throws.
$dirRule=new-object System.Security.AccessControl.FileSystemAccessRule($Principal,$Right,"ContainerInherit,ObjectInherit","None","Allow")
$fileRule=new-object System.Security.AccessControl.FileSystemAccessRule($Principal,$Right,"None","None","Allow")
foreach ($file in $(Get-ChildItem -LiteralPath $StartingDir -Recurse)) {
    $acl=(Get-Item -LiteralPath $file.FullName).GetAccessControl('Access')
    #SetAccessRule replaces any existing explicit Allow rule for $Principal
    #(e.g. FullControl) with $Right; rules for other principals are untouched
    if ($file.PSIsContainer) { $acl.SetAccessRule($dirRule) } else { $acl.SetAccessRule($fileRule) }
    #Write the changes to the object
    #Set-Acl $File.Fullname $acl
    (Get-Item -LiteralPath $file.FullName).SetAccessControl($acl)
}
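The question asks for a pass over every home folder that downgrades a user's explicit Full Control ACE to Modify while leaving the admin group alone. The script below is an added example written for this thread; it is not the poster's script and not the Best Answer's script. It assumes the share root "\\server\Path" and an admin group named "DOMAIN\HomeFolderAdmins" as placeholders, and the optional -OnlyUsers check assumes the WinNT ADSI provider can resolve the principal and report its SchemaClassName. It only inspects explicit (non-inherited) Allow ACEs on the top-level home folders, matches Full Control by requiring every bit of the FullControl mask, skips anything on the exclusion list, and writes nothing unless -Commit is given.

```powershell
# FixHomeFolderAcls.ps1 (added example, not from the original thread)
# For every home folder directly under $HomeRoot, replace each explicit Allow ACE
# that grants FullControl to a non-excluded principal with an equivalent Modify ACE.
param(
    [string]$HomeRoot = '\\server\Path',        # assumed share root (placeholder)
    [string[]]$Exclude = @(
        'DOMAIN\HomeFolderAdmins',              # assumed name of the admin group
        'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM',
        'CREATOR OWNER'
    ),
    [switch]$OnlyUsers,    # additionally skip any principal that is not a user object
    [switch]$Commit        # actually write the ACLs; default is report-only
)

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# Resolve a DOMAIN\name principal through the WinNT provider and report whether it is
# a user (as opposed to a group). Returns $null when the lookup is not possible so the
# caller can treat unknown principals conservatively. (Assumes WinNT resolution works.)
function Test-IsUserPrincipal {
    param([string]$Account)
    $parts = $Account -split '\\', 2
    if ($parts.Count -ne 2) { return $null }   # e.g. 'CREATOR OWNER' has no domain part
    try {
        $obj = [ADSI]"WinNT://$($parts[0])/$($parts[1])"
        return ($obj.SchemaClassName -eq 'User')
    } catch {
        return $null
    }
}

# Returns one record per ACE that was (or, without -Commit, would be) changed.
function Repair-HomeFolderAcl {
    param([System.IO.DirectoryInfo]$Folder)
    $acl = Get-Acl -LiteralPath $Folder.FullName
    $changed = @()
    # Snapshot the rule list: RemoveAccessRule/AddAccessRule mutate $acl.Access.
    foreach ($ace in @($acl.Access)) {
        if ($ace.IsInherited)                   { continue }   # only ACEs set on this folder
        if ($ace.AccessControlType -ne 'Allow') { continue }   # leave Deny entries alone
        # FullControl is a mask of every right, so require every bit rather than equality;
        # a Modify ACE has fewer bits set and is skipped here.
        if (($ace.FileSystemRights -band $FullControl) -ne $FullControl) { continue }
        $id = $ace.IdentityReference.Value
        if ($Exclude -contains $id) { continue }               # -contains is case-insensitive
        if ($OnlyUsers -and (Test-IsUserPrincipal $id) -ne $true) { continue }

        # Same identity, same inheritance and propagation, Modify instead of FullControl.
        $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace.IdentityReference, 'Modify', $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        [void]$acl.RemoveAccessRule($ace)
        $acl.AddAccessRule($replacement)
        $changed += [pscustomobject]@{
            Folder = $Folder.FullName; Principal = $id; From = 'FullControl'; To = 'Modify'
        }
    }
    if ($changed.Count -gt 0 -and $Commit) {
        Set-Acl -LiteralPath $Folder.FullName -AclObject $acl
    }
    return $changed
}

Get-ChildItem -LiteralPath $HomeRoot -Directory | ForEach-Object { Repair-HomeFolderAcl $_ }
```

Run it once without -Commit and review the output before running it with -Commit. ACEs the user receives through inheritance from the share root are deliberately skipped, since those are set on the root rather than on the home folder; the admin group is protected only by its name being on the exclusion list, so put the group's exact DOMAIN\name there, and use -OnlyUsers if you also want every non-user principal skipped regardless of name.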
Best Answer
After some testing I have come up with this script and it seems to work: