Windows – PowerShell/Command Prompt – Create folders from AD group members

active-directorycommand-line-interfacepowershellwindows

Is there a simple script I can use to give a destination folder and the AD group I want to use and it would generate a set of folders with the members of that AD group and delegate the proper permissions to those folders?

I have gotten as far as dsget group "FQN" -members and it returns a list of FQN's.

Here is an example of what I am looking for…

SomeADGroup
  member1
  member2
  ...
  memberN


Root Folder - has permission for SomeADGroup (already set up)
    member1 - member1 has modify; other SomeADGroup members, no permissions
    member2 - member2 has modify; other SomeADGroup members, no permissions
    ...
    memberN - memberN has modify; other SomeADGroup members, no permissions

Best Answer

Here-- have at.

Option Explicit

' DOMAIN\Group to process
Const DOMAIN = "DOMAIN"
Const GROUP = "Human Resources Department"

' Destination path - Do not append a "\"
Const DESTINATION_PATH = "C:\Test"

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

Dim objNameTranslate, objGroup, strUser, objShell

Set objNameTranslate = CreateObject("NameTranslate")
objNameTranslate.Init ADS_NAME_INITTYPE_GC, ""
objNameTranslate.Set ADS_NAME_TYPE_NT4, DOMAIN & "\" & GROUP
Set objGroup = GetObject("LDAP://" & Replace(objNameTranslate.Get(ADS_NAME_TYPE_1779), "/", "\/")) 

set objShell = CreateObject("Wscript.Shell")

For Each strUser in objGroup.Members
    objShell.Run "%COMSPEC% /c mkdir " & DESTINATION_PATH & "\" & strUser.samAccountName
    objShell.Run "CACLS " & DESTINATION_PATH & "\" & strUser.samAccountName & " /E /G " & DOMAIN & "\" & strUser.samAccountName & ":F"
Next ' strUser

A quick tour:

Set the DOMAIN, GROUP, and DESTINATION_PATH. Obviously, you'll have to be logged-on as a user with rights to make directories and set permission under the DESTINATION_PATH when you run this.

I could've probably done this more efficient in PowerShell, except that I can't stand PowerShell and haven't wanted to be bothered to get more in-depth with it. >smile< Likewise, I could've probably done the directory-making with the FileSystemObject, but this was faster for me to write. I could've done something fancier instead of the CACLS but, hey, it works.

Related Solutions

Windows – Useful Command-line Commands on Windows

A little known one is

getmac

It shows the MAC address(es) of your network adapter(s).

Screenshot of running getmac from a Windows commandline window.

Windows Scripting – Script to Reset Home Directory Permissions on a Windows Share

Assuming you're running this on Windows Server 2003 or newer you'll have both the TAKEOWN and ICACLS commands. I'm also assuming the that top level folder permission is set sanely (i.e. "Authenticated Users - List Folder Contents - This folder only", proper "Administrator" permissions if you like them being able to get into user folders, etc).

@echo off
FOR /D %%i in (*) do (
  TAKEOWN /f "%%i" /r /d y
  ICACLS "%%i" /reset /T
  ICACLS "%%i" /grant:r "DOMAIN\%%i":(OI)(CI)F
  rem Unremark this line to set the owner to the user, if you like that
  rem ICACLS "%%i" /setowner "DOMAIN\%%i" /T
)

That'll take ownership, clean up all the permissions and restore inheritance, add the user w/ Full Control rights to the directory, and then optionally give back ownership if you un-rem the last line.

My condolences for having to deal with users sharing files between each other out of home directories. That's a real pain.

Best Answer

Related Solutions

Windows – Useful Command-line Commands on Windows

Windows Scripting – Script to Reset Home Directory Permissions on a Windows Share

Related Topic