I'm building a script that checks if the home directory of the users is correct and, if not, sets the correct path. OU-1 has a different path than OU-2, and some users are exceptions. But the script isn't working.
This is what I got so far:
$folderpath = "\\172.16.32.27\gebruikers\homedir\", "\\172.16.32.27\share\homedirectories\"
$homedrive = "H"
$SearchBase = "OU=test,DC=Test,DC=org", "OU=users,DC=Test,DC=org"
$domain = "test.org"
$excludes = @("test", "user22")
$i = 0
$SearchBase | foreach {
    # Build the filter inside the loop so it uses the share path that belongs to the
    # current OU ($folderpath[$i]; the original referenced an undefined $homepath and
    # built the filter once, before $i was ever incremented). -notlike needs a wildcard.
    $filter3 = "homedirectory -notlike '$($folderpath[$i])*' -and samaccountname -ne '$($excludes -join "' -and samaccountname -ne '")'"
    Get-ADUser -SearchBase $_ -Filter $filter3 -Properties HomeDirectory, UserPrincipalName, HomeDrive, SamAccountName | % {
        $homedirectory = "$($folderpath[$i])$($_.SamAccountName)"
        if (!(Test-Path -Path $homedirectory)) {
            New-Item -Type Directory -Path $homedirectory | Out-Null
            $acl = Get-Acl -Path $homedirectory
            # Full control for the user, inherited by subfolders and files
            $permission = $_.UserPrincipalName, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
            $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
            $acl.SetAccessRule($rule)
            # Same for Domain Admins
            $permission = "$domain\Domain Admins", 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
            $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
            $acl.SetAccessRule($rule)
            Set-Acl -Path $homedirectory -AclObject $acl
            Set-ADUser $_ -HomeDirectory $homedirectory -HomeDrive $homedrive
        # -ne does no wildcard matching; -notlike does
        } elseif ($_.HomeDirectory -notlike "$homedirectory*" -or $_.HomeDrive -ne $homedrive) {
            Set-ADUser $_ -HomeDirectory $homedirectory -HomeDrive $homedrive
        }
    }
    $i++
}
If you create a mapping between OUs and home directories:
you can process them like this:
With that said, an IMHO much cleaner approach would be to put all home directories under a single share, adjust the (NTFS) permissions on that shared folder like this:
and have missing home directories automatically created with a simple logon script. In batch it would look somewhat like this:
but you could use VBScript or PowerShell just as well.
Enable Access-based Enumeration on top of that, and your users will not only be able to access just their own home, but also won't even see anyone else's.
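An added example of the OU-to-home-directory mapping approach in PowerShell (this is not the answer's own snippet, which is not reproduced on this page). The OU names, share paths and exclusion list come from the question; the parameter block, the use of the user's SID as the ACE identity, and the -WhatIf support are assumptions of this example.

```powershell
# Added example: one hashtable maps each OU to its home-directory root, so no
# index counter has to be kept in sync with a second array.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$HomeDrive = 'H',
    [string]$Domain    = 'test.org',
    [string[]]$Excludes = @('test', 'user22')   # accounts that keep their current home
)
Import-Module ActiveDirectory

$homeRoots = @{
    'OU=test,DC=Test,DC=org'  = '\\172.16.32.27\gebruikers\homedir'
    'OU=users,DC=Test,DC=org' = '\\172.16.32.27\share\homedirectories'
}

foreach ($ou in $homeRoots.Keys) {
    $root = $homeRoots[$ou]
    Get-ADUser -SearchBase $ou -Filter * -Properties HomeDirectory, HomeDrive |
      Where-Object { $Excludes -notcontains $_.SamAccountName } |
      ForEach-Object {
        $expected = Join-Path $root $_.SamAccountName

        if (-not (Test-Path -LiteralPath $expected)) {
            if ($PSCmdlet.ShouldProcess($expected, 'Create home directory')) {
                New-Item -ItemType Directory -Path $expected | Out-Null
                $acl = Get-Acl -LiteralPath $expected
                # Stop inheriting from the share root so only the owner and admins
                # can get in; the SID avoids name-resolution problems with a UPN.
                $acl.SetAccessRuleProtection($true, $false)
                foreach ($identity in @($_.SID, "$Domain\Domain Admins")) {
                    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                        -ArgumentList $identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
                    $acl.AddAccessRule($rule)
                }
                Set-Acl -LiteralPath $expected -AclObject $acl
            }
        }

        # Correct the AD attributes only when they differ from what the mapping says.
        if ($_.HomeDirectory -ne $expected -or $_.HomeDrive -ne $HomeDrive) {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, "Set HomeDirectory=$expected, HomeDrive=$HomeDrive")) {
                Set-ADUser -Identity $_ -HomeDirectory $expected -HomeDrive $HomeDrive
            }
        }
      }
}
```

Run it once with -WhatIf to see which directories would be created and which accounts would be changed before letting it write anything.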