Our department is fairly large and users tend to change the permissions on their home folders away from our standard. I threw this script together to cycle through the folders under the user share, match each folder name against a `sAMAccountName` in Active Directory, and reset the ACLs of the folders that do not match the standard. BEWARE: it deletes the folders, and all data in them, whose names do not match an existing AD account.
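<#
.SYNOPSIS
    Audits the per-user home folders under $RootFSPath, resets ACLs that drift
    from the standard, and deletes folders that no longer match an AD account.

.DESCRIPTION
    Every directory directly under $RootFSPath is treated as a home folder whose
    name is the owner's sAMAccountName.
      * No AD object with that sAMAccountName -> the folder is DELETED
        (Remove-Item -Recurse -Force).
      * Account exists but the folder's ACL is not exactly
            $Domain\<user>           Modify (+Synchronize)
            NT AUTHORITY\SYSTEM      FullControl
            BUILTIN\Administrators   FullControl
            $Domain\Domain Admins    FullControl
        -> inheritance is removed and re-enabled, every explicit ACE in the
        folder tree is stripped, and the user is granted Modify (inheritable)
        on the top folder so the tree picks SYSTEM/Admins up from the share.

    The lookup matches any AD object by sAMAccountName (users, but also groups
    or computers with the same name); that behaviour is kept from the original.

.PARAMETER ReportOnly
    Print what would be deleted or rewritten without changing anything
    (shorthand for -WhatIf).

.NOTES
    DESTRUCTIVE. A folder whose owner was renamed or removed from AD is deleted
    together with its contents. To avoid mass deletion when the directory is
    unreachable, any error from the AD lookup aborts the whole run instead of
    being treated as "no such user". Do a -ReportOnly run first.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$ReportOnly
)

# "Remove-Variable * / Remove-Module *" were dropped: they would also wipe this
# script's own parameters and unload modules the session may still need.
$Error.Clear()
Clear-Host

if ($ReportOnly) { $WhatIfPreference = $true }

# --- Configuration ----------------------------------------------------------
$Domain     = "MyDomain"    # NetBIOS domain name as it appears in ACE identities
$RootFSPath = "G:\users3"   # parent of the per-user folders; only its direct children are ever deleted

if (-not (Test-Path -LiteralPath $RootFSPath -PathType Container)) {
    throw "Root folder '$RootFSPath' does not exist or is not a directory."
}

# Rights an ACE must carry to count as one of the four expected rules.
# (Windows adds Synchronize to a Modify ACE, so it reads back as "Modify, Synchronize".)
$script:UserRights  = [System.Security.AccessControl.FileSystemRights]'Modify, Synchronize'
$script:FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# --- Helpers ----------------------------------------------------------------

Function ConvertTo-LdapFilterValue {
    <# Escapes a value for use inside an LDAP search filter (RFC 4515) so a
       folder named e.g. "a*" or "x)(cn=*" cannot widen or break the query. #>
    param([string]$Value)
    # Backslash first, otherwise the escapes introduced below get re-escaped.
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

Function Find-AdAccount {
    <# Returns the AD search result for $SamAccountName, or $null when no object
       carries that sAMAccountName. A directory error is re-thrown: a failed
       lookup must never look like "user does not exist", because the caller
       deletes data on that answer. #>
    param([string]$SamAccountName)
    if ([string]::IsNullOrWhiteSpace($SamAccountName)) {
        throw "Find-AdAccount: empty sAMAccountName."
    }
    $filter   = "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
    $searcher = [ADSISearcher]$filter     # searches the default naming context of the current domain
    try {
        return $searcher.FindOne()
    }
    catch {
        throw "Active Directory lookup for '$SamAccountName' failed ($($_.Exception.Message)); aborting so no folder is mistaken for an orphan."
    }
    finally {
        $searcher.Dispose()
    }
}

Function Test-ExpectedAce {
    <# Classifies one ACE: returns 'User', 'System', 'Admins' or 'DomainAdmins'
       when it is one of the four Allow rules a home folder must carry,
       otherwise $null. Deny ACEs never count as expected. #>
    param(
        [System.Security.AccessControl.FileSystemAccessRule]$Ace,
        [string]$User
    )
    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $null }
    $id     = $Ace.IdentityReference.Value
    $rights = $Ace.FileSystemRights
    if ($id -eq "$Domain\$User"          -and $rights -eq $script:UserRights)  { return 'User' }
    if ($id -eq "NT AUTHORITY\SYSTEM"    -and $rights -eq $script:FullControl) { return 'System' }
    if ($id -eq "BUILTIN\Administrators" -and $rights -eq $script:FullControl) { return 'Admins' }
    if ($id -eq "$Domain\Domain Admins"  -and $rights -eq $script:FullControl) { return 'DomainAdmins' }
    return $null
}

Function Test-HomeFolderAcl {
    <# Audits the ACL of one path against the four expected rules. Prints each
       unexpected ACE and each missing expected rule; returns $true when the
       ACL is exactly as expected, $false otherwise. Read-only. #>
    param([string]$Path, [string]$User)
    $found = @{ User = $false; System = $false; Admins = $false; DomainAdmins = $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $kind = Test-ExpectedAce $ace $User
        if ($kind) {
            $found[$kind] = $true
            continue
        }
        Write-Host $Path.PadRight(15) $ace.IdentityReference $ace.FileSystemRights
    }
    if (-not $found.System)       { Write-Host "Missing System Permission to $Path" }
    if (-not $found.Admins)       { Write-Host "Missing Admin Permission to $Path" }
    if (-not $found.DomainAdmins) { Write-Host "Missing DomainAdmin Permission to $Path" }
    return ($found.User -and $found.System -and $found.Admins -and $found.DomainAdmins)
}

Function Reset-ItemAcl {
    <# Applies the requested inheritance setting to one path, then strips every
       explicit ACE. The ACL is written and re-read between the two steps
       because RemoveAccessRule() ignores rules that are still flagged as
       inherited in the in-memory object. #>
    param(
        [string]$Path,
        [bool]$EnableInheritance,
        [bool]$DisableInheritance
    )
    if ($EnableInheritance -or $DisableInheritance) {
        $acl = Get-Acl -LiteralPath $Path
        if ($EnableInheritance)  { $acl.SetAccessRuleProtection($false, $false) }
        if ($DisableInheritance) { $acl.SetAccessRuleProtection($true, $true) }   # keep inherited ACEs as explicit copies
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        [void]$acl.RemoveAccessRule($ace)   # returns $false / no-op for inherited rules; don't leak the bool
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Function Grant-UserModify {
    <# Grants $Domain\$User Modify on $Path, inheritable by subfolders and files.
       This is what makes the stripped child ACLs usable again. Set-Acl throws
       if the identity cannot be resolved (account missing in AD). #>
    param([string]$Path, [string]$User)
    $permission = "$Domain\$User", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRule($accessRule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# --- Original entry points (names and parameter order unchanged) -------------

Function GetFolderACL {
    <# Prints every ACE on $RootFSPath\$User that is not one of the four expected
       rules; with $Recursive, every descendant (hidden ones too) is listed as
       well. Report only, changes nothing.
       Fixes the original, which inspected the top folder's ACL once per child
       and printed nothing at all when $Recursive was $false. #>
    param([string]$User, [bool]$Recursive)
    $filePath = Join-Path $RootFSPath $User
    $targets  = @(Get-Item -LiteralPath $filePath)
    if ($Recursive) {
        $targets += @(Get-ChildItem -LiteralPath $filePath -Recurse -Force)
    }
    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if (Test-ExpectedAce $ace $User) { continue }
            Write-Host $item.FullName.PadRight(15) $ace.IdentityReference $ace.FileSystemRights
        }
    }
}

Function GetFolderACLRecursive {
    <#
    Checks one home folder.
      * If no AD object has sAMAccountName $User, $filePath is deleted (honours
        -WhatIf / -ReportOnly) and nothing is returned.
      * Otherwise the ACL of $filePath (and of every subfolder when $Recursive)
        is audited; $true is returned when everything is as expected, $false
        when an ACE is unexpected or missing. Subfolders are never deleted.
    Refuses to delete anything that is not a strict descendant of $RootFSPath,
    or that is a junction/symlink.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$filePath,
        [string]$User,
        [bool]$Recursive
    )

    if ([string]::IsNullOrWhiteSpace($User)) {
        throw "GetFolderACLRecursive: empty user name for '$filePath'; refusing to continue."
    }

    # Find-AdAccount throws on any directory error, so $null really means "no such object".
    if ($null -eq (Find-AdAccount $User)) {
        $root = [IO.Path]::GetFullPath($RootFSPath).TrimEnd('\')
        $full = [IO.Path]::GetFullPath($filePath).TrimEnd('\')
        if (($full -ieq $root) -or -not $full.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) {
            Write-Warning "'$filePath' is not below '$RootFSPath'; not deleting."
            return
        }
        # A reparse point could point anywhere; deleting through it is not an
        # orphan cleanup. (Remove-Item -Recurse follows junctions on some PowerShell versions.)
        $item = Get-Item -LiteralPath $full -Force
        if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            Write-Warning "'$full' is a reparse point; not deleting."
            return
        }
        Write-Host "$User does not exist in AD, $full can be deleted... Deleting"
        if ($PSCmdlet.ShouldProcess($full, 'Delete orphaned home folder')) {
            Remove-Item -LiteralPath $full -Recurse -Force
        }
        return
    }

    # Account exists: audit the ACL (and the subfolders' ACLs when asked to).
    $ok = Test-HomeFolderAcl $filePath $User
    if ($Recursive) {
        foreach ($sub in @(Get-ChildItem -LiteralPath $filePath -Recurse -Directory -Force)) {
            if (-not (Test-HomeFolderAcl $sub.FullName $User)) { $ok = $false }
        }
    }
    return $ok
}

Function SetFolderACL {
    <#
    Rewrites the ACL of $RootFSPath\$User.
      $DisableInheritance : protect each item (inherited ACEs copied as explicit)
                            and strip every explicit ACE; children first, the
                            top folder last.
      $EnableInheritance  : strip explicit ACEs and re-enable inheritance; top
                            folder first so the children can inherit from it.
      $Recursive          : also process every descendant file and folder,
                            hidden ones included.
    Finally the user is granted Modify (CI/OI) on the top folder.
    Honours -WhatIf / -ReportOnly.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$User,
        [bool]$Recursive,
        [bool]$EnableInheritance,
        [bool]$DisableInheritance
    )
    $filePath = Join-Path $RootFSPath $User

    if (-not $PSCmdlet.ShouldProcess($filePath, 'Reset home folder ACL')) { return }

    if ($EnableInheritance) {
        Reset-ItemAcl $filePath $true $false
    }

    if ($Recursive) {
        foreach ($item in @(Get-ChildItem -LiteralPath $filePath -Recurse -Force)) {
            Write-Host $item.FullName
            Reset-ItemAcl $item.FullName $EnableInheritance $DisableInheritance
        }
    }

    if ($DisableInheritance) {
        # Parent last: once it is protected nothing below can inherit from it.
        Reset-ItemAcl $filePath $false $true
    }

    Grant-UserModify $filePath $User
}

Function SetStrightFolderACL {
    <# Grants $Domain\$User Modify (CI/OI) on $RootFSPath\$User without touching
       inheritance or existing ACEs. $Recursive, $EnableInheritance and
       $DisableInheritance are accepted for signature compatibility but unused,
       as in the original. #>
    param([string]$User, [bool]$Recursive, [bool]$EnableInheritance, [bool]$DisableInheritance)
    $filePath = Join-Path $RootFSPath $User
    Write-Host $filePath
    Grant-UserModify $filePath $User
}

# --- Main -------------------------------------------------------------------
# Only directories are candidates (the original also fed loose files at the root
# into the orphan check). Hidden folders are left alone, as before, so the
# deletion scope is not widened.
foreach ($folder in @(Get-ChildItem -LiteralPath $RootFSPath -Directory)) {
    # Use .Name / .FullName explicitly: "$folder" stringifies differently across
    # PowerShell versions (Name on 5.1, FullName on 6.1+).
    $user   = $folder.Name
    $result = GetFolderACLRecursive $folder.FullName $user $false
    if ($result -eq $false) {
        # $false is only returned for an existing account, but re-check before
        # granting rights to "$Domain\$user".
        if ($null -ne (Find-AdAccount $user)) {
            SetFolderACL $user $true $false $true    # remove inheritance, strip explicit ACEs
            SetFolderACL $user $true $true  $false   # re-enable inheritance, grant user Modify
        }
    }
}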