Score:1

Create shared folder as active directory would in powershell


With Active Directory I can manually create new users. Every time I do that, I use right click -> Copy on that user, then I modify some things like Name, Surname and SamAccountName. This process creates a new user with common properties with the copied user and also a home folder in our NAS (with path $NAS_path). I created a script to automate that and it works. The fundamental part of it is

```powershell
# Load the existing user that serves as the template for the new account
$templateUser = Get-ADUser -Identity $usertocopy -Properties ObjectCategory, ObjectClass, PrincipalsAllowedToDelegateToAccount
# Create the new account, passing the template user as -Instance
New-ADUser -Name "$($user_name) $($user_surname)" -GivenName $user_name -Surname $user_surname -Description "employee" -SamAccountName $user_domain_name -UserPrincipalName "$($user_domain_name)@myorg" -HomeDirectory "$($NAS_path)\$($user_domain_name)" -HomeDrive "W:" -AccountPassword $password -ChangePasswordAtLogon $true -Instance $templateUser
```

For the most part I'm ok with the result. But it just creates a new user. How can I create a folder in the NAS with "similar" permissions for the new user? By "similar" I mean that the new user can do the same things with their new folder that the old user can do with their folder. These are the permissions of the folder \\NASPATH\test.test of the user with SamAccountName test.test:

```powershell
Get-Acl \\NASPATH\test.test | Format-List
```

```
Path   : Microsoft.PowerShell.Core\FileSystem::\\NASPATH\test.test
Owner  : BUILTIN\Administrators
Group  : MYORG\Domain Users
Access : BUILTIN\Administrators Allow  268435456
         BUILTIN\Administrators Allow  FullControl
         MYORG\test.test Allow  268435456
         MYORG\test.test Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         NT AUTHORITY\SYSTEM Allow  FullControl
         CREATOR OWNER Allow  FullControl
         MYORG\ouradmin Allow  FullControl
Audit  : 
Sddl   : O:BAG:DUD:AI(A;OICIIO;GA;;;BA)(A;;FA;;;BA)(A;OICIIO;GA;;;S-1-5-21-2801405462-3170940757-3729986713-3219)(A;;FA
         ;;;S-1-5-21-2801405462-3170940757-3729986713-3219)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIIOID;FA;;;CO)(A;O
         ICIID;FA;;;S-1-5-21-2801405462-3170940757-3729986713-1530)
```

Score:0

If you create the user with -HomeDirectory "\\Server\Share\%username%" the folder will be created on logon with the user as owner.

The user needs to be able to create folders on \\Server\Share\. You could give this permission to a group like "all_users" which every user will be put into when creating. Give Create files / write data and Create folders / append data permissions.

As far as I'm aware, most sysadmins keep it that way.

Fral:
Unfortunately this is not my case. I checked that when creating a new user through manually copying an older one the shared folder gets created immediately (before user logon!). Anyway I created a user using my script and it didn't create any folder, I logged in with the new user, then I logged off and checked back the shared folders: the folder for the new user wasn't created...
Fral:
By "The user needs to be able to create folders on \\Server\Share\%username%", do you mean that I need to give some permission to the user before logon? So that the folder gets automatically generated at logon?
Manu:
Yes, you could give this permission to a group like "all_users" which every user will be put into when creating. Give "Create files / write data", "Create folders / append data".
Fral:
Thank you. I guess that this is a permission problem. In particular when creating the user I didn't copy the `PrimaryGroup` and `PrimaryGroupId` properties (because I got some errors), so I think that the created user belongs to no group, therefore it has no permissions. I'll try to create a user in an actual group and see if the magic happens (the folder gets automatically created)
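
One way to create the home folder from the script itself rather than waiting for logon, as an added example (not code from the question or the answer). It assumes it runs after `New-ADUser` under an account allowed to create folders and change ACLs on the share; `New-HomeFolder` is a hypothetical helper name, and the single FullControl entry it adds gives the same effective access as the two explicit `MYORG\test.test` entries in the ACL shown in the question.

```powershell
# Added example. $NAS_path, $user_domain_name and the MYORG domain come from
# the question; New-HomeFolder is a hypothetical helper name.
function New-HomeFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $NasPath,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Domain = 'MYORG'
    )

    $path = Join-Path -Path $NasPath -ChildPath $SamAccountName
    # Refuse to adopt a folder that already exists: its ACL is unknown.
    if (Test-Path -LiteralPath $path) {
        throw "Home folder '$path' already exists; review its ACL manually."
    }
    New-Item -Path $path -ItemType Directory -ErrorAction Stop | Out-Null

    # Resolve the account first so a typo fails here instead of leaving
    # a folder with no usable entry for its intended owner.
    $account = [System.Security.Principal.NTAccount]::new($Domain, $SamAccountName)
    $null = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # FullControl on this folder, its subfolders and its files.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $account,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # Inherited entries (Administrators, SYSTEM, ...) are left untouched.
    $acl = Get-Acl -LiteralPath $path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl

    # Read the ACL back and return the explicit (non-inherited) entries
    # so the caller can confirm that only the new user was added.
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags
}

# Usage inside the question's script, after New-ADUser:
# New-HomeFolder -NasPath $NAS_path -SamAccountName $user_domain_name
```

The returned list should contain exactly one entry, for the new user; any other explicit entry means the folder grants access the template folder did not.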