Microsoft Virtualization Discussions
I'm looking to take a list of Active Directory usernames, poll Active Directory for the Home Directory, which shows as \\occ01fs010\~username, and then alter the share for the user's home directory to read only. The problem I can't figure out is how to get the script to find and use the absolute path, since it can't find \\dfsservername\~username. The user could reside anywhere in these locations.
\\occ01fs010\home1$\users1
\\occ01fs010\home1$\users2
\\occ01fs010\home1$\users3
\\occ01fs010\home1$\users4
\\occ01fs010\home2$
\\occ01fs010\home3$
\\occ01fs010\home4$
Any help or pointers would be greatly appreciated.
First, let me ask this: what version of ONTAP, 7-Mode or cDOT? And are you saying that you aren't using the home directory search paths and you are using a 1:1 share ratio?
I think it's the latter because your home shares start with ~user, but with a home-directory search path this is usually a home directory.
I can see if I can assist once you reply.
First, I'm not the NetApp administrator, I just have access to change permissions on the shares through Windows tools and/or PowerShell. Pretty sure we're using home directory search paths because I can access a user's files by going to \\occ01fs010\~username.
Right now we're using the script below. The problem is, I have to go and find the location on the filer where each user's home directory is located. It could be any of the locations I listed earlier.
#Load Active Directory Module
Import-Module activedirectory
# Users.csv supplies a Name and a Location column for each user
$csv = Import-Csv C:\Scripts\Users.csv
ForEach ($line in $csv)
{
    $Name = $line.Name
    $Location = $line.Location
    # Folder to change: the location looked up by hand plus the username
    $Path = "$Location\$Name"
    # Values for the ACE: read/execute, inherited by files only, Allow
    $colRights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    #$flags = [Security.AccessControl.InheritanceFlags]($InheritanceFlag::ContainerInherit -bor $InheritanceFlag::ObjectInherit)
    $objACL = Get-ACL $Path
    #$objUser = New-Object System.Security.Principal.NTAccount("na\$name")
    #$objUser = New-Object Security.AccessControl.FileSystemAccessRule ((New-Object System.Security.Principal.NTAccount("na\$name")),$colRights, $InheritanceFlag, $PropagationFlag, $objType)
    $objACE = New-Object Security.AccessControl.FileSystemAccessRule `
        ("na\$Name", $colRights, $InheritanceFlag, $PropagationFlag, $objType)
    # SetAccessRule replaces the account's existing Allow entries with this one
    $objACL.SetAccessRule($objACE)
    Set-ACL $Path $objACL
}
I was able to figure this out. I removed the location part of the script and altered the path in the script. A couple of tweaks to my inheritance and it's exactly what I needed. Glad I came to the NetApp site to understand some things.
#Load Active Directory Module
Import-Module activedirectory
# Users.csv supplies a Name column for each user
$csv = Import-Csv C:\Scripts\Users.csv
ForEach ($line in $csv)
{
    $Name = $line.Name
    # Address the folder through the ~username home share instead of its physical location
    $Path = "\\OCC01FS011\~$Name"
    # Values for the ACE: read/execute plus delete rights, inherited by subfolders and files, Allow
    $colRights = [System.Security.AccessControl.FileSystemRights]"DeleteSubdirectoriesAndFiles, Delete, ReadAndExecute"
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
    $objType = [System.Security.AccessControl.AccessControlType]::Allow
    #$flags = [Security.AccessControl.InheritanceFlags]($InheritanceFlag::ContainerInherit -bor $InheritanceFlag::ObjectInherit)
    $objACL = Get-ACL $Path
    #$objUser = New-Object System.Security.Principal.NTAccount("na\$name")
    #$objUser = New-Object Security.AccessControl.FileSystemAccessRule ((New-Object System.Security.Principal.NTAccount("na\$name")),$colRights, $InheritanceFlag, $PropagationFlag, $objType)
    $objACE = New-Object Security.AccessControl.FileSystemAccessRule `
        ("na\$Name", $colRights, $InheritanceFlag, $PropagationFlag, $objType)
    # SetAccessRule replaces the account's existing Allow entries with this one
    $objACL.SetAccessRule($objACE)
    Set-ACL $Path $objACL
}
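An added example, not code from anyone in this thread: it finds each user's folder by probing the locations listed in the question, saves the folder's DACL as SDDL before changing it, applies a ReadAndExecute entry, then reads the ACL back and reports any Allow entry that still grants the account write access. The function names and C:\Scripts\AclBackup.csv are hypothetical; the "na" domain, Users.csv and its Name column come from the scripts above.

```powershell
# Added example. Roots are the locations listed in the question; the "na" domain and
# the Name column of Users.csv come from the thread's scripts. AclBackup.csv is assumed.
$Roots = '\\occ01fs010\home1$\users1', '\\occ01fs010\home1$\users2',
         '\\occ01fs010\home1$\users3', '\\occ01fs010\home1$\users4',
         '\\occ01fs010\home2$', '\\occ01fs010\home3$', '\\occ01fs010\home4$'

function Resolve-HomePath {               # hypothetical helper name
    param([string]$Name, [string[]]$Roots)
    # Return every root that actually holds a folder for this user.
    $Roots | ForEach-Object { Join-Path $_ $Name } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Container }
}

function Set-HomeReadOnly {               # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$Account, [string]$BackupCsv)
    $acl = Get-Acl -LiteralPath $Path
    $aceArgs = $Account, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $aceArgs
    if (-not $PSCmdlet.ShouldProcess($Path, "Set $Account to ReadAndExecute")) { return }
    # Record the current DACL as SDDL first so the change can be reverted.
    [pscustomobject]@{ Path = $Path; Sddl = $acl.GetSecurityDescriptorSddlForm('Access') } |
        Export-Csv -Path $BackupCsv -Append -NoTypeInformation
    $acl.SetAccessRule($rule)             # replaces the account's explicit Allow entries
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Read back: an Allow entry that still carries write bits for the account
    # (for example an inherited one) means the folder is not read-only for them.
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $write) -ne 0
    }
}

foreach ($line in Import-Csv C:\Scripts\Users.csv) {
    $hits = @(Resolve-HomePath -Name $line.Name -Roots $Roots)
    if ($hits.Count -ne 1) { Write-Warning "$($line.Name): $($hits.Count) matches, skipped"; continue }
    $left = @(Set-HomeReadOnly -Path $hits[0] -Account "na\$($line.Name)" -BackupCsv C:\Scripts\AclBackup.csv)
    if ($left.Count) { Write-Warning "$($hits[0]): $($left.Count) entry(ies) still grant write" }
}
```

Adding -WhatIf to the Set-HomeReadOnly call lists the folders that would be changed without writing the backup or the ACL. Write access that reaches the user through a group entry is not covered by the read-back check, which only matches the account itself.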
Ok, let's clear things up again.
Are you talking share permissions or NTFS permissions on the directory?
Also, if you don't have NetApp rights, it looks like you are some sort of Windows administrator and could be a built-in administrator.
Also, those are the .NET raw cmds, but I find it easier to use a Microsoft community-supplied module, NTFSSecurity, for NTFS.
https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85
Download it, put it into your modules directory, put the path in your profile and import it.
That module is amazing and uses alphafs.dll, which is a customized DLL that was community developed to help with Windows permissions.
We have all been waiting for native permissioning in PowerShell for a long time.
Also, there are tons of native cmdlets for NetApp.