Microsoft Virtualization Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Microsoft Virtualization Discussions

This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Start a New Post

How to Change Home Directories to Read Only with only Active Directory Username supplied

natemclean
‎2017-03-14 08:09 AM

I'm looking to take a list of Active Directory usernames, poll Active Directory for the Home Directory which shows as \\occ01fs010\~username, and then alter the share for the users home directory to read only.  The problem i can't figure out is how to get the script to find and use the absolute path since it can't find \\dfsservername\~username.  The user could reside anywhere on these locations.

 

\\occ01fs010\home1$\users1

\\occ01fs010\home1$\users2

\\occ01fs010\home1$\users3

\\occ01fs010\home1$\users4

\\occ01fs010\home2$

\\occ01fs010\home3$

\\occ01fs010\home4$

 

Any help or pointers would be greatly appreciated.

0 Kudos
View By:
1 ACCEPTED SOLUTION

natemclean
‎2017-03-14 09:54 AM

I was able to figure this out.  I removed the location part of the script and altered the path in the script.  Couple of tweaks to my inheritance and it's exactly what i needed.  Glad i came to the Netapp site to understand some things.

 

 

#Load Active Directory Module

Import-Module activedirectory

 

$csv = Import-Csv C:\Scripts\Users.csv

ForEach($line in $csv)

{

 

$Name = $line.Name;

$Path = "\\OCC01FS011\~$Name";

 

$colRights = [System.Security.AccessControl.FileSystemRights]"DeleteSubdirectoriesAndFiles, Delete, ReadAndExecute"

$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None

$objType =[System.Security.AccessControl.AccessControlType]::Allow

#$flags = [Security.AccessControl.InheritanceFlags]($InheritanceFlag::ContainerInherit -bor $InheritanceFlag::ObjectInherit)

 

$objACL = Get-ACL $Path

 

#$objUser = New-Object System.Security.Principal.NTAccount("na\$name")

#$objUser = New-Object Security.AccessControl.FileSystemAccessRule ((New-Object System.Security.Principal.NTAccount("na\$name")),$colRights, $InheritanceFlag, $PropagationFlag, $objType)

 

$objACE = New-Object Security.AccessControl.FileSystemAccessRule `

    ("na\$Name", $colRights, $InheritanceFlag, $PropagationFlag, $objType)

 

 

$objACL.SetAccessRule($objACE)

 

Set-ACL $Path $objACL

}

View solution in original post

0 Kudos
4 REPLIES 4

natemclean
‎2017-03-14 09:54 AM

I was able to figure this out.  I removed the location part of the script and altered the path in the script.  Couple of tweaks to my inheritance and it's exactly what i needed.  Glad i came to the Netapp site to understand some things.

 

 

#Load Active Directory Module

Import-Module activedirectory

 

$csv = Import-Csv C:\Scripts\Users.csv

ForEach($line in $csv)

{

 

$Name = $line.Name;

$Path = "\\OCC01FS011\~$Name";

 

$colRights = [System.Security.AccessControl.FileSystemRights]"DeleteSubdirectoriesAndFiles, Delete, ReadAndExecute"

$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None

$objType =[System.Security.AccessControl.AccessControlType]::Allow

#$flags = [Security.AccessControl.InheritanceFlags]($InheritanceFlag::ContainerInherit -bor $InheritanceFlag::ObjectInherit)

 

$objACL = Get-ACL $Path

 

#$objUser = New-Object System.Security.Principal.NTAccount("na\$name")

#$objUser = New-Object Security.AccessControl.FileSystemAccessRule ((New-Object System.Security.Principal.NTAccount("na\$name")),$colRights, $InheritanceFlag, $PropagationFlag, $objType)

 

$objACE = New-Object Security.AccessControl.FileSystemAccessRule `

    ("na\$Name", $colRights, $InheritanceFlag, $PropagationFlag, $objType)

 

 

$objACL.SetAccessRule($objACE)

 

Set-ACL $Path $objACL

}

View solution in original post

0 Kudos

JGPSHNTAP
‎2017-03-14 10:24 AM
In response to natemclean

Ok, let's clear things up again.

 

Are you talking share permissions are NTFS permissions on the directory

 

Also, if you don't have Netapp rights, it looks like you are some sort of windows administrator and could be a built in administrator.

 

Also, Those are the .Net raw cmds, but I find it easier to use a microsoft community supplied module ntfssecurity for ntfs

 

https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85

 

Download, put it into your modules directory, put path in your profile and import

 

That module is amazing and uses alphafs.dll which is a customized dll that was communitiy developed to help with windows permissions.  

 

We have all been waiting for native permissioning in powershell for a long time.

 

Also, there are tons of native cmdlets for netapp

JGPSHNTAP
‎2017-03-14 08:18 AM

First, let me ask this, what version of ontap, 7-mode or cdot, and are you saying that you aren't using the homedirectory search paths and you are using a 1:1 share ratio.

 

I think it's the latter b/c your home shares start with ~user, but with home-directory search path this is usually a home directory.

 

I can see if I can assist once you reply

0 Kudos

natemclean
‎2017-03-14 08:55 AM
In response to JGPSHNTAP

First, i'm not the NETAPP administrator, i just have access to change permissions on the shares through Windows Tools and/or Powershell.  Pretty sure we're using home directory search paths because i can access a users files by going to \\occ01fs010\~username.

 

 

Right now we're using the below script.  The problem is, i have to go and find the location on the filer where each users home directory is located.  It could be any of the locations i listed earlier.

 

 

 

#Load Active Directory Module
Import-Module activedirectory

$csv = Import-Csv C:\Scripts\Users.csv
ForEach($line in $csv)
{

$Name = $line.Name;
$Location = $line.Location;
$Path = "$Location\$Name";

$colRights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
#$flags = [Security.AccessControl.InheritanceFlags]($InheritanceFlag::ContainerInherit -bor $InheritanceFlag::ObjectInherit)

$objACL = Get-ACL $Path

#$objUser = New-Object System.Security.Principal.NTAccount("na\$name")
#$objUser = New-Object Security.AccessControl.FileSystemAccessRule ((New-Object System.Security.Principal.NTAccount("na\$name")),$colRights, $InheritanceFlag, $PropagationFlag, $objType)

$objACE = New-Object Security.AccessControl.FileSystemAccessRule `
("na\$Name", $colRights, $InheritanceFlag, $PropagationFlag, $objType)


$objACL.SetAccessRule($objACE)

Set-ACL $Path $objACL
}

0 Kudos
Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

View All
NetApp Insights to Action
I2A Banner
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2021 NetApp
Let us know
Public