Solved: How to Change Home Directories to Read Only with only Active Directory Username supplied

natemclean · ‎2017-03-14

I'm looking to take a list of Active Directory usernames, poll Active Directory for the Home Directory which shows as \\occ01fs010\~username, and then alter the share for the users home directory to read only. The problem i can't figure out is how to get the script to find and use the absolute path since it can't find \\dfsservername\~username. The user could reside anywhere on these locations.

\\occ01fs010\home1$\users1

\\occ01fs010\home1$\users2

\\occ01fs010\home1$\users3

\\occ01fs010\home1$\users4

\\occ01fs010\home2$

\\occ01fs010\home3$

\\occ01fs010\home4$

Any help or pointers would be greatly appreciated.

JGPSHNTAP · ‎2017-03-14

First, let me ask this, what version of ontap, 7-mode or cdot, and are you saying that you aren't using the homedirectory search paths and you are using a 1:1 share ratio.

I think it's the latter b/c your home shares start with ~user, but with home-directory search path this is usually a home directory.

I can see if I can assist once you reply

natemclean · ‎2017-03-14

First, i'm not the NETAPP administrator, i just have access to change permissions on the shares through Windows Tools and/or Powershell. Pretty sure we're using home directory search paths because i can access a users files by going to \\occ01fs010\~username.

Right now we're using the below script. The problem is, i have to go and find the location on the filer where each users home directory is located. It could be any of the locations i listed earlier.

#Load Active Directory Module
Import-Module activedirectory

$csv = Import-Csv C:\Scripts\Users.csv
ForEach($line in $csv)
{

$Name = $line.Name;
$Location = $line.Location;
$Path = "$Location\$Name";

$colRights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
#$flags = [Security.AccessControl.InheritanceFlags]($InheritanceFlag::ContainerInherit -bor $InheritanceFlag::ObjectInherit)

$objACL = Get-ACL $Path

#$objUser = New-Object System.Security.Principal.NTAccount("na\$name")
#$objUser = New-Object Security.AccessControl.FileSystemAccessRule ((New-Object System.Security.Principal.NTAccount("na\$name")),$colRights, $InheritanceFlag, $PropagationFlag, $objType)

$objACE = New-Object Security.AccessControl.FileSystemAccessRule `
("na\$Name", $colRights, $InheritanceFlag, $PropagationFlag, $objType)

$objACL.SetAccessRule($objACE)

Set-ACL $Path $objACL
}

natemclean · ‎2017-03-14

I was able to figure this out. I removed the location part of the script and altered the path in the script. Couple of tweaks to my inheritance and it's exactly what i needed. Glad i came to the Netapp site to understand some things.

#Load Active Directory Module

Import-Module activedirectory

$csv = Import-Csv C:\Scripts\Users.csv

ForEach($line in $csv)

{

$Name = $line.Name;

$Path = "\\OCC01FS011\~$Name";

$colRights = [System.Security.AccessControl.FileSystemRights]"DeleteSubdirectoriesAndFiles, Delete, ReadAndExecute"

$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None

$objType =[System.Security.AccessControl.AccessControlType]::Allow

#$flags = [Security.AccessControl.InheritanceFlags]($InheritanceFlag::ContainerInherit -bor $InheritanceFlag::ObjectInherit)

$objACL = Get-ACL $Path

#$objUser = New-Object System.Security.Principal.NTAccount("na\$name")

#$objUser = New-Object Security.AccessControl.FileSystemAccessRule ((New-Object System.Security.Principal.NTAccount("na\$name")),$colRights, $InheritanceFlag, $PropagationFlag, $objType)

$objACE = New-Object Security.AccessControl.FileSystemAccessRule `

("na\$Name", $colRights, $InheritanceFlag, $PropagationFlag, $objType)

$objACL.SetAccessRule($objACE)

Set-ACL $Path $objACL

}

View solution in original post

JGPSHNTAP · ‎2017-03-14

Ok, let's clear things up again.

Are you talking share permissions are NTFS permissions on the directory

Also, if you don't have Netapp rights, it looks like you are some sort of windows administrator and could be a built in administrator.

Also, Those are the .Net raw cmds, but I find it easier to use a microsoft community supplied module ntfssecurity for ntfs

https://gallery.technet.microsoft.com/scriptcenter/1abd77a5-9c0b-4a2b-acef-90dbb2b84e85

Download, put it into your modules directory, put path in your profile and import

That module is amazing and uses alphafs.dll which is a customized dll that was communitiy developed to help with windows permissions.

We have all been waiting for native permissioning in powershell for a long time.

Also, there are tons of native cmdlets for netapp

How to Change Home Directories to Read Only with only Active Directory Username supplied

Re: How to Change Home Directories to Read Only with only Active Directory Username supplied

Re: How to Change Home Directories to Read Only with only Active Directory Username supplied

Re: How to Change Home Directories to Read Only with only Active Directory Username supplied

Re: How to Change Home Directories to Read Only with only Active Directory Username supplied