PowerShell Discussions
PowerShell Discussions
We are running 9.16.1p9 and recently turned off HTTP and HTTPS access to our SVM (recently turned only HTTPS back on) where we host some of our homedrives. This is where the powershell toolkit script is pointed. The SVM has a role that only allows certain behaviors
API Access level
| DEFAULT | None |
| version | Read-only |
| volume create | Read-only |
| volume modify | Read-only |
| volume show | Read-only |
| vserver cifs share access-control create | Read/write |
| vserver cifs share access-control delete | Read/write |
| vserver cifs share access-control modify | Read/write |
| vserver cifs share access-control show | Read/write |
| vserver cifs share create | Read/write |
| vserver cifs share delete | Read/write |
| vserver cifs share modify | Read/write |
| vserver cifs share show | Read/write |
When we have allowed VSAdmin the script will run but cant tell why the role causes it to fail
the script itself (sanitized for posting purposes) is
#F U N C T I O N S
function Get_NetApp1_Folder_Array()
{
$Folders = @()
$Folders = "\NetApp01$\Users"
Return $Folders
Return $Folders
}
function Get_NetApp2_Folder_Array()
{
$Folders = @()
$Folders = "\netapp01$\Users", "\netapp02$\Users", `
"\netapp03$\Users"
Return $Folders
}
function Get_NetApp3_Folder_Array()
{
$Folders = @()
$Folders = "\netapp01$\Users", "\netapp02$\Users", `
"\netapp03$\Users", "\netapp04$\Users", `
"\netapp05$\Users"
Return $Folders
}
function Get_NetApp4_Folder_Array()
{
$Folders = @()
$Folders = "\netapp01$\Users","\netapp02$\Users", `
"\netapp03$\Users", "\netapp04$\Users", `
"\netapp05$\Users", "\netapp06$\Users", `
"\netapp07$\Users"
Return $Folders
}
function Get_Device_Volumes ($Device)
{
$User = "DOMAIN\SERVICEACCOUNT"
$Password = "SERVICEACCOUNT-PASSWORD"
$SecurePass = ConvertTo-SecureString -String $Password -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential $User, $SecurePass
$nacontroller = Connect-NcController $Device -HTTPS -Credential $Credential
$VolumeNameArray = Get-NcVol -Controller $nacontroller
Return $VolumeNameArray
}
function Test_For_User_Folder ($FolderPath2Use)
{
$FolderMessage = Test-Path $FolderPath2Use
Return $FolderMessage
}
function Create_User_Folder ($FolderPath2Use)
{
Try
{
New-Item -ItemType directory -Path $FolderPath2Use -ea Stop
$ReturnMessage = "The folder was created successfully."
}
Catch
{
$ErrorMessage = $_.Exception.Message
$ReturnMessage = "ERROR " + $ErrorMessage
Write-Host $ErrorMessage
}
Return $ReturnMessage
}
function Set_Folder_Permissions_NetApp ($FolderPath2Use, $FQSNUser2Use)
{
$ACL = Get-ACL $FolderPath2Use # Get the existing security members
$permission = $UserFQDN,"Modify","ContainerInherit,ObjectInherit","None","Allow"
$accessRule = new-object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.SetAccessRule($accessRule)
Try
{
$acl | Set-Acl $FolderPath2Use -ea Stop
$ReturnMessage = "Permissions set for user " + $FQSNUser2Use + " on " + $FolderPath2Use
}
Catch
{
$ErrorMessage = $_.Exception.Message
$ReturnMessage = "ERROR " + $ErrorMessage
}
Return $ReturnMessage
}
function Share_Folder_NetApp ($Volume2Use, $Share2Use, $Controller2Use)
{
$ShareMessage = ""
$FailedToConnect = "False"
Try
{
$User = "DOMAIN\SERVICEACCOUNT"
$Password = "SERVICEACCOUNT-PASSWORD"
$SecurePass = ConvertTo-SecureString -String $Password -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential $User, $SecurePass
$Controller = Connect-NcController $Controller2Use -Credential $Credential -Transient:$true -ea Stop
$FailedToConnect = "False"
}
Catch
{
$ErrorMessage = $_.Exception.Message
$FailedToConnect = "True"
$ReturnMessage = "ERROR " + $ErrorMessage
}
if ($FailedToConnect -eq "False")
{
Try
{
Add-NcCifsShare -name $Share2Use -Path $Volume2Use -Controller $Controller -Comment "Home Share"
}
Catch
{
$ErrorMessage = $_.Exception.Message
$ShareMessage = "ERROR " + $ErrorMessage
}
Try
{
Add-NcCifsShareAcl -Share $Share2Use -UserOrGroup "Authenticated Users" -Permission full_control -Controller $Controller -ea Stop
}
Catch
{
$ErrorMessage = $_.Exception.Message
$ShareMessage = "ERROR " + $ErrorMessage
}
Try
{
Set-NcCifsShareAcl -Share $Share2Use -UserOrGroup "Authenticated Users" -Permission full_control -Controller $Controller -ea Stop
}
Catch
{
$ErrorMessage = $_.Exception.Message
$ShareMessage = "ERROR " + $ErrorMessage
}
Try
{
Remove-NcCifsShareAcl -Share $Share2Use -UserOrGroup "Everyone" -Controller $Controller -ea SilentlyContinue
}
Catch
{
$ErrorMessage = $_.Exception.Message
$ShareMessage = "ERROR " + $ErrorMessage
}
}
$ShareMessage = "Share successfully created"
Return $ShareMessage
}
function RemoveNTFSPermissions($path, $object, $permission)
{
$FileSystemRights = [System.Security.AccessControl.FileSystemRights]$permission
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]"None"
$AccessControlType =[System.Security.AccessControl.AccessControlType]::Allow
$Account = New-Object System.Security.Principal.NTAccount($object)
$FileSystemAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $FileSystemRights, $InheritanceFlag, $PropagationFlag, $AccessControlType)
$DirectorySecurity = Get-ACL $path
$DirectorySecurity.RemoveAccessRuleAll($FileSystemAccessRule)
Try
{
Set-ACL $path -AclObject $DirectorySecurity -ErrorAction SilentlyContinue
}
Catch
{
$ErrorMessage = $_.Exception.Message
}
}
function RemoveInheritance($path)
{
$isProtected = $true
$preserveInheritance = $true
$DirectorySecurity = Get-ACL $path
$DirectorySecurity.SetAccessRuleProtection($isProtected, $preserveInheritance)
Try
{
Set-ACL $path -AclObject $DirectorySecurity -ErrorAction SilentlyContinue
}
Catch
{
$ErrorMessage = $_.Exception.Message
}
}
#MAIN PROCESSING THREAD
#Add values for variables from previous operation
$HomeDrive = "\\NetApp1\JUser$"
$HomeDrive = $HomeDrive.Trim()
$SplitForUser = $HomeDrive.Replace("\\","")
$SplitForUser = $SplitForUser.Split("\")
$UserName = $SplitForUser[1]
$UserName = $UserName.Replace("$","")
$Server = $SplitForUser[0]
$UserShare = $UserName + "$"
$UserFQDN = "Domain\" + $UserName
$NetAppDevice = $Server
Write-Host $UserName
#Check to see if the share already exists
#$NetAppShareExists = Test_For_User_Folder $HomeDrive
$NetAppShareExists = $False
if ($NetAppShareExists -eq $False)
{
$bOpStatus = "OK"
$bOpMessage = "Share Good"
if ($NetAppDevice -eq "NetApp1")
{
$FolderArray = Get_NetApp1_Folder_Array
}
if ($NetAppDevice -eq "NetApp2")
{
$FolderArray = Get_NetApp2_Folder_Array
}
if ($NetAppDevice -eq "NetApp3")
{
$FolderArray = Get_NetApp3_Folder_Array
}
if ($NetAppDevice -eq "NetApp4")
{
$FolderArray = Get_NetApp4_Folder_Array
}
$controller = $NetAppDevice
$NetAppVolumes = Get_Device_Volumes $controller
foreach ($Volume in $NetAppVolumes)
{
$Check = "*" + $Volume + "*"
foreach ($Folder in $FolderArray)
{
if ($Folder -like $Check)
{
$TotalSpace = $TotalSpace + $Volume.Available
$Volumes += $Volume
}
}
}
$Volumes = $Volumes | sort-object Available -descending
foreach ($Folder in $FolderArray)
{
$Check = "*" + $Volumes[0] + "*"
if ($Folder -like $Check)
{
$FolderPath = $Folder + "\"
$UseVolume = $Volumes[0]
Break
}
}
$PhysicalPath = "\\" + $NetAppDevice + $FolderPath + $UserName
Write-Host $PhysicalPath
$FolderTest = Test_For_User_Folder $PhysicalPath
#Write-Host $PhysicalPath
$FolderCreateMessage = ""
if ($FolderTest -eq $False)
{
$FolderCreateMessage = Create_User_Folder $PhysicalPath
}
if ($FolderCreateMessage -like '*ERROR*')
{
$FolderCreated = "False"
$bOpStatus = "Failed"
$bOpMessage = "Could not create the user folder."
}
Else
{
$FolderCreated = "True"
}
if ($FolderCreated -eq "True")
{
$PermissionSetMessage = Set_Folder_Permissions_NetApp $PhysicalPath $UserFQDN
RemoveInheritance $PhysicalPath
RemoveNTFSPermissions $PhysicalPath "Authenticated Users" "Modify, ChangePermissions"
RemoveNTFSPermissions $PhysicalPath "Users" "Modify, ChangePermissions"
RemoveNTFSPermissions $PhysicalPath "Creator Owner" "Modify, ChangePermissions"
RemoveNTFSPermissions $PhysicalPath "SYSTEM" "Modify, ChangePermissions"
if ($PermissionSetMessage -like '*ERROR*')
{
#$PermissionSet = "True"
$PermissionSet = "False"
$bOpStatus = "Failed"
$bOpMessage = "Unable to set folder permissions."
}
Else
{
$PermissionSet = "True"
}
If ($PermissionSet -eq "True")
{
$NetAppVolumeSharePath = "/vol/" + $UseVolume + "/Users/" + $UserName
$NetAppShare = $UserShare
$ShareCreateMessage = Share_Folder_NetApp $NetAppVolumeSharePath $NetAppShare $NetAppDevice
if ($ShareCreateMessage -like '*ERROR*')
{
$ShareSet = "False"
$bOpStatus = "Failed"
$bOpMessage = "Unable to share the folder."
}
Else
{
$ShareSet = "True"
$bOpStatus = "Completed"
$bOpMessage = "User Share Created."
}
}
}
}
Else
{
$bOpStatus = "Failed"
$bOpMessage = "User Share Already Exists."
}
new-Object pscustomobject -property @{
StatusMsg = $bOpMessage
Status = $bOpStatus
}
Any help figuring out where we have gone wrong would be amazing. This script has worked for years and since we have started locking down more and more features we are discovering some issues.
Thank you in advance