PowerShell Discussions

PowerShell Toolkit stopped working to create shares and can't figure out why

JBrendan101

We are running 9.16.1p9 and recently turned off HTTP and HTTPS access to our SVM (recently turned only HTTPS back on) where we host some of our homedrives. This is where the PowerShell Toolkit script is pointed. The SVM has a role that only allows certain behaviors:

 

API                                          Access level
DEFAULT                                      None
version                                      Read-only
volume create                                Read-only
volume modify                                Read-only
volume show                                  Read-only
vserver cifs share access-control create     Read/write
vserver cifs share access-control delete     Read/write
vserver cifs share access-control modify     Read/write
vserver cifs share access-control show       Read/write
vserver cifs share create                    Read/write
vserver cifs share delete                    Read/write
vserver cifs share modify                    Read/write
vserver cifs share show                      Read/write

When we have allowed VSAdmin the script will run, but we can't tell why the role causes it to fail.

 

The script itself (sanitized for posting purposes) is:

 

#F U N C T I O N S

function Get_NetApp1_Folder_Array()
{
    # Home-folder roots on this filer, one entry per volume
    $Folders = @("\NetApp01$\Users")
    Return $Folders
}

function Get_NetApp2_Folder_Array()
{
    $Folders = @("\netapp01$\Users", "\netapp02$\Users", `
                 "\netapp03$\Users")
    Return $Folders
}

function Get_NetApp3_Folder_Array()
{
    $Folders = @("\netapp01$\Users", "\netapp02$\Users", `
                 "\netapp03$\Users", "\netapp04$\Users", `
                 "\netapp05$\Users")
    Return $Folders
}

function Get_NetApp4_Folder_Array()
{
    $Folders = @("\netapp01$\Users", "\netapp02$\Users", `
                 "\netapp03$\Users", "\netapp04$\Users", `
                 "\netapp05$\Users", "\netapp06$\Users", `
                 "\netapp07$\Users")
    Return $Folders
}

function Get_Device_Volumes ($Device)
{
    # Service account used for the toolkit connection (sanitized)
    $User = "DOMAIN\SERVICEACCOUNT"
    $Password = "SERVICEACCOUNT-PASSWORD"

    $SecurePass = ConvertTo-SecureString -String $Password -AsPlainText -Force
    $Credential = New-Object System.Management.Automation.PSCredential $User, $SecurePass

    # HTTPS only: HTTP access to the SVM is disabled
    $nacontroller = Connect-NcController $Device -HTTPS -Credential $Credential
    # "volume show" is the only volume API this step needs
    $VolumeNameArray = Get-NcVol -Controller $nacontroller
    Return $VolumeNameArray
}

function Test_For_User_Folder ($FolderPath2Use)
{
    $FolderMessage = Test-Path $FolderPath2Use
    Return $FolderMessage
}

function Create_User_Folder ($FolderPath2Use)
{
    Try
    {
        New-Item -ItemType directory -Path $FolderPath2Use -ea Stop
        $ReturnMessage = "The folder was created successfully."
    }
    Catch
    {
        $ErrorMessage = $_.Exception.Message
        $ReturnMessage = "ERROR " + $ErrorMessage
        Write-Host $ErrorMessage
    }
    Return $ReturnMessage
}

function Set_Folder_Permissions_NetApp ($FolderPath2Use, $FQSNUser2Use)
{
    $ACL = Get-ACL $FolderPath2Use                          # Get the existing security members

    # Grant the user Modify on the folder, inherited by sub-folders and files.
    # Uses the $FQSNUser2Use parameter instead of the script-level $UserFQDN.
    $permission = $FQSNUser2Use, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission

    $ACL.SetAccessRule($accessRule)

    Try
    {
        $ACL | Set-Acl $FolderPath2Use -ea Stop
        $ReturnMessage = "Permissions set for user " + $FQSNUser2Use + " on " + $FolderPath2Use
    }
    Catch
    {
        $ErrorMessage = $_.Exception.Message
        $ReturnMessage = "ERROR " + $ErrorMessage
    }
    Return $ReturnMessage
}

function Share_Folder_NetApp ($Volume2Use, $Share2Use, $Controller2Use)
{
    $ShareMessage = ""
    $FailedToConnect = "False"

    Try
    {
        $User = "DOMAIN\SERVICEACCOUNT"
        $Password = "SERVICEACCOUNT-PASSWORD"

        $SecurePass = ConvertTo-SecureString -String $Password -AsPlainText -Force
        $Credential = New-Object System.Management.Automation.PSCredential $User, $SecurePass

        # -HTTPS added to match Get_Device_Volumes; only HTTPS is enabled on the SVM
        $Controller = Connect-NcController $Controller2Use -HTTPS -Credential $Credential -Transient:$true -ea Stop
        $FailedToConnect = "False"
    }
    Catch
    {
        $ErrorMessage = $_.Exception.Message
        $FailedToConnect = "True"
        # Report through $ShareMessage, which is the value this function returns
        $ShareMessage = "ERROR " + $ErrorMessage
    }

    if ($FailedToConnect -eq "False")
    {
        Try
        {
            # -ea Stop so a rejected share create is caught instead of ignored
            Add-NcCifsShare -Name $Share2Use -Path $Volume2Use -Controller $Controller -Comment "Home Share" -ea Stop
        }
        Catch
        {
            $ErrorMessage = $_.Exception.Message
            $ShareMessage = "ERROR " + $ErrorMessage
        }

        Try
        {
            Add-NcCifsShareAcl -Share $Share2Use -UserOrGroup "Authenticated Users" -Permission full_control -Controller $Controller -ea Stop
        }
        Catch
        {
            $ErrorMessage = $_.Exception.Message
            $ShareMessage = "ERROR " + $ErrorMessage
        }

        Try
        {
            Set-NcCifsShareAcl -Share $Share2Use -UserOrGroup "Authenticated Users" -Permission full_control -Controller $Controller -ea Stop
        }
        Catch
        {
            $ErrorMessage = $_.Exception.Message
            $ShareMessage = "ERROR " + $ErrorMessage
        }

        Try
        {
            # Remove the Everyone entry from the share ACL, if present
            Remove-NcCifsShareAcl -Share $Share2Use -UserOrGroup "Everyone" -Controller $Controller -ea SilentlyContinue
        }
        Catch
        {
            $ErrorMessage = $_.Exception.Message
            $ShareMessage = "ERROR " + $ErrorMessage
        }
    }

    # Only report success when no step above recorded an error
    # (this assignment used to overwrite every error message unconditionally)
    if ($ShareMessage -notlike '*ERROR*')
    {
        $ShareMessage = "Share successfully created"
    }

    Return $ShareMessage
}

function RemoveNTFSPermissions($path, $object, $permission)
{
    # Build an Allow rule for the account, then strip every Allow rule
    # for that account from the folder ACL
    $FileSystemRights = [System.Security.AccessControl.FileSystemRights]$permission
    $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $PropagationFlag = [System.Security.AccessControl.PropagationFlags]"None"
    $AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow
    $Account = New-Object System.Security.Principal.NTAccount($object)
    $FileSystemAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $FileSystemRights, $InheritanceFlag, $PropagationFlag, $AccessControlType)
    $DirectorySecurity = Get-ACL $path
    $DirectorySecurity.RemoveAccessRuleAll($FileSystemAccessRule)
    Try
    {
        Set-ACL $path -AclObject $DirectorySecurity -ErrorAction SilentlyContinue
    }
    Catch
    {
        $ErrorMessage = $_.Exception.Message
    }
}

function RemoveInheritance($path)
{
    # Stop inheriting from the parent folder but keep copies of the inherited entries
    $isProtected = $true
    $preserveInheritance = $true
    $DirectorySecurity = Get-ACL $path
    $DirectorySecurity.SetAccessRuleProtection($isProtected, $preserveInheritance)
    Try
    {
        Set-ACL $path -AclObject $DirectorySecurity -ErrorAction SilentlyContinue
    }
    Catch
    {
        $ErrorMessage = $_.Exception.Message
    }
}

#MAIN PROCESSING THREAD

#Add values for variables from previous operation
$HomeDrive = "\\NetApp1\JUser$"
$HomeDrive = $HomeDrive.Trim()

# "\\NetApp1\JUser$" -> server "NetApp1", share "JUser$", user "JUser"
$SplitForUser = $HomeDrive.Replace("\\","")
$SplitForUser = $SplitForUser.Split("\")
$UserName = $SplitForUser[1]
$UserName = $UserName.Replace("$","")
$Server = $SplitForUser[0]
$UserShare = $UserName + "$"
$UserFQDN = "Domain\" + $UserName
$NetAppDevice = $Server

Write-Host $UserName

#Check to see if the share already exists
#$NetAppShareExists = Test_For_User_Folder $HomeDrive
$NetAppShareExists = $False

if ($NetAppShareExists -eq $False)
{
    $bOpStatus = "OK"
    $bOpMessage = "Share Good"

    if ($NetAppDevice -eq "NetApp1")
    {
        $FolderArray = Get_NetApp1_Folder_Array
    }

    if ($NetAppDevice -eq "NetApp2")
    {
        $FolderArray = Get_NetApp2_Folder_Array
    }

    if ($NetAppDevice -eq "NetApp3")
    {
        $FolderArray = Get_NetApp3_Folder_Array
    }

    if ($NetAppDevice -eq "NetApp4")
    {
        $FolderArray = Get_NetApp4_Folder_Array
    }

    $controller = $NetAppDevice
    $NetAppVolumes = Get_Device_Volumes $controller

    # Collect the volumes that back one of the home-folder roots
    $TotalSpace = 0
    $Volumes = @()
    foreach ($Volume in $NetAppVolumes)
    {
        $Check = "*" + $Volume + "*"

        foreach ($Folder in $FolderArray)
        {
            if ($Folder -like $Check)
            {
                $TotalSpace = $TotalSpace + $Volume.Available
                $Volumes += $Volume
            }
        }
    }

    # Put the new home folder on the volume with the most free space
    $Volumes = $Volumes | Sort-Object Available -Descending

    foreach ($Folder in $FolderArray)
    {
        $Check = "*" + $Volumes[0] + "*"
        if ($Folder -like $Check)
        {
            $FolderPath = $Folder + "\"
            $UseVolume = $Volumes[0]
            Break
        }
    }

    $PhysicalPath = "\\" + $NetAppDevice + $FolderPath + $UserName

    Write-Host $PhysicalPath

    $FolderTest = Test_For_User_Folder $PhysicalPath
    #Write-Host $PhysicalPath
    $FolderCreateMessage = ""
    if ($FolderTest -eq $False)
    {
        $FolderCreateMessage = Create_User_Folder $PhysicalPath
    }

    if ($FolderCreateMessage -like '*ERROR*')
    {
        $FolderCreated = "False"
        $bOpStatus = "Failed"
        $bOpMessage = "Could not create the user folder."
    }
    Else
    {
        $FolderCreated = "True"
    }

    if ($FolderCreated -eq "True")
    {
        $PermissionSetMessage = Set_Folder_Permissions_NetApp $PhysicalPath $UserFQDN

        # Break inheritance, then strip the broad inherited entries so that
        # the user and the remaining explicit entries keep access
        RemoveInheritance $PhysicalPath
        RemoveNTFSPermissions $PhysicalPath "Authenticated Users" "Modify, ChangePermissions"
        RemoveNTFSPermissions $PhysicalPath "Users" "Modify, ChangePermissions"
        RemoveNTFSPermissions $PhysicalPath "Creator Owner" "Modify, ChangePermissions"
        RemoveNTFSPermissions $PhysicalPath "SYSTEM" "Modify, ChangePermissions"

        if ($PermissionSetMessage -like '*ERROR*')
        {
            #$PermissionSet = "True"
            $PermissionSet = "False"
            $bOpStatus = "Failed"
            $bOpMessage = "Unable to set folder permissions."
        }
        Else
        {
            $PermissionSet = "True"
        }

        If ($PermissionSet -eq "True")
        {
            # Share path is the volume path to the user's folder on the SVM
            $NetAppVolumeSharePath = "/vol/" + $UseVolume + "/Users/" + $UserName
            $NetAppShare = $UserShare
            $ShareCreateMessage = Share_Folder_NetApp $NetAppVolumeSharePath $NetAppShare $NetAppDevice
            if ($ShareCreateMessage -like '*ERROR*')
            {
                $ShareSet = "False"
                $bOpStatus = "Failed"
                $bOpMessage = "Unable to share the folder."
            }
            Else
            {
                $ShareSet = "True"
                $bOpStatus = "Completed"
                $bOpMessage = "User Share Created."
            }
        }
    }
}
Else
{
    $bOpStatus = "Failed"
    $bOpMessage = "User Share Already Exists."
}

# Result object returned to the calling workflow
New-Object pscustomobject -Property @{
    StatusMsg = $bOpMessage
    Status = $bOpStatus
}

 

Any help figuring out where we have gone wrong would be amazing. This script has worked for years, and since we have started locking down more and more features we are discovering some issues.

 

Thank you in advance
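As an added diagnostic, not part of the original script or the toolkit, the probe below runs each Data ONTAP PowerShell Toolkit call the share-creation script depends on in its own try/catch over HTTPS, so the first call the restricted role rejects is reported with its own error text instead of being masked by a later success message. The SVM management address, service account, test volume path and test share name are placeholders, and the `-Confirm:$false` on the cleanup step is assumed to be supported by `Remove-NcCifsShare`.

```powershell
# Added diagnostic probe (not from the original post). Each toolkit call the
# share-creation script needs runs separately with -ErrorAction Stop, and the
# outcome is recorded so the role's first denial is visible with its message.
Import-Module DataONTAP

$Device     = "SVM-MGMT-LIF"              # placeholder: SVM management address
$User       = "DOMAIN\SERVICEACCOUNT"     # placeholder
$Password   = "SERVICEACCOUNT-PASSWORD"   # placeholder
$TestShare  = "pstk_probe$"               # constructed test share, removed at the end
$TestPath   = "/vol/VOLUME/Users"         # placeholder: an existing path on the SVM

$SecurePass = ConvertTo-SecureString -String $Password -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential $User, $SecurePass

# Runs one step and records OK or the exact error; later steps still run so the
# whole list of permitted and denied calls is collected in a single pass.
$Results = @()
function Probe ($Name, [scriptblock]$Action)
{
    try
    {
        $null = & $Action
        $script:Results += [pscustomobject]@{ Step = $Name; Result = "OK"; Detail = "" }
    }
    catch
    {
        $script:Results += [pscustomobject]@{ Step = $Name; Result = "FAILED"; Detail = $_.Exception.Message }
    }
}

# Same calls, same order, as the share-creation script (HTTPS only, like the SVM)
Probe "Connect-NcController (HTTPS)" { $script:Ctl = Connect-NcController $Device -HTTPS -Credential $Credential -Transient:$true -ErrorAction Stop }
Probe "Get-NcVol (volume show)"      { Get-NcVol -Controller $Ctl -ErrorAction Stop }
Probe "Add-NcCifsShare"              { Add-NcCifsShare -Name $TestShare -Path $TestPath -Controller $Ctl -Comment "probe" -ErrorAction Stop }
Probe "Add-NcCifsShareAcl"           { Add-NcCifsShareAcl -Share $TestShare -UserOrGroup "Authenticated Users" -Permission full_control -Controller $Ctl -ErrorAction Stop }
Probe "Set-NcCifsShareAcl"           { Set-NcCifsShareAcl -Share $TestShare -UserOrGroup "Authenticated Users" -Permission full_control -Controller $Ctl -ErrorAction Stop }
Probe "Remove-NcCifsShareAcl"        { Remove-NcCifsShareAcl -Share $TestShare -UserOrGroup "Everyone" -Controller $Ctl -ErrorAction Stop }
Probe "Remove-NcCifsShare (cleanup)" { Remove-NcCifsShare -Name $TestShare -Controller $Ctl -Confirm:$false -ErrorAction Stop }

# One row per step: the first FAILED row names the API the role does not grant
$Results | Format-Table -AutoSize -Wrap
```

Run it once under the restricted role and once under vsadmin; any step that fails only under the restricted role points at an API the role is missing, which can then be compared against the access table above.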

 
