Using powershell and SIDs to change ACLs

Recently I needed to create a lot of users and home directories. This gave me a challenge: how can I grant rights on a home folder within seconds of creating a user?

If you create a user, then a folder, and then set the rights through the folder's Properties > Security tab, searching for the user takes a while, because the domain controller you are talking to does not yet have information about the new user.

So how do you create thousands of users without building in long delays to allow for Active Directory replication? You turn to SIDs. The SID is the Security Identifier of the account, and it is the SID, not the account name, that is stored in the ACL.

If you open the Security tab now, you should see the raw SID instead of the account name, unless you are already talking to the same DC that created the user.

Francis Favorini commented that I could simplify the account-creation and SID-retrieval parts, so I implemented those too.
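The whole flow described above, written as an added example rather than the post's own script: create the user with -PassThru, take the SID from the returned object, and write the ACE against that SID so no name lookup is needed. $DomainController, $username and $homeRoot are assumed values.

```powershell
# Added example (not the original post's code).
# Assumptions: the ActiveDirectory module is installed, the caller can create users on
# $DomainController, and $homeRoot is a share where the caller may create folders and
# change their DACL (WRITE_DAC).
Import-Module ActiveDirectory

$DomainController = 'dc01.example.local'     # assumed: DC the user is created on
$username         = 'jdoe'                   # constructed sample account
$homeRoot         = '\\fileserver\home$'      # assumed home share
$homeFolder       = Join-Path $homeRoot $username

# -PassThru returns the new user object; its SID property is already a
# [System.Security.Principal.SecurityIdentifier], so no Get-ADUser round trip is needed.
$newUser = New-ADUser -Server $DomainController -Name $username -SamAccountName $username `
    -HomeDrive 'D:' -HomeDirectory $homeFolder -PassThru
$sid = $newUser.SID

if (-not (Test-Path -Path $homeFolder)) {
    New-Item -ItemType Directory -Path $homeFolder | Out-Null
}

# Build the ACE from the SID itself. The file server never has to resolve the name
# against a DC that may not have replicated the account yet.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $homeFolder
$acl.AddAccessRule($rule)
Set-Acl -Path $homeFolder -AclObject $acl

# Verify by SID rather than by name: the check works even while the name still
# shows up as a bare SID in the Security tab.
$present = (Get-Acl -Path $homeFolder).GetAccessRules($true, $true,
               [System.Security.Principal.SecurityIdentifier]) |
           Where-Object { $_.IdentityReference.Value -eq $sid.Value }
if (-not $present) { throw "ACE for $($sid.Value) was not written to $homeFolder" }
```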

Comments

  1. Francis Favorini says:

    You can make use of -PassThru on New-ADUser and get the SID directly from the returned object:
    $NewUser = New-ADUser -Server:$DomainController -Name $username -HomeDrive 'D:' -HomeDirectory $homeFolder -PassThru
    $SIDIdentity = $NewUser.SID
    # $NewUser.SID is already a [System.Security.Principal.SecurityIdentifier]
