So I found a user on Microsoft Social that needed some help creating a Private folder in all users' home directories and applying special permissions on that folder.
So I reused some old blog entries about Using powershell and SIDs to change ACLs and Remove NTFS rights inheritance using Powershell and put together a small script.
#Get-ADUser comes from the ActiveDirectory module
Import-Module ActiveDirectory
#Get all users with home folders
$Users = Get-ADUser -Filter * -Properties homedirectory | ? {$_.homedirectory -ne $Null}
#Loop through all users
ForEach ($User in $Users)
{
    #Build the ACE for Domain Admins
    $ace1 = New-Object System.Security.AccessControl.FileSystemAccessRule ('file.local\Domain Admins', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    #Build the FullControl ACE for the user that is InheritOnly (applies to the folder's contents, not the folder itself)
    $ace2 = New-Object System.Security.AccessControl.FileSystemAccessRule ($User.SID, 'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
    #And an ACE for the user to read the Private folder itself
    $ace3 = New-Object System.Security.AccessControl.FileSystemAccessRule ($User.SID, 'ReadAndExecute', 'None', 'None', 'Allow')
    #Save the directory path to a variable
    $HomeFolder = ($User.homedirectory + '\Private')
    #Create the folder, do a Test-Path if you don't want a warning if it exists already.
    New-Item -Type Directory $HomeFolder | Out-Null
    #Read the ACL from the folder
    $acl = Get-Acl -Path $HomeFolder
    #Add the ACEs to the ACL
    $acl.AddAccessRule($ace1)
    $acl.AddAccessRule($ace2)
    $acl.AddAccessRule($ace3)
    #Remove the inheritance leaving only the new ACEs
    $acl.SetAccessRuleProtection($True, $False)
    #Set the ACL to the folder
    Set-Acl -Path $HomeFolder -AclObject $acl
}
This script will take all users with a home directory, create a Private folder, and then set the required rights.
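A read-only check that can be run afterwards to confirm each Private folder ended up with exactly the three ACEs and with inheritance disabled. This is an added example, not part of the original post; `Test-ExpectedAce` is a hypothetical helper name, and the check assumes the same `file.local\Domain Admins` group as the script above.

```powershell
# Added example (not from the original post): read-only audit of the Private folders
Import-Module ActiveDirectory

# Assumption: same admin group as in the script above
$AdminSid = (New-Object System.Security.Principal.NTAccount('file.local\Domain Admins')).Translate([System.Security.Principal.SecurityIdentifier]).Value
$Sync = [System.Security.AccessControl.FileSystemRights]::Synchronize

# Hypothetical helper: true if $Rules holds an Allow ACE with this SID, rights and flags.
# Synchronize is OR-ed into both sides because .NET adds it to Allow rules.
function Test-ExpectedAce($Rules, $Sid, $Rights, $Inherit, $Propagation)
{
    $Want = [System.Security.AccessControl.FileSystemRights]$Rights
    [bool]($Rules | ? {
        $_.IdentityReference.Value -eq $Sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -bor $Sync) -eq ($Want -bor $Sync) -and
        $_.InheritanceFlags -eq $Inherit -and
        $_.PropagationFlags -eq $Propagation
    })
}

$Users = Get-ADUser -Filter * -Properties homedirectory | ? {$_.homedirectory -ne $Null}
ForEach ($User in $Users)
{
    $HomeFolder = ($User.homedirectory + '\Private')
    $Problems = @()
    if (-not (Test-Path -Path $HomeFolder)) { $Problems += 'folder missing' }
    else
    {
        $acl = Get-Acl -Path $HomeFolder
        # Explicit and inherited ACEs, with identities returned as SIDs
        $Rules = @($acl.GetAccessRules($True, $True, [System.Security.Principal.SecurityIdentifier]))
        $Sid = $User.SID.Value
        if (-not $acl.AreAccessRulesProtected) { $Problems += 'inheritance still enabled' }
        if ($Rules.Count -ne 3) { $Problems += "expected 3 ACEs, found $($Rules.Count)" }
        if (-not (Test-ExpectedAce $Rules $AdminSid 'FullControl' 'ContainerInherit,ObjectInherit' 'None')) { $Problems += 'Domain Admins ACE missing' }
        if (-not (Test-ExpectedAce $Rules $Sid 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly')) { $Problems += 'user InheritOnly ACE missing' }
        if (-not (Test-ExpectedAce $Rules $Sid 'ReadAndExecute' 'None' 'None')) { $Problems += 'user read ACE on folder missing' }
    }
    $Result = if ($Problems) { $Problems -join '; ' } else { 'OK' }
    [pscustomobject]@{ User = $User.SamAccountName; Path = $HomeFolder; Result = $Result }
}
```

Anything other than `OK` in the Result column points to a folder where the script did not run cleanly or where the ACL was changed afterwards.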