This script sets the access list on all user home folders (each home folder is named after its user) located on the network share \\server\homeroot. The script performs the following tasks:

list the user home folders

check that each folder name exists as a user in AD

get the current access list

remove the Everyone / Full Control entry

add BUILTIN\Administrators with Full Control

add the user with the Modify right and make the user the owner of their own folder

The reference table of inheritance and propagation flags for the System.Security.AccessControl.FileSystemAccessRule object (the "Applies to" wording is the one shown in the Windows security dialog) is:

Applies to                           InheritanceFlags                   PropagationFlags
Subfolders and Files only            ContainerInherit, ObjectInherit    InheritOnly
This Folder, Subfolders and Files    ContainerInherit, ObjectInherit    None
This Folder, Subfolders and Files    ContainerInherit, ObjectInherit    NoPropagateInherit
This folder and subfolders           ContainerInherit                   None
Subfolders only                      ContainerInherit                   InheritOnly
This folder and files                ObjectInherit                      None
This folder and files                ObjectInherit                      NoPropagateInherit
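The flag pairs are easy to get wrong when typed by hand, so the following added example (not part of the original post) wraps the table in a helper that builds a FileSystemAccessRule from the "Applies to" wording. The function name and the -Scope labels are this example's own; it also adds the two standard rows the table does not list (ThisFolderOnly and FilesOnly). The account DOMAINNAME\jdoe in the usage lines is a constructed sample.

```powershell
# Added example, not from the original post: build a FileSystemAccessRule from the
# "Applies to" wording of the reference table instead of remembering the flag pairs.
# The function name and the -Scope labels are this example's own; the two extra rows
# (ThisFolderOnly, FilesOnly) are the standard pairs the table does not list.
function New-ScopedAccessRule {
    param(
        [Parameter(Mandatory)] [string]$Identity,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights]$Rights,
        [Parameter(Mandatory)]
        [ValidateSet('ThisFolderOnly', 'ThisFolderSubfoldersAndFiles', 'ThisFolderAndSubfolders',
                     'ThisFolderAndFiles', 'SubfoldersAndFilesOnly', 'SubfoldersOnly', 'FilesOnly')]
        [string]$Scope,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )

    # One row of the reference table per entry: InheritanceFlags, PropagationFlags.
    $flags = @{
        ThisFolderOnly               = @('None',                            'None')
        ThisFolderSubfoldersAndFiles = @('ContainerInherit, ObjectInherit', 'None')
        ThisFolderAndSubfolders      = @('ContainerInherit',                'None')
        ThisFolderAndFiles           = @('ObjectInherit',                   'None')
        SubfoldersAndFilesOnly       = @('ContainerInherit, ObjectInherit', 'InheritOnly')
        SubfoldersOnly               = @('ContainerInherit',                'InheritOnly')
        FilesOnly                    = @('ObjectInherit',                   'InheritOnly')
    }
    $inherit   = [System.Security.AccessControl.InheritanceFlags] $flags[$Scope][0]
    $propagate = [System.Security.AccessControl.PropagationFlags] $flags[$Scope][1]

    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Identity, $Rights, $inherit, $propagate, $Type
}

# The two rules the home-folder script adds, expressed with the table's wording.
# DOMAINNAME\jdoe is a constructed sample account; nothing is resolved until the rule is applied.
$adminRule = New-ScopedAccessRule -Identity 'Administrators'  -Rights FullControl -Scope ThisFolderSubfoldersAndFiles
$userRule  = New-ScopedAccessRule -Identity 'DOMAINNAME\jdoe' -Rights Modify      -Scope ThisFolderSubfoldersAndFiles
$adminRule, $userRule | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Because the scope names map one-to-one onto table rows, a reviewer reading a call such as -Scope SubfoldersOnly can tell at a glance what the entry will apply to, which is not true of a bare "ContainerInherit", "InheritOnly" pair.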

Script (with the Microsoft Active Directory module loaded: Import-Module ActiveDirectory):

$rootfolder = Get-ChildItem -Path \\server\homeroot | Where-Object { $_.PSIsContainer }
foreach ($userfolder in $rootfolder) {
    $userfolder.FullName
    # Only touch folders whose name is an existing AD account (Get-ADUser writes an error for unknown identities, so silence it)
    if (Get-ADUser -Identity $userfolder.Name -ErrorAction SilentlyContinue) {
        Get-Acl $userfolder.FullName | Format-List
        $acl_var = Get-Acl $userfolder.FullName
        # Stop inheriting from \\server\homeroot and discard the inherited entries
        $acl_var.SetAccessRuleProtection($True, $False)
        # Remove every explicit Everyone entry (RemoveAccessRuleAll matches on identity and Allow/Deny only, the rights and flags given here are ignored)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl_var.RemoveAccessRuleAll($rule)
        # BUILTIN\Administrators: Full Control on this folder, subfolders and files
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl_var.AddAccessRule($rule)
        # The user: Modify on this folder, subfolders and files
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userfolder.Name, "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl_var.AddAccessRule($rule)
        # Make the user the owner (assigning ownership to another account needs the Restore privilege, so run this as an administrator)
        $acct = New-Object System.Security.Principal.NTAccount("DOMAINNAME", $userfolder.Name)
        $acl_var.SetOwner($acct)
        Set-Acl $userfolder.FullName $acl_var
        Get-Acl $userfolder.FullName | Format-List
    }
}

Script (with the Quest Active Directory module loaded):

$rootfolder = Get-ChildItem -Path \\server\homeroot | Where-Object { $_.PSIsContainer }
foreach ($userfolder in $rootfolder) {
    $userfolder.FullName
    # Only touch folders whose name is an existing AD account
    if (Get-QADUser "DOMAINNAME\$($userfolder.Name)") {
        Get-Acl $userfolder.FullName | Format-List
        $acl_var = Get-Acl $userfolder.FullName
        # Stop inheriting from \\server\homeroot and discard the inherited entries
        $acl_var.SetAccessRuleProtection($True, $False)
        # Remove every explicit Everyone entry (RemoveAccessRuleAll matches on identity and Allow/Deny only, the rights and flags given here are ignored)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl_var.RemoveAccessRuleAll($rule)
        # BUILTIN\Administrators: Full Control on this folder, subfolders and files
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl_var.AddAccessRule($rule)
        # The user: Modify on this folder, subfolders and files
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userfolder.Name, "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
        $acl_var.AddAccessRule($rule)
        # Make the user the owner (assigning ownership to another account needs the Restore privilege, so run this as an administrator)
        $acct = New-Object System.Security.Principal.NTAccount("DOMAINNAME", $userfolder.Name)
        $acl_var.SetOwner($acct)
        Set-Acl $userfolder.FullName $acl_var
        Get-Acl $userfolder.FullName | Format-List
    }
}
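Once either script has run, the natural follow-up is to verify that every home folder actually ended up in the intended state and to catch the ones that did not (a folder with no matching account, a leftover Everyone entry, an owner that is not the user, or a user entry that grants more than Modify). The following added example, not part of the original post, is an audit function for exactly that. It assumes the Microsoft ActiveDirectory module is loaded and the same layout, \\server\homeroot\<username>; the function name is this example's own. It compares SIDs rather than account names so that deleted accounts (which show up as unresolvable SIDs) and renamed groups are still judged correctly.

```powershell
# Added example, not part of the original post: audit the home folders after the script has
# run and report every folder that deviates from the intended state. Assumes the
# ActiveDirectory module is loaded and the layout \\server\homeroot\<username>.
# Comparisons use SIDs rather than names so that deleted accounts (unresolvable SIDs)
# and renamed groups are still judged correctly.
function Test-HomeFolderAcl {
    [CmdletBinding()]
    param([string]$Path = '\\server\homeroot')

    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'       # Everyone
    $admins   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $modify   = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $full     = [int][System.Security.AccessControl.FileSystemRights]::FullControl

    foreach ($folder in Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer }) {
        $name = $folder.Name
        # -Filter returns nothing (and no error) when the account does not exist;
        # single quotes are doubled so a quote in the folder name cannot break the filter.
        $escaped = $name.Replace("'", "''")
        $adUser  = Get-ADUser -Filter "SamAccountName -eq '$escaped'"
        $acl     = Get-Acl -Path $folder.FullName
        # Explicit and inherited entries, with identities expressed as SIDs
        $aces    = $acl.GetAccessRules($true, $true, $sidType)
        $userSid = if ($adUser) { $adUser.SID } else { $null }

        $userAces  = @($aces | Where-Object { $userSid -and $_.IdentityReference -eq $userSid -and $_.AccessControlType -eq 'Allow' })
        $adminAces = @($aces | Where-Object { $_.IdentityReference -eq $admins -and $_.AccessControlType -eq 'Allow' })

        [pscustomobject]@{
            Folder               = $name
            AdUserExists         = [bool]$adUser
            InheritanceProtected = $acl.AreAccessRulesProtected
            # Any Allow entry for Everyone is a finding, whatever its rights or inheritance flags
            EveryoneHasAccess    = [bool]($aces | Where-Object { $_.IdentityReference -eq $everyone -and $_.AccessControlType -eq 'Allow' })
            AdminsFullControl    = [bool]($adminAces | Where-Object { ([int]$_.FileSystemRights -band $full) -eq $full })
            UserRights           = ($userAces | ForEach-Object { $_.FileSystemRights }) -join ', '
            # Bits outside Modify (TakeOwnership, ChangePermissions, ...) mean the user got more than intended
            UserExceedsModify    = [bool]($userAces | Where-Object { ([int]$_.FileSystemRights -band -bnot $modify) -ne 0 })
            OwnerIsUser          = ($null -ne $userSid) -and ($acl.GetOwner($sidType) -eq $userSid)
        }
    }
}

# Typical use: show only the folders that need attention.
Test-HomeFolderAcl |
    Where-Object { -not $_.AdUserExists -or -not $_.InheritanceProtected -or $_.EveryoneHasAccess -or
                   -not $_.AdminsFullControl -or -not $_.OwnerIsUser -or $_.UserExceedsModify } |
    Format-Table -AutoSize
```

Running the audit before the fix gives a baseline of how many folders still carry the Everyone entry; running it afterwards, and on a schedule, catches folders created later by a provisioning process that does not apply the same access list.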