Configure Home Directory for AD Users with PowerShell

  • by

Steps to configure Home Directory for AD Users with PowerShell

Preparation of Share Folder with Share & NTFS Permission

  1. Create a Folder called HOME in File Server with Allow Full Access Share Permission for Lab\Domain Users
New-Item -Path "C:\HOME" -ItemType Directory 
New-SmbShare -Name "HOME" -Path "C:\HOME" -FullAccess "Lab\Domain Users"

  1. Block the Inheritance permission from parent folder, and remove all the existing users’ permission
$acl = Get-Acl \\192.168.1.180\HOME
#First Parameter - To block Inheritance from the parent folder
#Second Parameter - $False = To Remove all existing Folder Permission , $True = To Retain
$acl.SetAccessRuleProtection($true,$false)
$acl | Set-Acl \\192.168.1.180\HOME
  1. Manually assign permission to Administrators, Creator Owner, SYSTEM, and Users
#Permission for CREATOR OWNER
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("CREATOR OWNER","FullControl", "ContainerInherit, ObjectInherit", "InheritOnly", "Allow")
$acl.SetAccessRule($AccessRule)

#Permission for Administrators
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "InheritOnly", "Allow")
$acl.SetAccessRule($AccessRule)

#Permission for SYSTEM
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.SetAccessRule($AccessRule)

#Permission for Users
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Users","CreateFiles, AppendData, ReadAndExecute, Synchronize", "None", "None", "Allow")
$acl.SetAccessRule($AccessRule)

#Apply NTFS permission to folder
$acl | Set-Acl \\192.168.1.180\HOME
  1. Select Administrators and change Applies to This Folder, subFolders and Files

Final Configuration of NTFS Security Permission for C:\HOME or \192.168.1.180\HOME

Configuration of Home Folder for individual user

  1. Configure HOME Folder for User
$User = "UAT2"
$ShareDrive = "\\192.168.1.180\HOME\"

#Home folder H: is pointing to \\192.168.1.180\HOME
Set-ADUser -Identity $User -HomeDirectory ($ShareDrive + $User) -HomeDrive "H:" 

We have to manually assign the NTFS permission for the users’ home folder, else users are NOT able to map to their home drive when they login

#Manually provision the users' home folder 
New-Item -ItemType directory -Path $ShareDrive -Name $User

#Get the exiting ACL 
$acl = Get-Acl ($ShareDrive + $User)

#Assign Domain\$user to have full access to thier individual folder
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("lab\$user","FullControl","Allow")
$acl.SetAccessRule($AccessRule)

#Apply the folder permission 
$acl | set-acl ($ShareDrive + $User)
  1. H drive will be mapped to \192.168.1.180\Username , and users (UAT1) will be blocked from accessing other users’ folder via Share UNC path