0 votes

Hello all,

I'm working on adding a folder creation step to one of our scripts which executes after account creation. When I run the commandlets themselves in PowerShell, they process properly, but when I run them via Adaxes I get an error that 'You must provide a value expression on the right-hand side of the '+' operator' when trying to execute my ICACLS.exe command to create the folder and set the permissions on it.

I know the syntax for the icacls.exe command is correct as it works when run manually in PowerShell, but I'm assuming I need to adjust the syntax somehow for Adaxes, or do some other step to allow Adaxes to handle execution of an external command? Perhaps the reference variables need to be named differently?

Any help would be appreciated.

Here's a snippet of the script:

$newPath = "\\server\share$\staff\" + %username%
New-Item $newPath -type directory

#Defining access rights
$UserandPerms = "domain\" + %username% + ":(OI)(CI)(M)"
icacls.exe $newPath /grant $UserandPerms

by (190 points)
0

I'm going to bump this up for you, I was looking to do something similar!

0

I found this, while trying to make my script, if it helps you at all.

Running icacls under PowerShell
The options for icacls do not always run easily under PowerShell, but they can be made to work by setting a few variables and then executing with Invoke-Expression to expand all the variables:

#set PS variables for each of the icacls options
$Path = "c:\demo"   #The path must be the first thing passed to icacls
$Grant = "/grant:r"
$Remove = "/remove"
$replaceInherit = "/inheritance:r"
$permission = ":(OI)(CI)(F)"
$useraccount1 = "ss64dom\simon"
$useraccount2 = "administrators"

#run icacls using invoke Expression
Invoke-Expression -Command ('icacls $Path $replaceInherit $Grant "${useraccount1}${permission}"')
0

Ok, I just finished testing my script in Adaxes, and I use the ICACLS as well, and it worked. Hope this helps.

#Copy Home folder from Template
$user = "%samAccountName%"
$src = "\\servername\Home\Template"
$dst = "\\servername\Home\" + $user

Get-ChildItem $src | Copy-Item -Destination $dst -Force

# This turns off inherited permissions from the top level folder {Need this if you want to remove any inherited perms}
$acl = Get-ACL -Path $dst
$acl.SetAccessRuleProtection($True, $True)
Set-Acl -Path $dst -AclObject $acl

# This removes the permission from the folder 
ICACLS ("$dst") /remove:g:d "Everyone"
ICACLS ("$dst") /remove:g:d "Someuser"
ICACLS ("$dst") /remove:g:d "Adaxes User"
0

Yes, I was able to get this to work using your method. I don't really understand why my syntax doesn't work, I'm guessing it's something about how the variables are passed vs how they're structured when I run it straight in PowerShell, but it's working regardless. Thanks for your help!

0

No problem! Helped me do what I've been looking to do as well!

0

I found that using ICACLS does the job, but when you look at the permissions on the folder, they are all listed as "Special Permissions". Functionally sufficient, but somewhat annoying if you have Help desk folks just checking to see if someone has rights.
I found that using the cmdlets in PowerShell actually listed the rights properly after execution. Figure I'd include what I found, and what I'm using. This is assuming you're creating the User's folder directly at the \\server\share path.

$acl = Get-Acl \\SERVER\SHARE\%username%
$acl.SetAccessRuleProtection($True, $False)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("ADMINISTRATORS","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("HELPDESK","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DOMAIN\%username%","Read,Write,Delete,Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl \\SERVER\SHARE\%username% $acl
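
The error in the question is consistent with how Adaxes handles value references: %username% is replaced with the property value in the script text before PowerShell parses it, so an unquoted reference leaves a bare word after the + operator, while the quoted form used in the working reply ($user = "%samAccountName%") stays a string. The following is an added example, not code from the thread or from Adaxes; the function name New-UserHomeFolder, the account-name pattern and the server, share and domain values are assumptions.

```powershell
# Added example (not from the thread). Share, domain and the name pattern are assumptions.
function New-UserHomeFolder {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [Parameter(Mandatory = $true)][string]$Root,
        [Parameter(Mandatory = $true)][string]$Domain
    )

    # The name becomes a path segment and part of an ACL entry, so accept only
    # a plain account name: no separators, wildcards, quotes or leading dots.
    if ($UserName -notmatch '^[A-Za-z0-9](?:[A-Za-z0-9._-]{0,18}[A-Za-z0-9])?$') {
        throw "Refusing unexpected account name: '$UserName'"
    }

    $path = Join-Path -Path $Root -ChildPath $UserName
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -ItemType Directory -ErrorAction Stop | Out-Null
    }

    # One string per icacls argument, passed as variables: no Invoke-Expression
    # and nothing for the parser to re-interpret.
    $grant = '{0}\{1}:(OI)(CI)(M)' -f $Domain, $UserName
    & icacls.exe $path /grant $grant | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls.exe exited with code $LASTEXITCODE for '$path'"
    }

    # Read the ACL back so the run log shows what was actually granted.
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$UserName" } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
}

# In an Adaxes script the value reference goes inside quotes, as a string literal:
#   New-UserHomeFolder -UserName "%username%" -Root '\\server\share$\staff' -Domain 'domain'

# Constructed local run for trying the function outside Adaxes:
New-UserHomeFolder -UserName $env:USERNAME -Root $env:TEMP -Domain $env:USERDOMAIN
```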
