The scripts grant full access permissions over the home folder of the target user account.
Script 1: Manager and additional delegates
The script grants the permissions to the user's manager and other delegates whose usernames (sAMAccountNames) are specified in a text property. The usernames must be specified as a comma-separated list, for example: jdoe, bstephens, jburns. To execute the script, create a business rule, custom command or scheduled task configured for the User object type.
In the script, the $additionalDelegatesPropertyName variable specifies the LDAP name of the property storing the list of additional delegates.
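$additionalDelegatesPropertyName = "adm-CustomAttributeText1" # TODO: modify me

# Resolve the target user's home directory. A user without one cannot be
# processed, so the script stops here with a warning.
try
{
    $userShare = $Context.TargetObject.Get("homeDirectory")
}
catch
{
    $Context.LogMessage("The user does not have a home directory.", "Warning") # TODO: modify me
    return
}

# Resolve the DN of the user's manager. The manager is always granted access,
# so a user without a manager also stops the script.
try
{
    $managerDN = $Context.TargetObject.Get("manager")
}
catch
{
    $Context.LogMessage("The user does not have a manager assigned in AD.", "Warning") # TODO: modify me
    return
}

# Read the optional list of additional delegates (comma-separated sAMAccountNames).
# Empty entries (for example from a trailing comma in "jdoe,") are dropped so
# that no access rule is attempted for a blank account name.
# NOTE(review): whoever can write this attribute can grant FullControl over the
# home folder to any account name they choose; restrict write access to it.
try
{
    $rawDelegates = $Context.TargetObject.Get($additionalDelegatesPropertyName) # TODO: modify me
    $userNames = $rawDelegates.Split(",", [System.StringSplitOptions]::RemoveEmptyEntries)
}
catch
{
    # Property not set on the user: only the manager receives access.
    $userNames = $NULL
}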
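# Grants FullControl over $userShare to one account, inheriting to all child
# folders and files. Failures are logged as warnings and do not stop the
# script, so one bad entry does not prevent the remaining grants.
# Globals:   $Context (read) - Adaxes script context, used for logging
# Arguments: $userName   - sAMAccountName of the account to grant
#            $domainName - domain the account belongs to
#            $userShare  - path of the home folder
# Returns:   nothing
function SetFullControlPermission($userName, $domainName, $userShare)
{
    $rights = [System.Security.AccessControl.FileSystemRights]"FullControl"
    $account = New-Object System.Security.Principal.NTAccount($domainName, $userName)
    # ContainerInherit + ObjectInherit: the rule applies to the folder itself
    # and propagates to everything created below it.
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, $rights, "ContainerInherit, ObjectInherit", "None", "Allow")
    try
    {
        # -LiteralPath: the home folder path is used verbatim, so characters
        # such as '[' and ']' are not interpreted as wildcards.
        # -ErrorAction Stop: the cmdlets' non-terminating errors become
        # exceptions, so the catch below actually sees a failed Get/Set-ACL.
        $acl = Get-ACL -LiteralPath $userShare -ErrorAction Stop
        $acl.AddAccessRule($accessRule)
        Set-ACL -LiteralPath $userShare -AclObject $acl -ErrorAction Stop
    }
    catch
    {
        $Context.LogMessage("An error occurred while adding the permissions for user '$userName'. Error: " + $_.Exception.Message, "Warning")
    }
}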
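# Domain of the target user. Delegates are given by sAMAccountName only, so
# they are resolved in this domain.
$domainName = $Context.GetObjectDomain("%distinguishedName%")

# Resolve the manager's account name and, because the manager may live in a
# different domain than the user, the manager's own domain from its DN.
$manager = $Context.BindToObjectByDN($managerDN)
$managerName = $manager.Get("sAMAccountName")
$managerDomainName = $Context.GetObjectDomain($managerDN)

# Grant the manager full access to the home folder.
SetFullControlPermission $managerName $managerDomainName $userShare

# Grant the additional delegates full access. Blank entries (a trailing comma
# or a whitespace-only item) are skipped instead of producing a failed rule
# for an empty account name. "$NULL -ne ..." keeps the comparison scalar even
# when $userNames is an array.
if ($NULL -ne $userNames)
{
    foreach ($userName in $userNames)
    {
        $trimmedName = $userName.Trim()
        if ($trimmedName -eq "") { continue }
        SetFullControlPermission $trimmedName $domainName $userShare
    }
}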
Script 2: Delegate specified in a parameter
The script grants full access permissions to the account specified in a custom command parameter. The parameter must be of the AD object picker type. Additionally, the script emails the delegate about gaining the permissions. If the delegate has no email address specified, the notification is sent to the initiator instead.
Parameters:
- $delegateParameterName - Specifies the name of the parameter used to specify the delegate, including the param- prefix.
- $subject - Specifies the email notification subject.
- $messageTemplate - Specifies a template for the email notification. In the template, the {0} placeholder will be replaced with the name of the delegate gaining the permissions.
# Name of the custom command parameter (AD object picker) holding the delegate,
# including the "param-" prefix.
$delegateParameterName = 'param-delegate' # TODO: modify me
# Subject of the notification sent to the delegate (or the initiator).
$subject = 'Grant permissions over home folder' # TODO: modify me
# Notification body; {0} is replaced with the delegate's name, %name% by Adaxes
# with the target user's name.
$messageTemplate = 'Full access permissions were granted to user {0} over home folder of user %name%.' # TODO: modify me
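# Grants FullControl over $userFolderPath to the account identified by $sid,
# inheriting to all child folders and files. Get-ACL/Set-ACL failures are
# raised as terminating errors so that a failed ACL change aborts the script
# instead of letting it continue (and notify) as if the grant had succeeded.
# Arguments: $sid            - SecurityIdentifier of the delegate
#            $userFolderPath - path of the home folder
# Returns:   nothing
function SetFullControlPermission($sid, $userFolderPath)
{
    # -LiteralPath: the path is used verbatim; '[' and ']' are not wildcards.
    $acl = Get-ACL -LiteralPath $userFolderPath -ErrorAction Stop
    # ContainerInherit + ObjectInherit: applies to the folder and everything below it.
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($accessRule)
    Set-ACL -LiteralPath $userFolderPath -AclObject $acl -ErrorAction Stop
}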
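# Resolve the target user's home directory; without one there is nothing to
# grant, so stop with a warning.
try
{
    $userShare = $Context.TargetObject.Get("homeDirectory")
}
catch
{
    $Context.LogMessage("The user does not have a home directory.", "Warning") # TODO: modify me
    return
}

# Resolve the delegate chosen in the custom command parameter. An unset
# parameter is reported here instead of being passed to BindToObjectByDN.
$delegateDN = $Context.GetParameterValue($delegateParameterName)
if ([System.String]::IsNullOrEmpty($delegateDN))
{
    $Context.LogMessage("No delegate was specified in parameter '$delegateParameterName'.", "Warning")
    return
}
$delegate = $Context.BindToObjectByDN($delegateDN)

# The access rule is built from the delegate's SID rather than its name, so the
# grant does not depend on name resolution at the time Set-ACL runs.
$delegateSidBinary = $delegate.Get("objectSid")
$delegateSid = New-Object System.Security.Principal.SecurityIdentifier($delegateSidBinary, 0)
$delegateName = $delegate.Get("name")

# Notification recipient: the delegate's mail attribute, falling back to the
# initiator of the operation when the delegate has no address.
try
{
    $recipientEmail = $delegate.Get("mail")
}
catch
{
    $recipientEmail = "%adm-InitiatorEmail%"
}

# Apply the permission. NOTE(review): the notification below is sent simply
# because execution reaches it; this relies on SetFullControlPermission raising
# a terminating error when the ACL change fails — confirm, otherwise a delegate
# may be told access was granted when it was not.
SetFullControlPermission $delegateSid $userShare

# Send the notification; {0} in the template is the delegate's name.
$message = [System.String]::Format($messageTemplate, @($delegateName))
if ([System.String]::IsNullOrEmpty($recipientEmail))
{
    $Context.LogMessage("Neither the delegate nor the initiator has an email address specified.", "Information")
    return
}
$Context.SendMail($recipientEmail, $subject, $message, $NULL)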