The script updates the permissions on the target user's home folder so that only the user's own full-access entry and the inherited permissions remain; every other explicit entry is removed. To execute the script, create a custom command, business rule or scheduled task configured for the User object type.
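# Rewrites the ACL of the target user's home folder so that the only explicit
# (non-inherited) access rule left is an Allow/FullControl entry for the user.
# Inherited rules are never touched: GetAccessRules is called with
# includeInherited = $false, so only explicit entries are enumerated and removed.
# Expects the script context to expose $Context.TargetObject (the user object)
# and $Context.LogMessage(message, type).

# Resolve the home folder. If the attribute cannot be read or is empty there is
# nothing to fix, so leave silently (Get-Acl would otherwise fail on a null path).
try
{
    $folderPath = $Context.TargetObject.Get("homeDirectory")
}
catch
{
    return
}
if ([string]::IsNullOrWhiteSpace($folderPath))
{
    return
}

# The user's SID, built from the binary objectSid attribute starting at offset 0.
$userSidBinary = $Context.TargetObject.Get("objectSid")
$userSid = New-Object System.Security.Principal.SecurityIdentifier($userSidBinary, 0)

# Read the current ACL. -ErrorAction Stop turns a missing or inaccessible folder
# into an exception here instead of leaving $aclObject $null and failing later
# with a less useful message.
try
{
    $aclObject = Get-Acl -Path $folderPath -ErrorAction Stop
}
catch
{
    $Context.LogMessage("An error occurred while reading folder permissions. Error: " + $_.Exception.Message, "Error")
    return
}

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# Explicit rules only ($includeInherited = $false), with identities returned as
# SIDs so they compare directly against $userSid without name resolution.
$rules = $aclObject.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])

$addRuleForUser = $True
foreach ($rule in $rules)
{
    # Any explicit entry for a principal other than the user is dropped.
    if ($rule.IdentityReference -ne $userSid)
    {
        [void]$aclObject.RemoveAccessRule($rule)
        continue
    }
    # An explicit Deny for the user is not "full access" and would override the
    # Allow rule added below, so it is removed rather than counted as satisfying
    # the check; log it so the change is visible to an operator.
    if ($rule.AccessControlType -ne $allow)
    {
        $Context.LogMessage("Removed an explicit " + $rule.AccessControlType + " entry for the user from " + $folderPath, "Warning")
        [void]$aclObject.RemoveAccessRule($rule)
        continue
    }
    # An existing Allow/FullControl rule for the user is kept as-is; other Allow
    # rights for the user are left alone because they are a subset of FullControl.
    if ($rule.FileSystemRights.HasFlag($fullControl))
    {
        $addRuleForUser = $False
    }
}

if ($addRuleForUser)
{
    # Inheritable Allow/FullControl for the user; propagation "None" means the
    # rule applies to this folder as well as to its children.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSid, $fullControl, "ContainerInherit,ObjectInherit", "None", "Allow")
    $aclObject.AddAccessRule($rule)
}

try
{
    Set-Acl -Path $folderPath -AclObject $aclObject -ErrorAction Stop
}
catch
{
    $Context.LogMessage("An error occurred while updating folder permissions. Error: " + $_.Exception.Message, "Error")
}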