Boywhiz88
Sep 11, 2005

floating 26" off da ground. BURR!
Hello! I’m a total loving idiot who last programmed 20 years ago!

But! I’ve been exposed to enough powershell scripts at my job that I want to get elbow deep.

Right now, I’m trying to develop a script that will take a username, check against the first two characters, and then create a folder, modify its permissions, create a sub folder and then modify that subfolder’s inherited permissions.

Like I said, total idiot with no experience. So I’m trying to construct this step by step

I’ve started by defining $username via a Read-Host prompt. After which, a Switch command runs.

Depending on the first two characters, I want it to set a location, check against if a folder with $username exists already, and then create the folder if it doesn’t.

The switch is set for wildcard, and checks against those first two characters, it displays an acknowledgement and then runs the set location, followed by a test-path -path $username, then the NewItem command. I was going to have these be a per entry option for set-location.

I’m mostly checking to see if I’m on the right path or if I should be looking into a different function than switch, and if trying to change commands per input is the best path.

Thank you!


Boywhiz88
Sep 11, 2005

floating 26" off da ground. BURR!

Toshimo posted:

It's a maybe. You probably don't need Set-Location at all, but it doesn't hurt.

What are you doing with the switch, exactly? Like, what does checking the first 2 characters do?

It would probably be easiest if you just gave us a dummy name like "JDoe" and said like:

  1. Creates R:\JDoe
  2. Sets JDoe to have Full Control of R:\JDoe
  3. Creates R:\JDoe\Public
  4. Sets Authenticated Users to have Full Control on R:\JDoe\Public

Or whatever you are doing

For sure!

So the input is

$username = Read-Host -Prompt 'Provide username'
switch -wildcard ($username)

The first two letters correspond w/ the office. so AZJOND for an Arizona user, for example.

It sees the AZ* then it literally goes "This is an Arizona user"; $path = "C:\Test\AZ\$username"; test-path -path $path -isvalid; set-location 'C:\Test\AZ'; New-Item -Itemtype directory -path $username

The bold part is what I've been working on tonight. I want to be sure to validate the location ahead of time to avoid issues of overwriting, etc.

I've thought about maybe that the Test-Path occurs as part of the switch, which would then move forward if it's "False" and then break out into a standard script that would use a $path defined within the switch as well.

So it would look like This is an Arizona user, $path = " "; test-path -path $path -isvalid"

New-Item -ItemType Directory -path $path

THEN into the more standardized subfolders and permissions actions.

I also am not expecting anyone to do my homework, so if you would want to guide me towards certain cmdlets or concepts to look into, I'm down. I think I am doing ok with the logic of how I want things to work, but just working on syntax and understanding how variables, etc are referenced.

Edit: Re-reading the documentation and realizing isvalid doesn't do what I think it does haha. oops.

Boywhiz88 fucked around with this message at 03:06 on May 25, 2023

Boywhiz88
Sep 11, 2005

floating 26" off da ground. BURR!
Looking at everything, I think I might stick w/ a switch because we have 10 offices.

I'll pull $office as a substring of $username. The switch will pull the office path using $office. Test the path and then create if false.

I'll have to poke at it tonight when I'm back home, but this doesn't sound crazy right?

Ultimately, the path will be something along the lines of \\$office\STATIC FOLDER\$username

Once I can get this handled, then it's just a matter of then populating a subfolder w/ a static name, and then the part that I'm really dreading: automated permissions changes!!!

Starting with the $username folder, so that the subfolder inherits the permissions, then turning off and converting permissions, then removing a standard SG we have in our org.

Boywhiz88
Sep 11, 2005

floating 26" off da ground. BURR!
OK, we're making folders how we want them to be named, and where we want them to be!

Hurrah.

Now to get into permissions.

At this time, I'm hoping to have the $username folder inherit permissions, add PCNAME\$username (when introduced into work, it'll be DOMAIN\$username), and provide Modify writes.

Afterwards, it will generate a subfolder called PERSONAL. Turn off inheritance while keeping permissions, and removing a specific SG that we have at work.

I've got it adding the $username to the folder permissions (I set up a dummy user on my PC), but it doesn't successfully add the Modify "Allow" mark. I've tried it as this:

$ACL = Get-Acl $path
$perm = New-Object System.Security.AccessControl.FileSystemAccessRule("PCNAME\$username", "Modify", "Allow")
$ACL.SetAccessRule($perm)
$ACL | Set-ACL $path


Which is a copy&paste from pretty much everything you see on this. I've also tried it where it calls out inheritance/propagation w/ no difference. No fails when testing the script... just doesn't lock in the permissions.

Boywhiz88
Sep 11, 2005

floating 26" off da ground. BURR!
Even with the AddAccessRule, it's still not doing it. That being said, I'll try the inheritance and propagation flags, just in case. Also tried ISE as admin to see if that made a difference but alas...

sloshmonger posted:

Looks like you've got the right constructor for the $perm variable, but you're using the SetAccessRule method for $ACL. That will remove all access rules and just have the one you specify in it (https://learn.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.directorysecurity?view=net-7.0). If you want to add an additional permission on top of the parent permissions, use the AddAccessRule method.


Try this:
$ACL = Get-Acl $path
$perm = New-Object System.Security.AccessControl.FileSystemAccessRule("PCNAME\$username", "Modify", "Allow")
$ACL.AddAccessRule($perm)
$ACL | Set-ACL $path
$Subfolder = new-item -ItemType Directory -Name "PERSONAL" -path $Path #Creates a new subfolder and keeps it as a variable
$SubACL = $ACL.psobject.copy() #Creates a copy of the $acl variable while keeping the original
$SubACL.SetAccessRuleProtection($True, $True) #The first part says is this folder protected or not (opposite of inherited). The second is should the current acl be copied.
$BadPerm = New-Object System.Security.AccessControl.FileSystemAccessRule("PCNAME\GroupName", "Modify", "Allow") #Change this to be whatever the group you don't want inherited, and make sure the Permission level matches. There's a way to get this through scripting but if it's all the same this is faster
$SubACL.RemoveAccessRule($BadPerm) #Removes the group permission above
$SubACL | Set-ACL $Subfolder.FullName #And set it on the subfolder

Thank you for this! I'll probably end up replicating or copying this after i overcome whatever is going on w/ the original permissions.
Reading the AccessRuleProtection, you're saying that first $True value is saying no to inheritance (protected = true) but the 2nd $true is saying but bring these values along tho... we need them.

Is that a correct understanding of that function?


mllaneza posted:

I'm getting twitchy seeing a Switch construct used instead of a dictionary. Set the dictionary up with values of $office as keys, and folder names as values. This is both cleaner code, but when they open a new office you only have to add a key/value pair instead of adding a line to the switch.

Would that be looking at the hash tables example in this article? https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_hash_tables?view=powershell-7.3

Dictionaries seem a bit much for my needs from skimming through that article.

I really appreciate everyone's input here. It's a lot of fun for me to have an idea of how this might work, and be able to put one foot in front of the other and get that much further after stumbling.


EDIT: INHERITANCE FLAGS DID IT FOLKS. LET'S loving GOOOOOOOOOOOOOOOO

EDIT 2: Personal is turning off inheritance, preserving the rights, but won't remove the user that I have setup. Blergh! It even says "yeah I did it!" when running the script

Boywhiz88 fucked around with this message at 21:59 on Jun 5, 2023

Boywhiz88
Sep 11, 2005

floating 26" off da ground. BURR!
I'm still struggling w/ removing the one user w/ my script. If anyone has any insight, I'd appreciate it. I'm hoping to avoid the NTFSAccess as I'd like to keep it as pure Powershell as possible.

I've played around with method for removing, the syntax of what occurs when and no difference.

It'll turn off inheritance and keep the permissions, but it won't actually remove PCNAME\Username from the PERSONAL folder that gets created. It's quite annoying!

Thoughts?

Boywhiz88
Sep 11, 2005

floating 26" off da ground. BURR!

EoRaptor posted:

Is the user the owner? You can't remove access rights from the owner.

No, but we're good!

So, I had begun to think that maybe that removal wasn't happening so I tried other ways but was getting security exceptions. I wasn't sure so I backed away.

Brought it to a coworker who gave me the same code I had tried, but I checked against the error. So here's the back-half of the script!

#PERSONAL
$Subfolder = new-item -ItemType Directory -Name "PERSONAL" -path $Path
$SubACL = $ACL.psobject.copy()
$SubACL.SetAccessRuleProtection($True, $True)
$SubACL | Set-ACL $Subfolder.FullName

#Thank you CoC, sloshmonger
$SubACL = Get-Acl $Subfolder
$rules = $SubAcl.Access | Where { $_.IdentityReference -eq "MULE\Test" }
foreach($rule in $rules) {
    $SubAcl.RemoveAccessRule($rule)
}

# Perform the modification
(Get-Item $Subfolder).SetAccessControl($subacl)

#We've got a winner! JUICE BY TAPPY JUICE BY TAPPY


Thank you all! This is going to help make my life sooooooooo much easier. It's also showing me how this stuff works, and what I might be able to do!

So grateful for everyone's contributions. I knew there'd be one little thing to make the difference.
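
The steps worked out across this thread, gathered into one function as an added example (not code from any poster): office lookup by hashtable, a refusal to touch an existing folder, an added Modify rule with inheritance flags, and a PERSONAL subfolder whose ACL is read back from disk to confirm the unwanted identity is really gone. The function name New-UserFolder, the $OfficeRoot map, the paths and the identities are placeholders assumed for illustration.

```powershell
# Added example. $OfficeRoot, the paths and the identities are placeholders.
$OfficeRoot = @{ 'AZ' = 'C:\Test\AZ'; 'NM' = 'C:\Test\NM' }   # prefix -> root folder

function New-UserFolder {
    param(
        # Letters and digits only, so the name cannot carry '..\' or a drive prefix.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9]{3,20}$')][string]$UserName,
        [Parameter(Mandatory)][string]$UserIdentity,    # e.g. 'PCNAME\AZJOND'
        [Parameter(Mandatory)][string]$IdentityToRemove # stripped from PERSONAL
    )
    $office = $UserName.Substring(0, 2).ToUpper()
    if (-not $OfficeRoot.ContainsKey($office)) { throw "Unknown office prefix '$office'" }
    $path = Join-Path $OfficeRoot[$office] $UserName
    if (Test-Path -LiteralPath $path) { throw "Refusing to modify existing folder $path" }
    $folder = New-Item -ItemType Directory -Path $path

    # Add (not replace) a Modify ACE that flows down to subfolders and files.
    $acl  = Get-Acl -LiteralPath $folder.FullName
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $UserIdentity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $folder.FullName -AclObject $acl

    # PERSONAL: stop inheriting but keep copies of the inherited ACEs, and write that.
    $sub    = New-Item -ItemType Directory -Path (Join-Path $folder.FullName 'PERSONAL')
    $subAcl = Get-Acl -LiteralPath $sub.FullName
    $subAcl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $sub.FullName -AclObject $subAcl

    # Re-read: the copied ACEs are now explicit on PERSONAL and can be removed.
    $subAcl = Get-Acl -LiteralPath $sub.FullName
    $stale  = @($subAcl.Access | Where-Object { $_.IdentityReference.Value -eq $IdentityToRemove })
    foreach ($ace in $stale) { [void]$subAcl.RemoveAccessRule($ace) }
    Set-Acl -LiteralPath $sub.FullName -AclObject $subAcl

    # Verify from disk rather than trusting the in-memory object or a quiet exit.
    $check = Get-Acl -LiteralPath $sub.FullName
    if (-not $check.AreAccessRulesProtected) { throw "$($sub.FullName) still inherits" }
    if ($check.Access | Where-Object { $_.IdentityReference.Value -eq $IdentityToRemove }) {
        throw "$IdentityToRemove still has access to $($sub.FullName)"
    }
    $check.Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}
```

The returned rows show who ends up with access to PERSONAL and whether each entry is inherited, which is the record to keep when these folders are provisioned in bulk.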

Boywhiz88
Sep 11, 2005

floating 26" off da ground. BURR!
No idea, but when you see it like that, you can't help but think... there's gotta be a way.

I have what I think is an impossible ask:

I'm trying my damndest to find a process where I can import a CSV (preferably) with appointments filled out to an M365 Room Mailbox.

The idea here is that we have our standard holidays, and we want to book out our conference rooms. I'm hoping to automate in some way, vs my boss sending out manual invites/manually logging into each mailbox.

Thoughts or leads? Right now, I'm coming up short but I feel crazy because you think it would be possible.

EDIT: Realizing the EWS API isn't as deprecated as I might have thought... will consider that avenue because there's some stuff available. But I'm just surprised there's no way via EXO Powershell.


Boywhiz88
Sep 11, 2005

floating 26" off da ground. BURR!

sloshmonger posted:

You're going to have to do some work in the Graph API if you want to do that.
https://learn.microsoft.com/en-us/graph/api/calendar-post-events?view=graph-rest-1.0&tabs=http

Thank you for this! I can't believe I'm just seeing this! Between the holidays and just feeling defeated I never followed up.

I saw this because last night I was going to come in here with an inquiry... but then I had a moment of clarity and I figured it all out.

I've upgraded my one script to now use CSVs to setup the path and permissions. I also have created one for some Entra/Identity/Azure AD functionality w/ some Exchange stuff.

I'm so happy. We have an annual influx where these are going to come in so handy. I feel so accomplished!!!
