New AD user with roaming profile and home folder

With Microsoft’s module ActiveDirectory, making a new user in Active Directory with PowerShell is trivial — with parameters to do just about everything. However, making a new user with roaming profile and home folders isn’t as easy. In this post, I’ll show how to automatically generate roaming profile and home folders for a new user with correct permissions.

The cmdlet New-ADUser from the ActiveDirectory module luckily supports the parameters -HomeDirectory, -HomeDrive and -ProfilePath, which makes our job here much easier. All we need to do is create the folders and assign the correct ACL.

In this script, I’ll assume home folders and roaming profiles reside in \\Share\%username%.

Import-Module ActiveDirectory

#These could be set with parameters, defined from CSV, given through Read-Host etc.
$username  = "username"
$givenname = "givenname"
$surname   = "surname"
$name      = $givenname + " " + $surname
$mail      = "mail"
$OU        = "OU=Users,DC=domain,DC=local"

#Profile and home path ("Profile.V2" if client is Vista or newer, else "Profile")
#Named $profilePath on purpose: $PROFILE is a PowerShell automatic variable and must not be overwritten
$profilePath = "\\Share\" + $username + "\Profile.V2"
$homedir     = "\\Share\" + $username + "\Home"
New-Item $profilePath -ItemType Directory -Force | Out-Null
New-Item $homedir -ItemType Directory -Force | Out-Null
#Domain-qualified account name, used below so the ACE resolves against the domain account, not a local one
$domainUser = "DOMAIN\" + $username

#Creating user
#Single quotes around the password: in a double-quoted string "$$" is expanded as an automatic variable,
#so "Pa$$w0rd" would not have been the literal password
New-ADUser -SamAccountName $username `
           -Name $name -DisplayName $name `
           -GivenName $givenname -Surname $surname `
           -AccountPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) `
           -ChangePasswordAtLogon $true `
           -EmailAddress $mail -Enabled $true `
           -UserPrincipalName $mail `
           -ProfilePath $profilePath -HomeDirectory $homedir -HomeDrive "H:" -Path $OU

#Create ACL: Full Control for the user on the folder itself and, through inheritance, on everything below it
#PropagationFlags "None" (not "InheritOnly"): InheritOnly would exclude the folder itself from the ACE,
#and the user needs access to the profile folder, not only to its children
$Access = Get-Acl $profilePath
$FileSystemAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $domainUser, `
    [System.Security.AccessControl.FileSystemRights]"FullControl", `
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit", `
    [System.Security.AccessControl.PropagationFlags]"None", `
    [System.Security.AccessControl.AccessControlType]"Allow"
$Access.AddAccessRule($FileSystemAccessRule)

#Set ACL to profile and home path
#If the new account has not yet replicated to the DC the file server uses, the identity will not resolve and Set-Acl fails
Set-Acl -Path $profilePath -AclObject $Access
Set-Acl -Path $homedir -AclObject $Access

ACLs are a bit difficult to get right, but once we have it down like in this script, the future possibilities are endless. I’ll show how to extend this to Azure AD in a later post.
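Because ACLs are easy to get subtly wrong (an ACE that is InheritOnly, for example, looks fine in the ACL editor but gives the user nothing on the folder itself), it is worth reading the ACL back after the script has run. The function below is an added check, not part of the original post: it verifies that the user's Allow ACE grants Full Control on the folder, its subfolders and its files, and reports any Allow ACE for broad groups that have no business on a per-user folder. The share, domain and user names are the same placeholders the script uses, and the list of broad principals is an assumption to adapt to your own environment.

```powershell
function Test-UserFolderAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,   # e.g. "DOMAIN\username"
        # Principals that should not hold an Allow ACE on a per-user folder (assumed list, adjust as needed)
        [string[]] $BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                         'NT AUTHORITY\Authenticated Users', 'DOMAIN\Domain Users')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Owner = $null
                                  UserHasFullControl = $false; BroadAllowRules = @() }
    }

    $acl   = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, identities translated to DOMAIN\name form
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    $fullControl      = [System.Security.AccessControl.FileSystemRights]::FullControl
    $containerInherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $objectInherit    = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $inheritOnly      = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # The user's ACE must be Allow + FullControl, inherit to subfolders and files,
    # and must NOT be InheritOnly, or the folder itself is excluded from the grant
    $userRule = $rules | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.HasFlag($fullControl) -and
        $_.InheritanceFlags.HasFlag($containerInherit) -and
        $_.InheritanceFlags.HasFlag($objectInherit) -and
        -not $_.PropagationFlags.HasFlag($inheritOnly)
    }

    # Any Allow ACE for a broad group means other users can reach this profile or home folder
    $broad = $rules |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Path               = $Path
        Exists             = $true
        Owner              = $acl.Owner
        UserHasFullControl = [bool] $userRule
        BroadAllowRules    = @($broad)
    }
}

# Usage: check both folders the script created (placeholder share, domain and user, as in the script)
$user    = 'username'
$results = foreach ($folder in "\\Share\$user\Profile.V2", "\\Share\$user\Home") {
    Test-UserFolderAcl -Path $folder -Identity "DOMAIN\$user"
}
$results | Format-Table Path, Exists, Owner, UserHasFullControl, BroadAllowRules -AutoSize
```

A folder that reports UserHasFullControl as False right after the script ran usually means either the ACE was written as InheritOnly or the identity did not resolve because the new account had not replicated yet; a non-empty BroadAllowRules list points at inheritance from the parent share that should be broken or tightened before users start storing data there.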

3 thoughts on “New AD user with roaming profile and home folder”

  1. Danny says:

    Exactly what I was looking for – awesome!

    Thanks for sharing!

    PS: The thing I don't understand is: what's this line for?
    $domainUser = “DOMAIN\” + $username
    The variable $domainUser is nowhere used, or am I wrong?

    • someguy says:

      on line 25 “-UserPrincipalName $mail `” this will cause a UPN error if you do not change that to something unique. Something like $domainuser

  2. someguy says:

    on line 25 “-UserPrincipalName $mail `” this will cause a UPN error if you do not change that to something unique.
