With Microsoft’s module ActiveDirectory, making a new user in Active Directory with PowerShell is trivial — with parameters to do just about everything. However, making a new user with roaming profile and home folders isn’t as easy. In this post, I’ll show how to automatically generate roaming profile and home folders for a new user with correct permissions.
The cmdlet New-ADUser from the ActiveDirectory module luckily supports the parameters -HomeDirectory, -HomeDrive and -ProfilePath — making our job here much easier. All we need to do is create the folders and assign the correct ACLs.
In this script, I’ll assume home folders and roaming profiles reside in \\Share\%username%.
Import-Module ActiveDirectory

# These could be set with parameters, defined from CSV, given through Read-Host etc.
$username  = "username"
$givenname = "givenname"
$surname   = "surname"
$name      = $givenname + " " + $surname
$mail      = "mail"
$OU        = "OU=Users,DC=domain,DC=local"

# Profile and home path ("Profile.V2" if client is Vista or newer, else "Profile")
# $profilePath is used rather than $profile, because $profile is a PowerShell automatic variable.
$profilePath = "\\Share\" + $username + "\Profile.V2"
$homedir     = "\\Share\" + $username + "\Home"

New-Item $profilePath -ItemType Directory -Force
New-Item $homedir -ItemType Directory -Force

# Identity used in the ACL; "DOMAIN\username" must be resolvable when the rule is applied below,
# so the account must exist (and have replicated to the DC you are talking to) before Set-Acl runs.
$domainUser = "DOMAIN\" + $username

# Creating user. The password is single-quoted: inside double quotes "$$" is expanded as an
# automatic variable and the password would not be what you typed.
New-ADUser -SamAccountName $username `
    -Name $name -DisplayName $name `
    -GivenName $givenname -Surname $surname `
    -AccountPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) `
    -ChangePasswordAtLogon $true `
    -EmailAddress $mail -Enabled $true `
    -UserPrincipalName $mail `
    -ProfilePath $profilePath -HomeDirectory $homedir -HomeDrive "H:" -Path $OU

# Create ACL entry: Full Control for the user on the folder itself and everything beneath it.
# PropagationFlags "None" (not "InheritOnly") so the rule also applies to the folder itself;
# with "InheritOnly" the user would get no rights on the top-level folder.
$FileSystemAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    ($domainUser, `
    [System.Security.AccessControl.FileSystemRights]"FullControl", `
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit", `
    [System.Security.AccessControl.PropagationFlags]"None", `
    [System.Security.AccessControl.AccessControlType]"Allow")

# Set ACL on profile and home path; each folder gets its own ACL object so inherited entries
# from one folder are not copied onto the other.
foreach ($path in $profilePath, $homedir) {
    $Access = Get-Acl $path
    $Access.AddAccessRule($FileSystemAccessRule)
    Set-Acl $path $Access
}
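Because an ACL mistake on a home or profile folder usually goes unnoticed until another user can read or write it, it helps to verify the result after provisioning. The function below is an added example, not part of the original post: it reads the user's HomeDirectory and ProfilePath attributes from AD, checks that the user has Full Control on each folder, and flags any broad principal (Everyone, BUILTIN\Users, Authenticated Users, Domain Users) that holds write access. The function name, the parameter names, the "DOMAIN" NetBIOS name and the \\Share layout are assumptions matching the script above.

```powershell
# Added verification example; assumes the folder layout and DOMAIN name used in the script above.
Import-Module ActiveDirectory

function Test-UserFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Username,
        [string]$Domain = "DOMAIN"          # NetBIOS domain name (assumption)
    )

    $user     = Get-ADUser -Identity $Username -Properties HomeDirectory, ProfilePath
    $identity = "$Domain\$Username"

    # Principals that should never hold write access on a personal folder
    $broad = @("Everyone", "BUILTIN\Users", "NT AUTHORITY\Authenticated Users", "$Domain\Domain Users")
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $write       = [System.Security.AccessControl.FileSystemRights]::Write

    foreach ($path in $user.ProfilePath, $user.HomeDirectory) {
        if (-not $path) { continue }      # attribute not set on the account

        $finding = [ordered]@{
            Path               = $path
            Exists             = Test-Path -Path $path
            UserHasFullControl = $false
            BroadWriteAccess   = @()
        }

        if ($finding.Exists) {
            $acl = Get-Acl -Path $path
            foreach ($ace in $acl.Access) {
                $id    = $ace.IdentityReference.Value
                $allow = $ace.AccessControlType -eq 'Allow'

                # Full Control for the owner of the folder, on the folder itself
                if ($allow -and $id -eq $identity -and
                    (($ace.FileSystemRights -band $fullControl) -eq $fullControl)) {
                    $finding.UserHasFullControl = $true
                }

                # Any write bit granted to a broad group is a misconfiguration worth reporting
                if ($allow -and ($broad -contains $id) -and
                    (($ace.FileSystemRights -band $write) -ne 0)) {
                    $finding.BroadWriteAccess += $id
                }
            }
        }
        [pscustomobject]$finding
    }
}

# Usage: one result object per folder; anything with UserHasFullControl = False or a
# non-empty BroadWriteAccess list needs attention.
Test-UserFolderAcl -Username "username" | Format-List
```

Run this right after the provisioning script, or over all users in the OU with Get-ADUser -Filter * piped into the function, to catch folders where the ACE was not applied (for example because the new account could not yet be resolved) or where inherited permissions from the share root are broader than intended.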
ACLs are a bit difficult to get right, but once we have it down like in this script, the future possibilities are endless. I’ll show how to extend this to Azure AD in a later post.