Groups and permissions

I'm preparing a script where some local groups need to be created, then domain groups added to them. Also it'll create some folder structure and assign my local groups the right permissions. I thought that rather than hardcoding all that it would be better to make it more general, so if groups need to be changed or the folder structure modified it can be easily done. Hence I decided to use it as a good opportunity to learn to work with functions to extend my beginner's PS skills.

I started with creating text files with what will be needed later. So I have folders.txt, LocalG.txt, DomainG_A.txt and DomainG_B.txt, all put in variables:

###############################

$folders   = Get-Content .\folders.txt
$LocalG    = Get-Content .\LocalG.txt
$DomainG_A = Get-Content .\DomainG_A.txt
$DomainG_B = Get-Content .\DomainG_B.txt

#######  Functions   #################

# Test if folders exist and if not create them
Function TestFolders ($folders){
    foreach($folder in $folders){
        if((Test-Path $folder) -eq $False){
            New-Item -Path $folder -ItemType Directory -Force
        }
    }
}

# Remove all ACLs from existing folder structure in case it's incorrect
Function RemoveACL ($folder) {
    $acl = Get-Acl $folder
    # The method is SetAccessRuleProtection (not SetAclAccessRuleProtection) and only needs
    # calling once. ($True, $True) stops inheritance but keeps the inherited entries as explicit
    # copies once written, so those only disappear on a second pass; ($True, $False) drops them at once.
    $acl.SetAccessRuleProtection($True, $True)
    foreach($access in @($acl.Access)){   # @() snapshots the collection before we modify it
        $acl.RemoveAccessRuleAll($access)
    }
    Set-Acl $folder $acl
}

# Create Local Groups
Function AddLocalGroups ($Groups){
    foreach ($group in $Groups){
        $cn = [ADSI]("WinNT://$env:computername")
        $gp = $cn.Create("Group", "$group")
        $gp.SetInfo()
    }
}

# Here I would like adding domain groups A and B to some of my local groups
Function AddTo_A_Group ($AGroups){
    foreach($gp in $AGroups){
        $gr = $gp.Replace('\','/')   # as we will likely see domain\group format in the text file
        $objGroup = [ADSI]"WinNT://$gr"
        $objGroupA1 = [ADSI]("WinNT://Test Group 1 A")
        $objGroupA1.PSBase.Invoke('Add',$objGroup.PSBase.Path)
        $objGroupA2 = [ADSI]("WinNT://Test Group 2 A")
        $objGroupA2.PSBase.Invoke('Add',$objGroup.PSBase.Path)
    }
}

Function AddTo_B_Group ($BGroups){
    foreach($gp in $BGroups){
        $gr = $gp.Replace('\','/')
        $objGroup = [ADSI]"WinNT://$gr"
        $objGroupB1 = [ADSI]("WinNT://Test group 1 B")
        $objGroupB1.PSBase.Invoke('Add',$objGroup.PSBase.Path)
        $objGroupB2 = [ADSI]("WinNT://Test group 2 B")
        $objGroupB2.PSBase.Invoke('Add',$objGroup.PSBase.Path)
    }
}   # surely this can be done better

# To add a group and assign e.g. read and execute permissions
Function ModifyACL($folder,$group){
    $acl = Get-Acl $folder
    # The class is FileSystemAccessRule (there is no FileSystemRule). $group is a plain string
    # read from LocalG.txt, so it has no .Name property; the string itself is the account name.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $group,
        "ReadAndExecute",
        "ContainerInherit, ObjectInherit",
        "None",
        "Allow"
    )
    $acl.AddAccessRule($rule)
    Set-Acl $folder $acl
}

##################################

AddLocalGroups($LocalG)       # create local groups based on the contents of LocalG.txt
AddTo_A_Group($DomainG_A)     # add A domain groups to Local groups with A in their name
AddTo_B_Group($DomainG_B)     # add B domain groups to Local groups with B in their name

foreach ($folder in $folders){
    TestFolders($folder)      # test if folders exist and create as needed
    RemoveACL($folder)        # remove all current permissions
    foreach($group in $LocalG){
        if($group -match "A"){            # for all groups with A in their name
            ModifyACL $folder $group      # add group and give it R&E permissions
                                          # (ModifyACL($folder, $group) would pass a single array argument)
        }
    }
}

Running the above, local groups get created and this is as far as it gets :)

When the script gets to the AddTo_A_Group function it throws an exception calling Invoke with 2 arguments: Unknown name (0x80020006 (DISP_E_UNKNOWNNAME)) on my $objGroupA.PSBase.Invoke('Add',$objGroup.PSBase.Path)

Some help would be much appreciated.

March 25th, 2015 12:09pm
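For comparison, here is the same workflow written the way I would hand it to a junior admin. This is an added example, not the OP's script or anything from the thread; the local group "App Readers", the domain NetBIOS name CONTOSO and the folder C:\Shares\App are placeholders. It checks that every WinNT path actually binds before calling Add (a DirectoryEntry that did not bind exposes no IADsGroup methods, which is exactly what DISP_E_UNKNOWNNAME reports), makes membership idempotent, keeps SYSTEM and Administrators on the folder instead of wiping every ACE, and reads the ACL back to verify.

```powershell
# Added example, not the thread's script. Placeholder values: local group "App Readers",
# domain NetBIOS name CONTOSO, folder C:\Shares\App. Must run elevated on the target machine.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Test-WinNTObject {
    # True only if the WinNT path binds to an existing object. The ",group" class hint
    # in the caller's path prevents matching a user or computer with the same name.
    param([string]$Path)
    return [ADSI]::Exists($Path)
}

function New-LocalGroupIfMissing {
    param([string]$Name)
    if (Test-WinNTObject "WinNT://$env:COMPUTERNAME/$Name,group") { return }
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $group = $computer.Create('Group', $Name)
    $group.SetInfo()
}

function Add-DomainGroupToLocalGroup {
    # $Member is "DOMAIN\Group" exactly as it would appear in DomainG_A.txt.
    param([string]$LocalGroup, [string]$Member)
    $domain, $name = $Member -split '\\', 2
    if (-not $name) { throw "Expected DOMAIN\Group, got '$Member'" }
    $memberPath = "WinNT://$domain/$name,group"
    $localPath  = "WinNT://$env:COMPUTERNAME/$LocalGroup,group"
    # Both ends must resolve: an unbound DirectoryEntry exposes no IADsGroup 'Add',
    # which is what surfaces as the DISP_E_UNKNOWNNAME error in the thread.
    foreach ($p in $memberPath, $localPath) {
        if (-not (Test-WinNTObject $p)) { throw "ADSI object not found: $p" }
    }
    $local = [ADSI]$localPath
    if ($local.IsMember($memberPath)) { return }   # idempotent on re-runs
    $local.Add($memberPath)
}

function Set-FolderReadExecute {
    param([string]$Folder, [string]$Group)
    if (-not (Test-Path -LiteralPath $Folder)) {
        New-Item -Path $Folder -ItemType Directory -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Folder
    # Stop inheriting and drop inherited entries, then clear explicit ones except
    # SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544) so the folder stays manageable.
    $acl.SetAccessRuleProtection($true, $false)
    $keep = @('S-1-5-18', 'S-1-5-32-544')
    foreach ($ace in @($acl.Access)) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($keep -notcontains $sid) { [void]$acl.RemoveAccessRule($ace) }
    }
    $identity = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$Group")
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $identity,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl
    # Verify by reading back instead of trusting the write.
    $applied = (Get-Acl -LiteralPath $Folder).Access |
        Where-Object { $_.IdentityReference.Value -eq $identity.Value -and -not $_.IsInherited }
    if (-not $applied) { throw "ACL verification failed for $Group on $Folder" }
}

# Constructed inputs standing in for the thread's text files.
New-LocalGroupIfMissing -Name 'App Readers'
Add-DomainGroupToLocalGroup -LocalGroup 'App Readers' -Member 'CONTOSO\AppReadersA'
Set-FolderReadExecute -Folder 'C:\Shares\App' -Group 'App Readers'
```

Two design notes. The WinNT provider wants the NetBIOS domain name (CONTOSO), not the DNS name (contoso.net), in its paths. And on Windows PowerShell 5.1 or later the LocalAccounts module (New-LocalGroup, Add-LocalGroupMember -Group 'App Readers' -Member 'CONTOSO\AppReadersA') covers the group half with its own existence checks, leaving only the ACL part to write by hand.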

What is in this variable $objGroup.PSBase.Path?

You need to use LDAP paths and not others.

March 25th, 2015 3:10pm

Note that we do not call functions with parens:

AddTo_A_Group($DomainG_A)

should be:

AddTo_A_Group  $DomainG_A

It can cause issues.

March 25th, 2015 3:11pm

Place trace statements and look at what you are actually trying to add

Write-Host $objGroup.PSBase.Path -fore green

Once you see the value I think you will understand what you have done wrong.

March 25th, 2015 3:14pm

Yeah, PSBase is a sort of great unknown for me. I suppose I use [ADSI] as most similar code (including your neat one-liner :) ) uses it, presumably so as not to need a connection with any DC.

After adding a couple of Write-Hosts here and there I'm seeing that although the group name $gr looks correct (here contoso.net/GroupA1), in the next line $objGroup shows up as System.DirectoryServices.DirectoryEntry, and the same for $objGroupA1, where I was expecting to see contoso.net/GroupA and contoso/Test Group A 1. $objGroup.Path doesn't show anything but $objGroup.PSBase.Path shows System.DirectoryServices.DirectoryEntry again...

March 26th, 2015 9:17am

I didn't realise the group I want to add has to actually exist. Thought I can just make something up and it'll get added. How wrong was that... :) I did a couple of modifications starting with putting real domain groups in my DomainG_A.txt

then

$objGroupA1 = [ADSI]"WinNT://$env:computername/$gr"

$objGroupA1.Add("WinNT://$gr")

And this seems to work, so one step forward, still a lot to go :)

March 26th, 2015 5:06pm


Problem continues... Oh and actually in the reply above I meant the first line to be

$objGroupA1 = [ADSI]"WinNT://$env:computername/Test Group 1 A"   (not $gr)

Thing is, now I created different local groups in the same way as before, but now changing the group name to a slightly longer name in the statement above doesn't work. When I run the line and then call $objGroupA1 I'm getting ... "distinguishedname": The group name could not be found"...

yet when I remove the $env:computername it works... any ideas?

April 2nd, 2015 6:44am
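The "place trace statements" advice earlier in the thread and this last question both come down to one check: does the path you are about to call Add on bind to a group at all? The diagnostic below is an added example, not code from the thread; it reports, for each candidate path form, whether the object exists and what class it is. The group names are constructed placeholders.

```powershell
# Added diagnostic, not code from the thread. Run it before any Add call to see which
# path forms actually resolve on this machine; group names below are constructed placeholders.
function Get-WinNTBindInfo {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        $info = [ordered]@{ Path = $path; Exists = $false; Class = $null; Error = $null }
        try {
            $info.Exists = [ADSI]::Exists($path)
            if ($info.Exists) {
                # SchemaClassName is 'Group' for a real group. A path that binds to a
                # computer or domain instead has no IADsGroup 'Add' method, which is
                # what the Invoke call reports as DISP_E_UNKNOWNNAME.
                $info.Class = ([ADSI]$path).SchemaClassName
            }
        } catch {
            $info.Error = $_.Exception.Message
        }
        [pscustomobject]$info
    }
}

$local  = 'Test Group 1 A'      # placeholder local group name
$domain = 'CONTOSO\GroupA1'     # placeholder DOMAIN\Group line as read from DomainG_A.txt
$domainPath = 'WinNT://' + $domain.Replace('\', '/') + ',group'

Get-WinNTBindInfo -Paths @(
    "WinNT://$local",                             # no computer: parsed as a computer or domain name
    "WinNT://$env:COMPUTERNAME/$local",
    "WinNT://$env:COMPUTERNAME/$local,group",     # class hint: only match a group
    $domainPath
) | Format-Table -AutoSize
```

A row with Exists = True and Class = Group is the only form worth passing to Add; a row that exists but reports another class, or one that raises an error, explains an Unknown name or "group name could not be found" result without any guessing.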
