Scenario A:
- User is created with username: mercadod and SID: 'S-1-5-036-054...'
- User leaves the organization and is deleted.
- User is recreated with the same username: mercadod and a different unique SID: 'S-1-994-134...'
- The fileserver 'My Documents' folder for mercadod is not owned by the new mercadod, causing serious logon issues.
Scenario B:
- Old files without inheritance that do not propagate parent folder permissions as intended.
Scenario C:
- Jr. Sysadmin accidentally replaces the owner of all user "My Documents" folders, sub-folders, and objects.
A script to recursively search for and fix improper ownership / access control on the fileserver, based on comparing each folder name with Active Directory. It also removes orphaned folders (no matching user in Active Directory) that exceed X days since last modification.
- LogPath --- location to save temp log files
- DriveLetter --- drive letter to map the fileshare folder to (avoiding the NTFS 260+ character path limit)
- RootDir --- location of the fileserver user root directory
- AgeLimit --- maximum age, in days, for orphaned folders (no matching username in Active Directory)
- Username --- username for fileshare mapping
- Password --- password for fileshare mapping
Example:

```powershell
Repair-Fileshare -LogPath "C:\temp" -DriveLetter "F" -RootDir "\\fileshare\user\students" -AgeLimit "180" -Username "username" -Password "123457"
```
Sample log output:

```text
[SUCCESS]: DOMAIN\username1 has proper ownership of their folder.
Replacing access rules + owner for all objects in DOMAIN\username2 directory
[ERROR]: DOMAIN\username3 does not exist in Active Directory.
[SUCCESS]: \\fileshare\user\students\username3 was removed successfully. Total size: 140MB
```
Get-FolderItem function (used for paths exceeding the 260-character limit)
```powershell
# Run the repair against several user root directories in turn
$root1 = "\\fileserver\user\acad\student"
$root2 = "\\fileserver\user\acad\teacher"
$root3 = "\\fileserver\user\admin"
$rootlist = @($root1, $root2, $root3)
foreach ($root in $rootlist) {
    Repair-Fileshare -LogPath "C:\temp" -RootDir $root -DriveLetter "F" -Username "username" -Password "password" -AgeLimit "180"
}
```
[DOWNLOAD LINK FOR FUNCTION]
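The following is an added example of the core repair loop the three scenarios call for; it is not the author's Repair-Fileshare function. It assumes the ActiveDirectory module, an elevated session with rights on the share, and folders named after each user's SamAccountName directly under -RootDir; the function name, -Domain and -AdminPrincipal are hypothetical. It compares owner SIDs rather than names (scenario A), re-enables inheritance on child items (scenario B), grants admins an access control entry instead of taking ownership (scenario C), and honours -WhatIf.

```powershell
function Repair-UserFolderAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $RootDir,
        [int] $AgeLimit = 180,
        [string] $Domain = $env:USERDOMAIN,
        # Admins get an inheritable ACE; they never take ownership (the scenario C lesson).
        [string] $AdminPrincipal = "$env:USERDOMAIN\Domain Admins"
    )
    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($folder in Get-ChildItem -LiteralPath $RootDir -Directory) {
        $name = $folder.Name
        $user = Get-ADUser -Filter "SamAccountName -eq '$name'"
        if (-not $user) {
            # Orphan: no matching account. Remove it only once it is older than AgeLimit days.
            Write-Output "[ERROR]: $Domain\$name does not exist in Active Directory."
            $days = [int]((Get-Date) - $folder.LastWriteTime).TotalDays
            if ($days -gt $AgeLimit -and $PSCmdlet.ShouldProcess($folder.FullName, "Remove orphan ($days days old)")) {
                Remove-Item -LiteralPath $folder.FullName -Recurse -Force
            }
            continue
        }
        $acl = Get-Acl -LiteralPath $folder.FullName
        # Compare SIDs, not names: a recreated account keeps its name but gets a new SID (scenario A).
        if ($acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value -eq $user.SID.Value) {
            Write-Output "[SUCCESS]: $Domain\$name has proper ownership of their folder."
            continue
        }
        if (-not $PSCmdlet.ShouldProcess($folder.FullName, "Reset owner and ACL for $Domain\$name")) { continue }
        Write-Output "Replacing access rules + owner for all objects in $Domain\$name directory"
        $account = [System.Security.Principal.NTAccount] "$Domain\$name"
        $acl.SetOwner($account)   # SetAccessRule below replaces any existing rules for that identity
        $acl.SetAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($account, $full, $inherit, 'None', 'Allow'))
        $acl.SetAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($AdminPrincipal, $full, $inherit, 'None', 'Allow'))
        Set-Acl -LiteralPath $folder.FullName -AclObject $acl
        # Children: hand ownership to the user and re-enable inheritance so items created without it
        # (scenario B) pick up the parent's rules. Access-denied items are logged, not fatal.
        foreach ($item in Get-ChildItem -LiteralPath $folder.FullName -Recurse -Force) {
            try {
                $childAcl = Get-Acl -LiteralPath $item.FullName
                $childAcl.SetOwner($account)
                $childAcl.SetAccessRuleProtection($false, $true)
                Set-Acl -LiteralPath $item.FullName -AclObject $childAcl
            } catch {
                Write-Output "[ERROR]: $($item.FullName): $($_.Exception.Message)"
            }
        }
    }
}
```

Run it first with `-WhatIf` to see which folders would be removed or re-owned before letting it write anything.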
Initially, I was confronted with [SCENARIO A] (some users were having 15-minute logons because the %USERNAME% folder they were mapping to was owned by a different SID) and decided to design a PowerShell script that would compare the folder name (based on the %USERNAME% variable) with Active Directory users and remove orphaned folders that were X number of days old (in my case, 90 days).
My script was working as intended on my test workstation, but when it was applied to the fileserver I ran into issues with [SCENARIO B]. After becoming frustrated with the number of "access denied" errors I was receiving on certain files, I decided to investigate. Most of my issues were the result of either files created without inheritance (and therefore not propagating the parent folder's Domain Admin access permissions) or other permission conflicts.
I managed to manufacture a much larger problem for myself ([SCENARIO C]) by setting the owner on all containers, subcontainers, and objects to the local "Administrators" group. The intention was to eliminate permission issues, but the right approach would have been adding an "Access control" entry with Full Control for a specific user/group, as opposed to changing ownership. The intense level of regret after realizing that all access permissions had been dropped from all user folders after changing ownership was enough to make me want to restore from backup.
Sometimes, life gives you lemons to see if you can make lemonade! My horrible mistake proved to be a wonderful learning experience. I learned a considerable deal about NTFS folder permissions and the wonders of PowerShell!
I have a scheduled task that runs this function once a week and sends an email report with any error results (access denied, NTFS character limit, etc.) along with the results log file.
Another problem solved with PowerShell automation :)