August 28, 2001 12:00 AM

Create Home Directories and Set NTFS Permissions with a Web Script

Windows IT Pro
InstantDoc ID #22048
Download: 22048.zip

Help desks often are responsible for creating home directories and setting NTFS permissions. Here's a script that provides a Web form that your Help desk staff or a similar group can use to perform these common tasks. The Web form uses Active Server Pages (ASP), Windows Management Instrumentation (WMI), and the Scripting Runtime Library's FileSystemObject object. (If you're unfamiliar with these technologies, see the Web exclusive sidebar "Resources for the Script's Technologies.")

You can find the script HomeFolderPerms.asp and its style sheet, StyleSheet.css, in the Code Library on the Windows Scripting Solutions Web site (http://www.winscriptingsolutions.com). Here's a look at how HomeFolderPerms.asp works and how you customize the script and the scripting environment so that you can use the Web form in your Windows 2000 network.

Taking the Bird's-Eye View
The Web scripting environment needed to create home directories and set NTFS permissions from a Web form is fairly complex. The complexity results from ensuring that only authorized personnel can run the script. By default, any member of the Administrators group in the domain can run the script, but making all your Help desk staff members part of this group is unrealistic and unsafe. Thus, I designed the script and set up the scripting environment so that a small group of Help desk staff members have enough privileges to successfully run the script. I call this group the HelpDesk group.

When a HelpDesk group member enters the script's URL in a browser, HomeFolderPerms.asp runs and displays the Web form that Figure 1 shows. After that person enters data into the form and clicks Submit, the script checks the form for appropriate and complete entries.

If the entries are OK, the script establishes two WMI namespace connections. The first connection is to the CIMv2 namespace on the file server containing the home directories. The second connection is to the Lightweight Directory Access Protocol (LDAP) namespace on the domain controller (DC) that contains the user accounts. After establishing the connections, the script checks whether the user account exists in the LDAP namespace. If the user account doesn't exist or the HelpDesk group member doesn't have sufficient privileges to access the LDAP namespace, the script informs the HelpDesk group member of the problem, then exits.

When the user account exists and the HelpDesk group member has sufficient privileges, the script checks whether the parent directory exists. If it doesn't or if the HelpDesk group member doesn't have sufficient permissions to the file system, the script informs the HelpDesk group member of the problem, then exits. When the parent directory exists and the HelpDesk group member has sufficient privileges, the script checks whether the home directory exists. If it doesn't, the script creates it.

With the home directory in existence, the script prepares a Security Descriptor (SD) that will eventually contain the discretionary ACL (DACL) for the home directory. The DACL is simply an array of access control entries (ACEs). The script then prepares the ACE, which contains the user account (i.e., the trustee) and the home-directory permissions that you want to assign the trustee.

At this point, the script assigns the SD that contains the ACE to the home directory and applies it. Replacing the default SD with the new SD removes inheritance from the parent directory. You'll likely want the parent directory's permissions to flow down to the users' home directories, so the script then updates the home directory's DACL to allow inheritance. If you don't want to allow inheritance from the parent directory to users' home directories, you can have the HelpDesk group members clear the Allow inheritable permissions from parent to propagate to this directory check box that appears at the bottom of the form in Figure 1.
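The sequence just described, written out as a stand-alone Windows Script Host script. This is an added example, not the article's HomeFolderPerms.asp. It assumes it runs on the file server itself (so FileSystemObject sees the local path D:\Home), that the DC is reachable as DC01, and that FABRIKAM, jdoe and D:\Home are sample values; the WqlEscape helper is mine, and the ControlFlags values used to allow or block inheritance are my reading of the Win32_SecurityDescriptor documentation rather than the article's two-step update.

```vbscript
' Added example (not the article's code). Runs on the file server; DC, domain,
' user and parent path are constructed sample values.
Option Explicit

Const FILE_ALL_ACCESS         = &H1F01FF  ' "Full Control" access mask
Const OBJECT_INHERIT_ACE      = &H1       ' ACE flows to files below
Const CONTAINER_INHERIT_ACE   = &H2       ' ACE flows to subfolders below
Const ACCESS_ALLOWED_ACE_TYPE = 0
Const SE_DACL_PRESENT         = &H4
Const SE_DACL_AUTO_INHERITED  = &H400     ' assumption: lets parent ACEs flow down
Const SE_DACL_PROTECTED       = &H1000    ' blocks inheritance from the parent
Const SE_SELF_RELATIVE        = 32768     ' decimal: &H8000 would overflow to -32768 in VBScript

Dim strDC, strDomain, strUser, strParent, strHome, blnInherit
strDC      = "DC01"       ' constructed
strDomain  = "FABRIKAM"   ' constructed NetBIOS domain name
strUser    = "jdoe"       ' constructed sAMAccountName
strParent  = "D:\Home"    ' constructed; no trailing backslash (what AdjustPathSpec ensures)
blnInherit = True         ' mirrors the form's "Allow inheritable permissions" check box
strHome    = strParent & "\" & strUser

' WMI object paths and WQL use backslash as the escape character, so D:\Home\jdoe
' must appear as D:\\Home\\jdoe inside the quotes (hence the doubled backslashes
' seen in Win32_LogicalFileSecuritySetting error messages).
Function WqlEscape(s)
    WqlEscape = Replace(Replace(s, "\", "\\"), "'", "\'")
End Function

' 1. Two WMI connections: CIMv2 on the file server and the LDAP namespace on the DC.
'    impersonationLevel=impersonate runs every call under the caller's own
'    credentials, so a HelpDesk member gets only what that group was granted.
Dim objCIM, objLDAP
Set objCIM  = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set objLDAP = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                        strDC & "\root\directory\LDAP")

' 2. Does the user account exist? The WMI AD provider exposes users as ds_user.
Dim colUsers
Set colUsers = objLDAP.ExecQuery("SELECT ds_sAMAccountName FROM ds_user " & _
               "WHERE ds_sAMAccountName='" & WqlEscape(strUser) & "'")
If colUsers.Count = 0 Then
    WScript.Echo "No user account named " & strUser & " was found on " & strDC
    WScript.Quit 1
End If

' 3. The parent must already exist; the home directory is created only if missing.
Dim objFSO
Set objFSO = CreateObject("Scripting.FileSystemObject")
If Not objFSO.FolderExists(strParent) Then
    WScript.Echo "Parent directory " & strParent & " does not exist"
    WScript.Quit 1
End If
If Not objFSO.FolderExists(strHome) Then
    On Error Resume Next
    objFSO.CreateFolder strHome
    If Err.Number <> 0 Then   ' typically: caller lacks Create Folders on the parent
        WScript.Echo "Cannot create " & strHome & ": " & Err.Description
        WScript.Quit 1
    End If
    On Error GoTo 0
End If

' 4. Trustee: resolve the account to its SID so the ACE binds to the principal,
'    not to a name that could later be reused.
Dim objAccount, objSID, objTrustee
Set objAccount = objCIM.Get("Win32_UserAccount.Domain='" & WqlEscape(strDomain) & _
                            "',Name='" & WqlEscape(strUser) & "'")
Set objSID     = objCIM.Get("Win32_SID.SID='" & objAccount.SID & "'")
Set objTrustee = objCIM.Get("Win32_Trustee").SpawnInstance_
objTrustee.Domain = objSID.ReferencedDomainName
objTrustee.Name   = objSID.AccountName
objTrustee.SID    = objSID.BinaryRepresentation

' 5. One allow ACE: Full Control for the user on the folder and everything below it.
Dim objACE
Set objACE = objCIM.Get("Win32_ACE").SpawnInstance_
objACE.AccessMask = FILE_ALL_ACCESS
objACE.AceFlags   = OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE
objACE.AceType    = ACCESS_ALLOWED_ACE_TYPE
objACE.Trustee    = objTrustee

' 6. Security descriptor whose DACL is the array of ACEs. Replacing the SD drops
'    the inherited entries, so the control flags decide whether the parent's
'    entries may flow back in (AUTO_INHERITED) or stay blocked (PROTECTED).
Dim objSD, objFileSec, intRet
Set objSD = objCIM.Get("Win32_SecurityDescriptor").SpawnInstance_
objSD.DACL = Array(objACE)
If blnInherit Then
    objSD.ControlFlags = SE_DACL_PRESENT Or SE_DACL_AUTO_INHERITED Or SE_SELF_RELATIVE
Else
    objSD.ControlFlags = SE_DACL_PRESENT Or SE_DACL_PROTECTED Or SE_SELF_RELATIVE
End If

' 7. Apply it. 0 is success; 2 (access denied) is the usual sign that the caller
'    lacks the right to change permissions on the file system.
Set objFileSec = objCIM.Get("Win32_LogicalFileSecuritySetting.Path='" & _
                            WqlEscape(strHome) & "'")
intRet = objFileSec.SetSecurityDescriptor(objSD)
If intRet <> 0 Then
    WScript.Echo "SetSecurityDescriptor failed with return code " & intRet
    WScript.Quit 1
End If
WScript.Echo "Home directory " & strHome & " secured for " & strDomain & "\" & strUser
```

Run it with cscript as a member of the HelpDesk group to confirm that the group's delegated rights on the LDAP namespace and on the parent directory are sufficient; each early exit above corresponds to one of the checks the article's script performs before it touches the DACL.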

Taking a Closer Look
Now that you have an overall picture of how HomeFolderPerms.asp works, we'll take a closer look at the script. Let's examine the user-defined functions and subroutines that the script uses to

  • build the form
  • validate and assign the form's data
  • connect to the provider
  • perform file-system operations
  • create the SD and its ACE
  • assign the SD to the home directory
  • allow inheritance from the parent directory

Building the Form
To build the Web form, the script uses the Form subroutine. The Form subroutine uses a mixture of VBScript and HTML code to create ASP pages; <% and %> tags enclose the VBScript code. You'll see that the %> tag appears right before the HTML form begins. Although you could use ASP syntax to write the form, I find that it's simpler to exit the scripting language, use HTML syntax to build the form, then return to VBScript to end the procedure. I used the style sheet (i.e., StyleSheet.css) to enhance the form's appearance.

Validating and Assigning the Data
After a HelpDesk group member completes the form, he or she clicks Submit. The Submit event prompts the FeedbackForm_OnSubmit function into action. This function determines whether the person has filled in the three required text boxes (i.e., Local domain controller, User account name, and Path to parent directory). If a required text box is empty, the function displays a message box that details the information the person needs to provide. The FeedbackForm_OnSubmit function also determines whether the Path to parent directory text box contains a properly formatted path. If the path is incorrect, the function displays a message box that provides the proper format for the path. After the HelpDesk group member clicks OK in the message box, the FeedbackForm_OnSubmit function places the cursor in the appropriate text box in the form so that the person can enter or modify the information.

After validating the data, the script assigns the data to variables. Before assigning the string in the Path to parent directory text box to a variable, the script uses the AdjustPathSpec subroutine to remove any backslash at the end of the string. Although a backslash at the end of a path is syntactically legal, the script uses paths without them.
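The same required-field checks and the trailing-backslash trim of AdjustPathSpec, written so the ASP page can repeat them on the server before it makes any WMI call (the message boxes in FeedbackForm_OnSubmit run in the browser and only guide the user). This is an added example, not the article's code: the function names IsValidHostName, IsValidUserName, IsValidParentPath and ValidateForm are mine, and the path rules are my reading of "properly formatted" (a local drive path such as D:\Home, no UNC, no ".." segments).

```vbscript
' Added example (not the article's code): server-side re-validation of the
' three required fields plus the trailing-backslash trim of AdjustPathSpec.
Option Explicit

' Remove any trailing backslashes: "D:\Home\" becomes "D:\Home".
Function AdjustPathSpec(strPath)
    strPath = Trim(strPath)
    Do While Len(strPath) > 3 And Right(strPath, 1) = "\"
        strPath = Left(strPath, Len(strPath) - 1)
    Loop
    AdjustPathSpec = strPath
End Function

' DNS or NetBIOS host name of the domain controller.
Function IsValidHostName(strHost)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9][A-Za-z0-9.-]{0,62}$"
    IsValidHostName = re.Test(strHost)
End Function

' sAMAccountName: 1 to 20 characters; letters, digits, dot, underscore, hyphen.
Function IsValidUserName(strUser)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,20}$"
    IsValidUserName = re.Test(strUser)
End Function

' Drive letter, colon, then one or more folder names made only of characters
' NTFS allows; no UNC path, no ".." segment, no trailing backslash.
Function IsValidParentPath(strPath)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z]:\\[^\\/:*?""<>|]+(\\[^\\/:*?""<>|]+)*$"
    IsValidParentPath = re.Test(strPath) And InStr(strPath, "..") = 0
End Function

' Returns "" when all three fields pass, otherwise the message for the first
' failing field (the text the client-side message box would show).
Function ValidateForm(strDC, strUser, strParent)
    If Len(Trim(strDC)) = 0 Then
        ValidateForm = "Enter the name of the local domain controller."
    ElseIf Not IsValidHostName(Trim(strDC)) Then
        ValidateForm = "Local domain controller must be a host name such as DC01."
    ElseIf Len(Trim(strUser)) = 0 Then
        ValidateForm = "Enter the user account name."
    ElseIf Not IsValidUserName(Trim(strUser)) Then
        ValidateForm = "User account name may contain only letters, digits, . _ and -."
    ElseIf Len(Trim(strParent)) = 0 Then
        ValidateForm = "Enter the path to the parent directory."
    ElseIf Not IsValidParentPath(AdjustPathSpec(strParent)) Then
        ValidateForm = "Path to parent directory must look like D:\Home (drive letter plus folder)."
    Else
        ValidateForm = ""
    End If
End Function

' Constructed sample submissions; in the ASP page the three values would come
' from Request.Form instead.
Dim arrSamples, i, strMsg
arrSamples = Array( _
    Array("DC01", "jdoe", "D:\Home\"), _
    Array("DC01", "jdoe", "\\FS01\Home"), _
    Array("DC01", "j doe", "D:\Home"), _
    Array("", "jdoe", "D:\Home"))
For i = 0 To UBound(arrSamples)
    strMsg = ValidateForm(arrSamples(i)(0), arrSamples(i)(1), arrSamples(i)(2))
    If strMsg = "" Then
        WScript.Echo "OK: " & AdjustPathSpec(arrSamples(i)(2)) & "\" & arrSamples(i)(1)
    Else
        WScript.Echo "Rejected: " & strMsg
    End If
Next
```

Only the first sample passes; the others are rejected for a UNC path, a space in the account name and a missing DC name. Because the parent path and user name end up inside a WMI object path and a WQL filter, restricting them to these character classes before use is what keeps the quoting in those strings predictable.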

Comments
  • KHALED, May 24, 2006

    I am not able to find the entire scripts to download. Any idea. Thanks

  • Anonymous User, Apr 21, 2005

    I am a novice when it comes to ASP, so please bear with me. I have modified your UserCreate.asp and have it working fine, but when it comes to HomeFolderPerms.asp, the home directory on the file server is not created (although the script thinks it is) until it tries to apply rights. I have domain admin rights. I can run a test vbs script from the same directory on the domain server and create directories without a problem.

  • RICHARD, Nov 04, 2004

    The script is creating the user's home directory but it is not giving it the necessary rights to the folder. The error I get is "Unable to retrieve the Win32_LogicalFileSecuritySetting of d:\\ririvera".

  • Remy, Mar 29, 2004

    Indeed this is the best script I've seen so far. But one little tiny thing is missing... the varType function is missing.

  • Braden Callahan, Aug 28, 2002

    How can I do this with multiple users? I took your script and hacked it into a VBScript file to run against a large volume of data. The problem is that I can only use one user and it overwrites the existing ACE entries for the ACL. This is the best script I have found to do this so far. I commend you on your knowledge. Thanks for any help.



    Braden - Thanks for your kind words about the article. I have to tell you, I really sweated that one out because, as you've found, the documentation on configuring DACLs using WMI is somewhat incomplete.


    In answer to your first question, you should wrap the modifications to the DACL inside a script that uses either ADO and the ADSI OLE DB provider or a script that enumerates containers using the ADSI IADsContainer interface.


    Here's a script that uses ADO to return all user accounts that are security principals in a domain named na.fabrikam.com. Once that result set is returned, the script modifies the company attribute of each user account to Fabrikam. What you need to do is replace the bolded lines of the script below with the script I wrote to modify the DACL of user account folders. Of course, you should also change the distinguishedName specified in the query string. I know this isn't a complete solution but hopefully it puts you on the right track. This script is part of the System Administration Scripting Guide (SASG) that I'm contributing to for the Windows .NET Server Resource Kit. To see this and many other scripts, visit: http://www.microsoft.com/technet/scriptcenter. This is the area that our team is responsible for and the scripts there are derived primarily from the scripts that will eventually appear in the SASG.




    ' Query every user account in na.fabrikam.com through the ADSI OLE DB
    ' provider. The LDAP dialect needs the base DN in angle brackets:
    ' <base>;(filter);attributes;scope
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Open "Provider=ADsDSOObject;"

    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection
    objCommand.CommandText = "<LDAP://dc=NA,dc=fabrikam,dc=com>;" & _
        "(&(objectCategory=person)(objectClass=user));ADsPath;subtree"

    Set objRecordSet = objCommand.Execute

    ' Loop body: this is the part to replace with the DACL code from
    ' HomeFolderPerms.asp so that each user's folder is processed in turn.
    While Not objRecordSet.EOF
        strADsPath = objRecordSet.Fields("ADsPath")
        Set objUser = GetObject(strADsPath)
        objUser.Put "company", "Fabrikam"
        objUser.SetInfo
        objRecordSet.MoveNext
    Wend

    WScript.Echo objRecordSet.RecordCount & " user accounts modified."
    objConnection.Close



    About not overwriting the DACL, I would have to research this before feeling comfortable with answering your question. Unfortunately, I'm swamped right now with trying to get chapters delivered for the SASG. I hope, though, that I've helped put you on the right track for now. I suggest visiting the TechNet Script Center to see what you can dig up. You might also want to download the latest WMI SDK and read about the Security Provider. --Ethan


