<#

    .SYNOPSIS  

        Reset ownership and permissions for an existing user data repository.

        Intended for folder redirection, roaming profiles, or simple home directory locations.

    .DESCRIPTION  

        Runs through a parent directory that contains folders named by Active Directory

        usernames. It assumes the folder name exactly aligns with existing SAMAccountName.

        If a match to an AD user is not made it will skip the folder.

        

        Recursively takes ownership of each directory and resets its ACL to inherit
        permissions from the parent (so anything granted on the parent also flows into
        every user folder). It then grants Full Control to the user, SYSTEM,
        CREATOR OWNER and Domain Admins, and finally sets the owner of each folder to
        the user.


        Giving the user ownership can be particularly important for folder redirection.

    .NOTES  

        File Name  : setProfilePermissions.ps1

        Modified   : 06/20/2019

        Author     : Andrew Schott - andrew@joletec.com

        Requires   : PowerShell V3, ActiveDirectory module (Get-ADUser); must run with rights to take ownership on the target

    .LINK

        http://www.joletec.com

#>


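#Requires -Version 3.0
#Requires -Modules ActiveDirectory

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Parent directory whose immediate subfolders are named after AD sAMAccountNames
    # (optionally with a roaming-profile version suffix such as ".V6").
    [Parameter()]
    [string]$Target = '\\fs\Users\Staff Data',

    # NetBIOS domain name used to qualify the user account and "Domain Admins".
    [Parameter()]
    [string]$Domain = 'ASHS'
)

function Get-TargetUser {
    <#
        .SYNOPSIS
            Returns the AD user whose sAMAccountName exactly matches $Name, or $null.
        .NOTES
            The folder name comes from the file server, i.e. from whoever can create
            folders under $Target. It is therefore validated before it is handed to
            AD, and it is never interpolated into a filter string or a command line.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string]$Name
    )

    # Characters AD does not allow in a sAMAccountName; anything containing one
    # cannot be a user folder, so skip it without querying AD.
    if ($Name -match '[\"/\\\[\]:;|=,+*?<>]') {
        return $null
    }

    try {
        $user = Get-ADUser -Identity $Name -ErrorAction Stop
    } catch {
        # Not found, or AD unreachable - either way do not touch the folder.
        Write-Verbose "Get-ADUser '$Name': $($_.Exception.Message)"
        return $null
    }

    # -Identity also resolves DNs, SIDs and GUIDs; only an exact sAMAccountName
    # match is acceptable because the folder is granted to "$Domain\$Name".
    if ($user -and $user.SamAccountName -eq $Name) {
        return $user
    }
    return $null
}

function Invoke-NativeStep {
    <#
        .SYNOPSIS
            Runs a native executable with an explicit argument list and warns when
            it returns a non-zero exit code.
        .NOTES
            Arguments are passed directly (not re-parsed by Invoke-Expression), so
            paths containing spaces or shell metacharacters are handled correctly
            and folder names cannot inject extra commands.
    #>
    param(
        [Parameter(Mandatory = $true)][string]$Exe,
        [Parameter(Mandatory = $true)][string[]]$ArgumentList,
        [Parameter(Mandatory = $true)][string]$Step
    )

    & $Exe $ArgumentList
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$Step failed (exit code $LASTEXITCODE): $Exe $($ArgumentList -join ' ')"
    }
}

function Reset-UserFolderSecurity {
    <#
        .SYNOPSIS
            Takes ownership of a folder tree, resets it to inherited permissions,
            grants the user, Domain Admins, SYSTEM and CREATOR OWNER Full Control,
            and sets the owner to the user.
        .PARAMETER Path
            Full path of the user's folder.
        .PARAMETER Account
            DOMAIN\sAMAccountName that will own the folder and receive Full Control.
        .PARAMETER AdminAccount
            DOMAIN\Domain Admins (or whichever group should keep Full Control).
    #>
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Account,
        [Parameter(Mandatory = $true)][string]$AdminAccount
    )

    $fullControl = ':(OI)(CI)(F)'
    $grants = @(
        "${Account}${fullControl}",
        "${AdminAccount}${fullControl}",
        "SYSTEM${fullControl}",
        "CREATOR OWNER${fullControl}"
    )

    # 1. Take ownership (to Administrators) so the ACL can be rewritten even when
    #    the current ACL denies us. NOTE: "/D Y" answers takeown's prompt in
    #    English; on a non-English OS the expected answer letter may differ.
    Invoke-NativeStep -Exe 'takeown.exe' -Step 'takeown' `
        -ArgumentList @('/F', $Path, '/A', '/R', '/D', 'Y')

    # 2. Drop every explicit ACE and fall back to what the parent passes down.
    #    Whatever the parent grants (e.g. read to a broad group) is inherited here;
    #    review the parent ACL if per-user exclusivity is required.
    Invoke-NativeStep -Exe 'icacls.exe' -Step 'icacls /reset' `
        -ArgumentList @($Path, '/reset', '/C', '/T')

    # 3. Re-enable inheritance and add the explicit Full Control grants.
    Invoke-NativeStep -Exe 'icacls.exe' -Step 'icacls /grant' `
        -ArgumentList (@($Path, '/C', '/T', '/inheritance:e', '/grant:r') + $grants)

    # 4. Hand ownership to the user; folder redirection relies on this.
    Invoke-NativeStep -Exe 'icacls.exe' -Step 'icacls /setowner' `
        -ArgumentList @($Path, '/setowner', $Account, '/C', '/T')
}

$adminAccount = "$Domain\Domain Admins"

Write-Warning "DANGER This script will reassign ownership and permissions in the target path. Can take hours to run due to multiple recursive operations."
Write-Output "Targeting $Target"
Write-Output "Ctrl-C to quit"
$null = Read-Host 'Press Enter to continue'

foreach ($folder in (Get-ChildItem -LiteralPath $Target -Directory -ErrorAction Stop)) {
    # A roaming-profile version folder (e.g. andrew.schott.V6, andrew.schott.V10)
    # belongs to the user named before the suffix; anything else is the plain
    # user folder (e.g. andrew.schott).
    $userName = $folder.Name -replace '\.V\d+$', ''

    $user = Get-TargetUser -Name $userName
    if (-not $user) {
        Write-Output "User $userName does not exist in Active Directory. Skipping '$($folder.Name)'."
        continue
    }

    # Honour -WhatIf / -Confirm before running the recursive ACL rewrite.
    if ($PSCmdlet.ShouldProcess($folder.FullName, "Reset ownership and permissions for $Domain\$userName")) {
        Reset-UserFolderSecurity -Path $folder.FullName -Account "$Domain\$userName" -AdminAccount $adminAccount
    }
}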