August 28, 2001

Create Home Directories and Set NTFS Permissions with a Web Script


Help desks are often responsible for creating home directories and setting NTFS permissions. Here's a script that provides a Web form that your Help desk staff or a similar group can use to perform these common tasks. The Web form uses Active Server Pages (ASP), Windows Management Instrumentation (WMI), and the Scripting Runtime Library's FileSystemObject object. (If you're unfamiliar with these technologies, see the Web-exclusive sidebar "Resources for the Script's Technologies.")

You can find the script HomeFolderPerms.asp and its style sheet, StyleSheet.css, in the Code Library on the Windows Scripting Solutions Web site (http://www.winscriptingsolutions.com). Here's a look at how HomeFolderPerms.asp works and how you customize the script and the scripting environment so that you can use the Web form in your Windows 2000 network.

Taking the Bird's-Eye View
The Web scripting environment needed to create home directories and set NTFS permissions from a Web form is fairly complex. The complexity results from ensuring that only authorized personnel can run the script. By default, any member of the Administrators group in the domain can run the script, but making all your Help desk staff members part of this group is unrealistic and unsafe. Thus, I designed the script and set up the scripting environment so that a small group of Help desk staff members have enough privileges to successfully run the script. I call this group the HelpDesk group.

When a HelpDesk group member enters the script's URL in a browser, HomeFolderPerms.asp runs and displays the Web form that Figure 1 shows. After that person enters data into the form and clicks Submit, the script checks the form for appropriate and complete entries.

If the entries are OK, the script establishes two WMI namespace connections. The first connection is to the CIMv2 namespace on the file server containing the home directories. The second connection is to the Lightweight Directory Access Protocol (LDAP) namespace on the domain controller (DC) that contains the user accounts. After establishing the connections, the script checks whether the user account exists in the LDAP namespace. If the user account doesn't exist or the HelpDesk group member doesn't have sufficient privileges to access the LDAP namespace, the script informs the HelpDesk group member of the problem, then exits.

When the user account exists and the HelpDesk group member has sufficient privileges, the script checks whether the parent directory exists. If it doesn't or if the HelpDesk group member doesn't have sufficient permissions to the file system, the script informs the HelpDesk group member of the problem, then exits. When the parent directory exists and the HelpDesk group member has sufficient privileges, the script checks whether the home directory exists. If it doesn't, the script creates it.

With the home directory in existence, the script prepares a Security Descriptor (SD) that will eventually contain the discretionary ACL (DACL) for the home directory. The DACL is simply an array of access control entries (ACEs). The script then prepares the ACE, which contains the user account (i.e., the trustee) and the home-directory permissions that you want to assign the trustee.

At this point, the script adds the ACE to the SD, then applies the SD to the home directory. Replacing the default SD with the new SD removes inheritance from the parent directory. Because you'll likely want the parent directory's rights to flow to the users' home directories, the script then updates the home directory's DACL to allow inheritance again. If you don't want to allow inheritance from the parent directory to users' home directories, you can have the HelpDesk group members clear the Allow inheritable permissions from parent to propagate to this directory check box that appears at the bottom of the form in Figure 1.

Taking a Closer Look
Now that you have an overall picture of how HomeFolderPerms.asp works, we'll take a closer look at the script. Let's examine the user-defined functions and subroutines that the script uses to

  • build the form
  • validate and assign the form's data
  • connect to the provider
  • perform file-system operations
  • create the SD and its ACE
  • assign the SD to the home directory
  • allow inheritance from the parent directory

Building the Form
To build the Web form, the script uses the Form subroutine. The Form subroutine uses a mixture of VBScript and HTML code to create ASP pages; <% and %> tags enclose the VBScript code. You'll see that a %> tag appears right before the HTML form begins. Although you could use ASP syntax to write the form, I find that it's simpler to exit the scripting language, use HTML syntax to build the form, then return to VBScript to end the procedure. I used the style sheet (i.e., StyleSheet.css) to enhance the form's appearance.

Validating and Assigning the Data
After a HelpDesk group member completes the form, he or she clicks Submit. The Submit event prompts the FeedbackForm_OnSubmit function into action. This function determines whether the person has filled in the three required text boxes (i.e., Local domain controller, User account name, and Path to parent directory). If a required text box is empty, the function displays a message box that details the information the person needs to provide. The FeedbackForm_OnSubmit function also determines whether the Path to parent directory text box contains a properly formatted path. If the path is incorrect, the function displays a message box that provides the proper format for the path. After the HelpDesk group member clicks OK in the message box, the FeedbackForm_OnSubmit function places the cursor in the appropriate text box in the form so that the person can enter or modify the information.

After validating the data, the script assigns the data to variables. Before assigning the string in the Path to parent directory text box to a variable, the script uses the AdjustPathSpec subroutine to remove any backslash at the end of the string. Although a backslash at the end of a path is syntactically legal, the script uses paths without them.
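The flow the article describes, from resolving the account through applying the SD, as an added example that is not the article's HomeFolderPerms.asp code. It assumes it runs locally on the file server (so FileSystemObject and the WMI Security provider see the same path), uses placeholder domain, user and parent-path values, and appends the new ACE to the existing DACL rather than replacing the descriptor, so the parent's inherited entries survive without a second inheritance step.

```vbscript
' Added example, not the article's HomeFolderPerms.asp. Assumes it runs on the
' file server itself, so FileSystemObject and the WMI Security provider see the
' same local path. Domain, user and parent path below are placeholders.
Option Explicit
Const MODIFY_ACCESS           = &H1301BF  ' NTFS "Modify", not Full Control
Const OBJECT_INHERIT_ACE      = &H1
Const CONTAINER_INHERIT_ACE   = &H2
Const ACCESS_ALLOWED_ACE_TYPE = 0
Const SE_DACL_PRESENT         = &H4
Const SE_DACL_PROTECTED       = &H1000    ' when set, blocks inheritance from parent
Dim strDomain, strUser, strParent, strHome
strDomain = "FABRIKAM"    ' placeholder NetBIOS domain
strUser   = "jdoe"        ' placeholder account name
strParent = "D:\Users\"   ' placeholder parent directory
' Same normalisation as the article's AdjustPathSpec: drop a trailing backslash,
' then insist on a local drive path before the home path is built from it.
If Right(strParent, 1) = "\" Then strParent = Left(strParent, Len(strParent) - 1)
If Mid(strParent, 2, 2) <> ":\" Then WScript.Quit 1
strHome = strParent & "\" & strUser
Dim objWMI, objFSO, objAcct, objSid, objSec, objSD, objTrustee, objAce, arrDacl
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
' Resolve the account first: an unknown user fails before any directory exists.
Set objAcct = objWMI.Get("Win32_UserAccount.Domain='" & strDomain & "',Name='" & strUser & "'")
Set objSid  = objWMI.Get("Win32_SID.SID='" & objAcct.SID & "'")
Set objFSO = CreateObject("Scripting.FileSystemObject")
If Not objFSO.FolderExists(strParent) Then WScript.Quit 2
If Not objFSO.FolderExists(strHome) Then objFSO.CreateFolder strHome
' Backslashes are escape characters in a WMI object path, so double them.
Set objSec = objWMI.Get("Win32_LogicalFileSecuritySetting.Path='" & Replace(strHome, "\", "\\") & "'")
If objSec.GetSecurityDescriptor(objSD) <> 0 Then WScript.Quit 3
Set objTrustee = objWMI.Get("Win32_Trustee").SpawnInstance_
objTrustee.Domain = strDomain
objTrustee.Name   = strUser
objTrustee.SID    = objSid.BinaryRepresentation
Set objAce = objWMI.Get("Win32_ACE").SpawnInstance_
objAce.AccessMask = MODIFY_ACCESS
objAce.AceFlags   = OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE  ' files and subfolders
objAce.AceType    = ACCESS_ALLOWED_ACE_TYPE
Set objAce.Trustee = objTrustee
' Append to the existing DACL rather than replacing it, so inherited parent entries survive.
If IsNull(objSD.DACL) Then
    ReDim arrDacl(0)
Else
    arrDacl = objSD.DACL
    ReDim Preserve arrDacl(UBound(arrDacl) + 1)
End If
Set arrDacl(UBound(arrDacl)) = objAce
objSD.DACL = arrDacl
objSD.ControlFlags = (objSD.ControlFlags Or SE_DACL_PRESENT) And (Not SE_DACL_PROTECTED)
If objSec.SetSecurityDescriptor(objSD) <> 0 Then WScript.Quit 4
```

Leaving SE_DACL_PROTECTED clear corresponds to the form's inheritance check box being ticked; setting it instead would block the parent's permissions from flowing down.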



Reader Comments
Awesome! But will it work on an 'old' non-Active Directory Win 2000 server?

sean August 28, 2001


The short answer is yes, with minor modifications it will work with a stand-alone computer running Windows 2000. You must change the QuerySid function so that it queries the SAM database on the stand-alone Windows 2000 computer rather than the Active Directory store on a domain controller. You might also have to modify the SetTrustee function because the domain name is one of its parameters.
Perhaps I could write a supplement to this article that shows the changes necessary to make this work on a stand-alone Windows 2000 computer.

Ethan Wilansky October 23, 2001


I tried putting the script into a Visual Basic component, which should not have presented any problems. However, when I try to set permission rights on the folder, I get an undefined automation error. My components run on the Web server, which is also the domain controller. However, the folders may be created on any file server within the domain. Can you tell me what the path to the folder should look like when passing it into the procedure? The path is always like this:

\\SERVERNAME\Users\USERNAME

where Users is a share that is located on the E: drive of the server. I have tried a few things, like

\\SERVERNAME\Users$\USERNAME
\\SERVERNAME\Users\USERNAME
\\SERVERNAME\E:\Users\USERNAME

If you can see why I get the undefined automation error, please let me know. I really need to be able to set security for the user on this folder, and I have not been able to find any other way to do it.


Inge Schepers December 05, 2001


How can I do this with multiple users? I took your script and hacked it into a VBScript file to run against a large volume of data. The problem is that I can only use one user and it overwrites the existing ACE entries for the ACL. This is the best script I have found to do this so far. I commend you on your knowledge. Thanks for any help.

Braden - Thanks for your kind words about the article. I have to tell you, I really sweated that one out because, as you've found, the documentation on configuring DACLs using WMI is somewhat incomplete.

In answer to your first question, you should wrap the modifications to the DACL inside a script that uses either ADO and the ADSI OLE DB provider or a script that enumerates containers using the ADSI IADsContainer interface.

Here's a script that uses ADO to return all user accounts that are security principals in a domain named na.fabrikam.com. Once that result set is returned, the script modifies the company attribute of each user account to Fabrikam. What you need to do is replace the bolded lines of the script below with the script I wrote to modify the DACL of user account folders. Of course, you should also change the distinguishedName specified in the query string. I know this isn't a complete solution but hopefully it puts you on the right track. This script is part of the System Administration Scripting Guide (SASG) that I'm contributing to for the Windows .NET Server Resource Kit. To see this and many other scripts, visit: http://www.microsoft.com/technet/scriptcenter. This is the area that our team is responsible for and the scripts there are derived primarily from the scripts that will eventually appear in the SASG.

    ' Query every user account under na.fabrikam.com through the ADSI OLE DB provider
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Open "Provider=ADsDSOObject;"

    Set objCommand = CreateObject("ADODB.Command")
    objCommand.ActiveConnection = objConnection

    ' LDAP dialect: <base>;(filter);attributes;scope
    objCommand.CommandText = "<LDAP://dc=NA,dc=fabrikam,dc=com>;" & _
        "(&(objectCategory=person)(objectClass=user));" & "ADsPath;subtree"

    Set objRecordSet = objCommand.Execute

    intCount = 0
    While Not objRecordSet.EOF
        strADsPath = objRecordSet.Fields("ADsPath")
        Set objUser = GetObject(strADsPath)
        ' The next two lines are the per-user work to replace with the DACL-modification code
        objUser.Put "company", "Fabrikam"
        objUser.SetInfo
        intCount = intCount + 1   ' counted here; RecordCount is -1 on a forward-only cursor
        objRecordSet.MoveNext
    Wend

    WScript.Echo intCount & " user accounts modified."
    objRecordSet.Close
    objConnection.Close

About not overwriting the DACL, I would have to research this before feeling comfortable with answering your question. Unfortunately, I'm swamped right now with trying to get chapters delivered for the SASG. I hope, though, that I've helped put you on the right track for now. I suggest visiting the TechNet Script Center to see what you can dig up. You might also want to download the latest WMI SDK and read about the Security Provider. --Ethan



Braden Callahan August 28, 2002


Indeed this is the best script I've seen so far. But one little tiny thing is missing... the varType function is missing.

Remy March 29, 2004


The script is creating the user's home directory, but it is not giving it the necessary rights to the folder. The error I get is Unable to retrieve the Win32_LogicalFileSecurity Setting of d:\ririvera

RealBigTime November 04, 2004


I am a novice when it comes to ASP, so please bear with me. I have modified your UserCreate.asp and have it working fine, but when it comes to HomeFolderPerms.asp, the home directory on the file server is not created (although the script thinks it is) until it tries to apply rights. I have domain admin rights. I can run a test vbs script from the same directory on the domain server and create directories without a problem.

Anonymous User April 21, 2005


I am not able to find the entire scripts to download. Any idea? Thanks.

Moongate May 24, 2006


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc. All rights reserved.