Code/Function/Public/New-NetworkDrive.ps1
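Function New-NetworkDrive {
    <#
    .SYNOPSIS
    Create a folder and AD groups for a network drive.

    .DESCRIPTION
    For every name this function creates a folder below -Path and three global
    security groups: d_<name> (drive mapping, e.g. via GPO), a_<name>_r (read
    access) and a_<name>_rw (modify access). Both access groups become members
    of the drive group. Inheritance on the new folder is disabled (existing
    entries are copied), the two access groups are granted their rights and all
    entries for BUILTIN\Users are removed.

    .PARAMETER Name
    Array of names which will become the new network drives. Each name is used
    as a single folder name, so names with path separators or other characters
    that are invalid in a file name are rejected.

    .PARAMETER Path
    Path in which the folders will be created.

    .PARAMETER GroupDriveOrganizationalUnit
    AD organizational unit in which the drive groups (d_<name>) are saved. Those
    groups can be used to give users the folder as network drive (GPO).

    .PARAMETER GroupAccessOrganizationalUnit
    AD organizational unit in which the access groups (a_<name>_r, a_<name>_rw)
    are saved. Those groups can be used to give users access to the folder.

    .INPUTS
    Array
    String

    .OUTPUTS
    None

    .EXAMPLE
    New-NetworkDrive -Name @("drive1", "drive2") -Path "D:\data" -GroupDriveOrganizationalUnit (Get-ADOrganizationalUnit -Identity "OU=Drives,OU=Groups,OU=test,DC=test,DC=local") -GroupAccessOrganizationalUnit (Get-ADOrganizationalUnit -Identity "OU=Access,OU=Groups,OU=test,DC=test,DC=local")

    .NOTES
    Uses New-ADGroup and Add-ADGroupMember from the ActiveDirectory module.
    A failure for one name is reported as an error and the remaining names are
    still processed. Objects created before the failure are not rolled back.

    .LINK
    https://github.com/gisp497/psgisp
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(
            Mandatory = $true,
            HelpMessage = "Name of the Folders/Networkdrives"
        )]
        [Array]$Name,

        [Parameter(
            Mandatory = $true,
            HelpMessage = "Path in which the folders should be created."
        )]
        [String]$Path,

        [Parameter(
            Mandatory = $true,
            HelpMessage = "AD Organizationl Unit to safe new AD group. Those groups can be used to give users the folder as network drive (GPO)."
        )]
        $GroupDriveOrganizationalUnit,

        [Parameter(
            Mandatory = $true,
            HelpMessage = "AD Organizationl Unit to safe new AD group. Those groups can be used to give users access to the folder."
        )]
        $GroupAccessOrganizationalUnit
    )

    Begin {
        # Loop-invariant values, computed once instead of once per drive name.
        $invalidNameChars = [System.IO.Path]::GetInvalidFileNameChars()

        # Well-known SID of BUILTIN\Users. Using the SID instead of the account
        # name keeps the purge working on localized Windows installations.
        $builtinUsers = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')
    }

    Process {
        foreach ($entry in $Name) {
            $driveName = [string]$entry

            # The name ends up as a folder name below $Path and inside three
            # group names. Reject anything that could leave $Path ("..", path
            # separators) or that is not a valid single file name.
            if ([string]::IsNullOrWhiteSpace($driveName) -or
                ($driveName -in @('.', '..')) -or
                ($driveName.IndexOfAny($invalidNameChars) -ge 0)) {
                Write-Error -Message ("Skipping invalid network drive name '" + $driveName + "': it must be a single valid folder name.")
                continue
            }

            # Honour -WhatIf / -Confirm, which SupportsShouldProcess advertises.
            # Without this gate -WhatIf suppresses New-Item and the following
            # Get-Acl runs against a folder object that is $null.
            $target = Join-Path -Path $Path -ChildPath $driveName
            if (-not $PSCmdlet.ShouldProcess($target, 'Create folder, AD groups and folder ACL')) {
                continue
            }

            try {
                # -ErrorAction Stop everywhere: a failed step must not be
                # followed by ACL changes built from missing objects.

                #create folder
                $folder = New-Item -Path $Path -Name $driveName -ItemType Directory -ErrorAction Stop

                #create groups
                $drivegroup = New-ADGroup -Name ('d_' + $driveName) -GroupScope Global -GroupCategory Security -Path $GroupDriveOrganizationalUnit -PassThru -ErrorAction Stop
                $accessreadgroup = New-ADGroup -Name ('a_' + $driveName + '_r') -GroupScope Global -GroupCategory Security -Path $GroupAccessOrganizationalUnit -PassThru -ErrorAction Stop
                $accesswritegroup = New-ADGroup -Name ('a_' + $driveName + '_rw') -GroupScope Global -GroupCategory Security -Path $GroupAccessOrganizationalUnit -PassThru -ErrorAction Stop

                #add access groups to drive group
                Add-ADGroupMember -Identity $drivegroup -Members $accessreadgroup, $accesswritegroup -ErrorAction Stop

                #get current access rights
                $permission = Get-Acl -Path $folder.FullName -ErrorAction Stop

                #disable inheritance but keep the inherited entries as explicit ones
                $permission.SetAccessRuleProtection($true, $true)
                Set-Acl -AclObject $permission -Path $folder.FullName -ErrorAction Stop

                # Re-read the ACL so the copied entries are present as explicit
                # rules and can be purged below.
                $permission = Get-Acl -Path $folder.FullName -ErrorAction Stop

                #create new permissions for both groups
                # The rules reference the groups by SID. A freshly created group
                # may not yet be resolvable by name from the domain controller
                # the file server asks, and a SID needs no name lookup.
                $accessread = New-Object System.Security.AccessControl.FileSystemAccessRule($accessreadgroup.SID, "ReadAndExecute, Synchronize", "ContainerInherit,ObjectInherit", "None", "Allow")
                $accesswrite = New-Object System.Security.AccessControl.FileSystemAccessRule($accesswritegroup.SID, "DeleteSubdirectoriesAndFiles, Modify, Synchronize", "ContainerInherit,ObjectInherit", "None", "Allow")
                $permission.SetAccessRule($accessread)
                $permission.SetAccessRule($accesswrite)

                #remove permission for builtin users
                # NOTE(review): only BUILTIN\Users is purged. Any other broad
                # principal copied from the parent folder (for example
                # Authenticated Users or Everyone) keeps its access - verify
                # the ACL of $Path before relying on this for isolation.
                $permission.PurgeAccessRules($builtinUsers)

                #set permissions to folder
                Set-Acl -AclObject $permission -Path $folder.FullName -ErrorAction Stop
            }
            catch {
                # No rollback: a folder created before the failure still carries
                # the permissions it inherited from $Path, so say so explicitly.
                Write-Error -Message ("Network drive '" + $driveName + "' was not set up completely: " + $_.Exception.Message + " Folder or groups created before the failure were left in place; review their permissions.")
                continue
            }
        }
    }

    End {
    }
}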