# Script Created by Oldelpasosnowplow
# On Wednesday, February 23rd, 2022 @ 16:45 UTC
# This is completely open to any and all that want to use it, modify it to meet the needs of your network.
# This script prompts for a user's AD sAMAccountName and employee clock number, then writes the clock number to the AD account's EmployeeID attribute.
# It then creates a documents folder for the user, grants the user Modify permissions on it, and prompts before removing any permissions
# that were copied from the parent folder's inheritance, in case they are not needed. (Requires the ActiveDirectory module and rights to modify the user and the folder ACL.)
# Enjoy and I hope this helps others
# Received this function from https://jpearson.blog/2019/11/08/prompting-the-user-for-input-with-powershell/
# Thank you James
# Published Nov 8th, 2019
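# Prompt the operator to pick one of $Options by number, re-prompting until the
# answer is valid. Prints "[0]: Cancel" followed by the numbered options.
#   -Options  list of menu entries (shown as [1]..[N]); an empty list leaves
#             only 0/Cancel as a valid answer
#   -Prompt   heading printed above the menu
# Returns the chosen option string, or '' when the operator enters 0.
function Get-SelectionFromUser
{
    param ([Parameter(Mandatory=$true)][string[]]$Options,[Parameter(Mandatory=$true)][string]$Prompt)
    [int]$Response = 0;
    [bool]$ValidResponse = $false
    while (!($ValidResponse)) {
        [int]$OptionNo = 0
        Write-Host $Prompt -ForegroundColor DarkYellow
        Write-Host "[0]: Cancel"
        foreach ($Option in $Options) {
            $OptionNo += 1
            Write-Host ("[$OptionNo]: {0}" -f $Option)
        }
        # TryParse also accepts negative numbers, so both bounds must be checked:
        # a bare "-le $OptionNo" let "-1" through and $Options.Get(-2) then threw.
        if ([Int]::TryParse((Read-Host), [ref]$Response)) {
            if ($Response -eq 0) {
                return ''
            }
            elseif (($Response -ge 1) -and ($Response -le $OptionNo)) {
                $ValidResponse = $true
            }
        }
    }
    # $Response is 1-based for the operator; the array is 0-based.
    return $Options.Get($Response - 1)
}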
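# ---------------------------------------------------------------------------
# Main script: resolve the AD user, record the clock number, create the
# per-user documents folder and set its ACL.
# All prompts are collected and validated BEFORE anything is changed, so a
# cancelled department choice or an already-existing folder no longer leaves
# the AD account half-updated (the original wrote EmployeeID first and only
# then discovered the folder existed).
# ---------------------------------------------------------------------------

# Values to change to meet your needs
$basedirpath = "C:\Temp"

# Loop until the entered identity resolves to an AD user.
# -Identity is a lookup key, not an LDAP filter, so the raw input is not an
# injection vector here; it is nevertheless never used to build a path below -
# the resolved SamAccountName and SID are used instead.
$valid = $false
while (!($valid))
{
    $username = Read-Host -Prompt "Enter username (samAccountName)"
    try
    {
        # -ErrorAction Stop: make every lookup failure (not only
        # identity-not-found) land in the catch block.
        $aduser = Get-ADUser -Identity $username -ErrorAction Stop
        $valid = $true
    }
    catch
    {
        Write-Output "User Doesn't Exist"
    }
}

# -Identity also accepts a DN, GUID or SID, so take the canonical
# sAMAccountName from the resolved object rather than the typed string.
$samAccountName = $aduser.SamAccountName

# Employee clock number; written to the EmployeeID attribute further down.
# NOTE(review): no format check is applied and an empty value clears the
# attribute - add a -match pattern here if clock numbers have a fixed shape.
$employeeID = Read-Host -Prompt "Enter Employee Clock Number"

# Department folder selection. Get-SelectionFromUser returns '' on cancel;
# without this guard the path would collapse to "$basedirpath\\$samAccountName".
$dept = Get-SelectionFromUser -Options ('Accounting','Administration','Human Resources','Information Systems') -Prompt 'Select Department Folder' #Add as many options as you like
if ([string]::IsNullOrEmpty($dept))
{
    Write-Output "Cancelled"
    Exit
}
$docPath = "$basedirpath\$dept\$samAccountName"

# If the directory already exists, stop before touching AD or the ACL.
# -LiteralPath: an account name may contain characters such as [ ] that
# Test-Path/Get-Acl/Set-Acl would otherwise treat as wildcards.
if (Test-Path -LiteralPath $docPath -PathType Container)
{
    Write-Output "Directory Exists"
    Exit
}

# All inputs are valid: set the Employee Clock Number in AD ...
$aduser | Set-ADUser -EmployeeID $employeeID

# ... and create the Documents folder (New-Item has no -LiteralPath).
New-Item -Path $docPath -ItemType Directory | Out-Null

# Grant the user Modify on the new directory, inherited by everything below it.
$acl = Get-Acl -LiteralPath $docPath
# Protect the folder from further inheritance ($true) but copy the parent's
# inherited rules into explicit rules ($true) so they can be reviewed below.
$acl.SetAccessRuleProtection($True, $True)
# Identify the user by the SID returned from AD rather than "DOMAIN\name":
# no domain constant to edit, nothing to mistype, no name translation that
# can fail at Set-Acl time.
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($aduser.SID, "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.SetAccessRule($accessRule)
$acl | Set-Acl -LiteralPath $docPath

# Offer to purge each rule now present on the folder. The ACL is re-read so the
# loop reflects what was actually persisted by Set-Acl above.
# CAUTION: this list includes SYSTEM, Administrators and the rule just added
# for the user - removing those can lock administrators or the user out.
$currentAcl = Get-Acl -LiteralPath $docPath
foreach ($identity in $currentAcl.Access)
{
    $idname = $identity.IdentityReference
    # -eq is case-insensitive in PowerShell, so "Y" is accepted as well.
    $in = Read-Host -Prompt "Do you want to remove this $idname (y/n)"
    if ($in -eq "y")
    {
        $dAcl = Get-Acl -LiteralPath $docPath
        # IdentityReference is already an NTAccount or SecurityIdentifier,
        # which PurgeAccessRules accepts directly; wrapping it in a new
        # NTAccount broke for unresolvable (orphaned) SIDs.
        $dAcl.PurgeAccessRules($identity.IdentityReference)
        Set-Acl -LiteralPath $docPath -AclObject $dAcl
    }
}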