
Grant full access to user home folder

Updated on: Jan 18, 2026

Folders and profiles

The scripts grant full access permissions over the home folder of the target user account to specific users.

Script 1: Manager and additional delegates

The script grants the permissions to the user's manager and to any other delegates whose usernames (sAMAccountNames) are stored in a text property of the user. The usernames must be specified as a comma-separated list (e.g. jdoe, bstephens, jburns). To execute the script, create a business rule, custom command or scheduled task configured for the User object type.

In the script, the $additionalDelegatesPropertyName variable specifies the name of the property storing the list of additional delegates.

$additionalDelegatesPropertyName = "adm-CustomAttributeText1" # TODO: modify me

function SetFullControlPermission($userName, $domainName, $userShare)
{
    $rights = [System.Security.AccessControl.FileSystemRights]"FullControl"
    $objUser = New-Object System.Security.Principal.NTAccount($domainName, $userName)
    $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $rights, "ContainerInherit, ObjectInherit", "None", "Allow")
    $objACL = Get-ACL $userShare
    try
    {
        $objACL.AddAccessRule($objACE)
        Set-ACL $userShare $objACL -ErrorAction Stop
    }
    catch
    {
        $Context.LogMessage("An error occurred while adding the permissions for user '$userName'. Error: " + $_.Exception.Message, "Warning")
    }
}

# Get user home directory.
try
{
    $userShare = $Context.TargetObject.Get("homeDirectory")
}
catch
{
    $Context.LogMessage("The user does not have a home directory.", "Warning")
    return
}

# Get manager DN.
try
{
    $managerDN = $Context.TargetObject.Get("manager")
}
catch
{
    $Context.LogMessage("The user does not have a manager assigned in AD.", "Warning")
    return
}

# Get additional delegates.
try
{
    $userNames = ($Context.TargetObject.Get($additionalDelegatesPropertyName)).Split(",")
}
catch
{
    $userNames = $NULL
}

# Get user domain name.
$domainName = $Context.GetObjectDomain("%distinguishedName%")

# Get manager name and domain name.
$manager = $Context.BindToObjectByDN($managerDN)
$managerName = $manager.Get("sAMAccountName")

# Grant permissions to the manager.
SetFullControlPermission $managerName $domainName $userShare

# Grant permissions to additional delegates.
if ($NULL -ne $userNames)
{
    foreach ($userName in $userNames)
    {
        # Skip blank entries left by stray commas (e.g. "jdoe,,bstephens,").
        $userName = $userName.Trim()
        if ($userName -eq "")
        {
            continue
        }
        SetFullControlPermission $userName $domainName $userShare
    }
}
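The following is an added example, not one of the scripts in the Adaxes repository. It covers the two gaps a re-runnable version of Script 1 needs: each delegate name is resolved to a SID before the ACL is touched, so a mistyped or deleted account is reported instead of leaving an unresolvable ACE, and an explicit FullControl ACE is only written when the SID does not already hold one, so running the rule twice does not stack duplicate entries. It assumes the Adaxes $Context object, the same adm-CustomAttributeText1 property and the same comma-separated list format as Script 1; the function names Resolve-DelegateSid and Add-FullControlIfMissing are the example's own.

```powershell
# Added example (not from the Adaxes script repository). Assumes the Adaxes
# $Context object and the delegate-list property used by Script 1.
$additionalDelegatesPropertyName = "adm-CustomAttributeText1" # TODO: modify me

function Resolve-DelegateSid($domainName, $userName)
{
    # Translate DOMAIN\user to a SID. Returns $null when the account does not
    # exist, so a bad name is logged instead of producing a dangling ACE.
    try
    {
        $account = New-Object System.Security.Principal.NTAccount($domainName, $userName)
        return $account.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch
    {
        return $null
    }
}

function Add-FullControlIfMissing($sid, $folderPath)
{
    # Returns $true when a new ACE was written and $false when an explicit
    # FullControl allow ACE for this SID is already present (idempotent re-runs).
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl -Path $folderPath
    # Compare by SID, not by translated name, so renamed accounts still match.
    $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq "Allow" -and
            $_.IdentityReference.Value -eq $sid.Value -and
            ($_.FileSystemRights -band $full) -eq $full
        }
    if ($null -ne $existing)
    {
        return $false
    }

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $full, "ContainerInherit, ObjectInherit", "None", "Allow")
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folderPath -AclObject $acl -ErrorAction Stop
    return $true
}

# Home folder and domain of the target user, read the same way as in Script 1.
try
{
    $userShare = $Context.TargetObject.Get("homeDirectory")
}
catch
{
    $Context.LogMessage("The user does not have a home directory.", "Warning")
    return
}
$domainName = $Context.GetObjectDomain("%distinguishedName%")

# An unset delegate property is treated as an empty list rather than an error.
try
{
    $rawList = [string]$Context.TargetObject.Get($additionalDelegatesPropertyName)
}
catch
{
    $rawList = ""
}

# Drop blanks left by stray commas and de-duplicate repeated names.
$delegateNames = $rawList.Split(",") | ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne "" } | Select-Object -Unique

foreach ($name in $delegateNames)
{
    $sid = Resolve-DelegateSid $domainName $name
    if ($null -eq $sid)
    {
        $Context.LogMessage("Delegate '$name' was not found in domain '$domainName'; skipped.", "Warning")
        continue
    }
    try
    {
        if (Add-FullControlIfMissing $sid $userShare)
        {
            $Context.LogMessage("Granted full control on '$userShare' to '$domainName\$name'.", "Information")
        }
        else
        {
            $Context.LogMessage("'$domainName\$name' already has full control on '$userShare'.", "Information")
        }
    }
    catch
    {
        $Context.LogMessage("Could not update the ACL of '$userShare' for '$name'. Error: " + $_.Exception.Message, "Warning")
    }
}
```

Because Script 1 builds an NTAccount from the target user's own domain, a delegate from another domain in the forest will not resolve and is reported by Resolve-DelegateSid as not found; the log line tells the administrator which name and domain were tried.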

Script 2: Delegate specified in a parameter

The script grants full access permissions to the account specified in a custom command parameter. The parameter must be of the Directory object picker type. Additionally, the script emails the delegate about gaining the permissions. If the delegate has no email address specified, the notification will be sent to the initiator.

Parameters

  • $delegateParameterName - the name of the parameter used to specify the delegate. The name must include the param- prefix.
  • $subject - the email notification subject.
  • $messageTemplate - a template for the email notification. In the template, the {0} placeholder will be replaced with the name of the delegate gaining the permissions.

$delegateParameterName = "param-delegate" # TODO: modify me
$subject = "Grant permissions over home folder"  # TODO: modify me
$messageTemplate = "Full access permissions were granted to user {0} over home folder of user %fullname%."  # TODO: modify me

function SetFullControlPermission($sid, $userFolderPath)
{
    $objACL = Get-ACL $userFolderPath
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
    try
    {
        $objACL.AddAccessRule($accessRule)
        Set-ACL $userFolderPath $objACL -ErrorAction Stop
    }
    catch
    {
        $Context.LogMessage("An error occurred while adding the permissions for SID '$sid'. Error: " + $_.Exception.Message, "Warning")
    }
}

# Get home directory folder.
try
{
    $userShare = $Context.TargetObject.Get("homeDirectory")
}
catch
{
    $Context.LogMessage("The user does not have a home directory.", "Warning") # TODO: modify me
    return
}

# Get delegate SID and name.
$delegateDN = $Context.GetParameterValue($delegateParameterName)
$delegate = $Context.BindToObjectByDN($delegateDN)
$delegateSidBinary = $delegate.Get("objectSid")
$delegateSid = New-Object System.Security.Principal.SecurityIdentifier($delegateSidBinary, 0)
$delegateName = $delegate.Get("name")

# Get delegate email.
try
{
    $recipientEmail = $delegate.Get("mail")
}
catch
{
    $recipientEmail = "%adm-InitiatorEmail%"
}

# Set permissions
SetFullControlPermission $delegateSid $userShare

# Send mail
$message = [System.String]::Format($messageTemplate, @($delegateName))
if ([System.String]::IsNullOrEmpty($recipientEmail))
{
    $Context.LogMessage("Neither the delegate nor the initiator has an email address specified.", "Information")
    return
}

$Context.SendMail($recipientEmail, $subject, $message, $NULL)
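Script 2 grants FullControl to whatever object the picker parameter returns. The following added example (not from the Adaxes repository) shows a pre-grant check to put in front of the Set-ACL call: it refuses groups, computer accounts and disabled users, and records who already holds an explicit FullControl ACE on the folder so the change is auditable. It assumes the Adaxes $Context object and the param-delegate parameter of Script 2; the functions Test-DelegateAccount and Get-ExplicitFullControlHolders are the example's own names.

```powershell
# Added example (not from the Adaxes script repository). Assumes the Adaxes
# $Context object and the param-delegate parameter used by Script 2.
$delegateParameterName = "param-delegate" # TODO: modify me
$ACCOUNTDISABLE = 0x2  # userAccountControl bit for a disabled account

function Test-DelegateAccount($delegate)
{
    # Returns $null when the object may receive the permissions, otherwise
    # the reason it was rejected. Only enabled user accounts are accepted, so
    # a picked group does not silently hand FullControl to all its members.
    if ($delegate.Class -ne "user")
    {
        return "object is of class '$($delegate.Class)', not a user account"
    }
    try
    {
        $uac = [int]$delegate.Get("userAccountControl")
    }
    catch
    {
        return "userAccountControl could not be read"
    }
    if (($uac -band $ACCOUNTDISABLE) -ne 0)
    {
        return "account is disabled"
    }
    return $null
}

function Get-ExplicitFullControlHolders($folderPath)
{
    # Lists the principals that hold an explicit (non-inherited) FullControl
    # allow ACE on the folder, as DOMAIN\name strings.
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl = Get-Acl -Path $folderPath
    $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq "Allow" -and ($_.FileSystemRights -band $full) -eq $full } |
        ForEach-Object { $_.IdentityReference.Value }
}

# Home folder of the target user, read the same way as in Script 2.
try
{
    $userShare = $Context.TargetObject.Get("homeDirectory")
}
catch
{
    $Context.LogMessage("The user does not have a home directory.", "Warning")
    return
}

# Validate the picked object before any ACL is modified.
$delegateDN = $Context.GetParameterValue($delegateParameterName)
$delegate = $Context.BindToObjectByDN($delegateDN)
$reason = Test-DelegateAccount $delegate
if ($null -ne $reason)
{
    $Context.LogMessage("Refusing to grant full control to '$delegateDN': $reason.", "Error")
    return
}

# Record the current explicit holders so the execution log shows the state before the grant.
$holders = @(Get-ExplicitFullControlHolders $userShare)
$Context.LogMessage("Explicit FullControl on '$userShare' before the change: " + ($holders -join ", "), "Information")

# The SetFullControlPermission call and the notification from Script 2 follow here.
```

The "before" list is written to the Adaxes execution log, so an administrator reviewing the custom command's history can see both which account was granted access and who already had it at the time.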
