Reputation: 157
I'm wanting to:
Here is what I have now after playing around a little bit, but I wanted to make sure I didn't miss anything. I've decided (for the time being) to leave out the param settings, but I can come back to that later. Does this look correct or is there a better way to write the script?
I've also run into a bunch of errors about unexpected
New-ADGroup
-Name "FS-$NAME-RW"
-SamAccountName "FS-"+$NAME+"-RW"
-GroupCategory Security
-GroupScope Global
-DisplayName "$NAME Read-Write Access"
-Path "CN=$LOCATION,CN=SECURITY GROUPS,CN=FILE SHARE GROUPS,DC=ESG,DC=INTL"
-Description "Members of this group have read-write access to the test share"
New-ADGroup
-Name "FS-$NAME-R"
-SamAccountName "FS-"+$NAME+"-R"
-GroupCategory Security
-GroupScope Global
-DisplayName "$NAME Read Access"
-Path "CN=$LOCATION,CN=SECURITY GROUPS,CN=FILE SHARE GROUPS,DC=ESG,DC=INTL"
-Description "Members of this group have read access to the test share"
# create new folder
New-Item -Path $Path -ItemType Directory
# get permissions
$acl = Get-Acl -Path $Path
#Get Security Groups
get-adobject -searchbase "CN=SECURITY GROUPS,CN=FILE SHARE GROUPS,DC=ESG,DC=INTL" -ldapfilter {(objectclass=group)}
# add a new permission
$acl.SetAccessRuleProtection($True, $False)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("esg.intl\Domain Admins","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("esg.intl\"FS-"+$NAME+"-R"","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("esg.intl\"FS-"+$NAME+"-RW"","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
# set new permissions
$acl | Set-Acl -Path $path
I'm also running into some errors and I'm not sure I understand how to fix them...
At C:\Users\A-Shane.Johnson\Desktop\ShareFolderCreation.ps1:44 char:96
+ ... " -ldapfilter {(objectclass=group)}
+ ~
Use `{ instead of { in variable names.
At C:\Users\A-Shane.Johnson\Desktop\ShareFolderCreation.ps1:55 char:82
+ ... ule("esg.intl\"FS-"+$NAME+"-R"","FullControl", "ContainerInherit, ObjectInherit" ...
+ ~~~~~~~~~~~~~~~~
Unexpected token 'FS-"+$NAME+"-R""' in expression or statement.
At C:\Users\A-Shane.Johnson\Desktop\ShareFolderCreation.ps1:55 char:82
+ ... ule("esg.intl\"FS-"+$NAME+"-R"","FullControl", "ContainerInherit, ObjectInherit" ...
+ ~
Missing closing ')' in expression.
At C:\Users\A-Shane.Johnson\Desktop\ShareFolderCreation.ps1:55 char:164
+ ... "None", "Allow")
+ ~
Unexpected token ')' in expression or statement.
At C:\Users\A-Shane.Johnson\Desktop\ShareFolderCreation.ps1:58 char:82
+ ... ule("esg.intl\"FS-"+$NAME+"-RW"","FullControl", "ContainerInherit, ObjectInherit ...
+ ~~~~~~~~~~~~~~~~~
Unexpected token 'FS-"+$NAME+"-RW""' in expression or statement.
At C:\Users\A-Shane.Johnson\Desktop\ShareFolderCreation.ps1:58 char:82
+ ... ule("esg.intl\"FS-"+$NAME+"-RW"","FullControl", "ContainerInherit, ObjectInherit ...
+ ~
Missing closing ')' in expression.
At C:\Users\A-Shane.Johnson\Desktop\ShareFolderCreation.ps1:58 char:165
+ ... "None", "Allow")
+ ~
Unexpected token ')' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : OpenBraceNeedsToBeBackTickedInVariableName
Upvotes: 1
Views: 3179
Reputation: 36297
Ok, so a couple things I see. First, string interpolation... Where you have:
"FS-"+$NAME+"-RW"
You can shorten that to simply:
"FS-$NAME-RW"
When a variable is found within double quotations like that it will try to expand the variable into a string automatically. I am not going to get into stipulations or rules, since I think that would only over-complicate this. Suffice it to say that this change alone, when applied to all instances where it can be in your script, will probably remove most of your errors. ...and possibly create new ones since several commands would then be correctly interpreted.
Next, command syntax. Your first two commands, unless you have escaped the new lines and that is simply not reflected in your question, are likely not going to execute as you would expect them. If you want to space out your parameters like you have I would suggest setting them up as hashtables, and then expanding the hashtable when executing the command. You can do that like this:
$GroupParams= @{
'Name' = "FS-$NAME-RW"
'SamAccountName' = "FS-$NAME-RW"
'GroupCategory' = "Security"
'GroupScope' = "Global"
'DisplayName' = "$NAME Read-Write Access"
'Path' = "CN=$LOCATION,CN=SECURITY GROUPS,CN=FILE SHARE GROUPS,DC=ESG,DC=INTL"
'Description' = "Members of this group have read-write access to the test share"
}
New-ADGroup @GroupParams
Your LDAPFilter line error, well, that line looks superfluous so I'd say comment it out and move on.
Please note that you are giving FullAccess rights to the Read group, you probably want to change that to ReadAndExecute.
Lastly, if you have trouble with your ACLs then I'll give you the same advice I give anybody when dealing with ACLs on file shares. Define your settings explicitly, then apply them as an access rule. I use the following as a template:
$Rights = [System.Security.AccessControl.FileSystemRights]"FullControl"
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit"
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount("IIS_IUSRS")
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($objUser, $Rights, $InheritanceFlag, $PropagationFlag, $objType)
$objACL = Get-ACL "C:\Temp"
$objACL.AddAccessRule($objACE)
Set-ACL "C:\Temp" $objACL
On a side note, you never really deal with the whole network share thing of declaring a share name and what not. You may want to run get-help New-SMBShare -Full to get more info on setting up the network share.
Upvotes: 2
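As an added example (not the asker's script or the answerer's template), here is the procedure from this thread written out end to end: splatting for New-ADGroup, ReadAndExecute instead of FullControl for the read group, an explicit ACL with inheritance disabled, and a final Get-Acl so the result can be checked. It assumes the ActiveDirectory module, the container DN and domain from the question, and an account that may create groups there and set ACLs on the target folder; the parameter names and the SID-based grants are my choices, not something the page specifies.

```powershell
# Added example, not the thread's code. Assumes the ActiveDirectory module and the container DN from the question.
param(
    [Parameter(Mandatory)][string]$Name,
    [Parameter(Mandatory)][string]$Location,
    [Parameter(Mandatory)][string]$Path
)
Import-Module ActiveDirectory
$container = "CN=$Location,CN=SECURITY GROUPS,CN=FILE SHARE GROUPS,DC=ESG,DC=INTL"

# One table drives both groups: name suffix, display label, and the NTFS rights each gets.
# The read group gets ReadAndExecute, not the FullControl the original script granted it.
$groups = @(
    @{ Suffix = 'RW'; Label = 'Read-Write'; Rights = [System.Security.AccessControl.FileSystemRights]::Modify }
    @{ Suffix = 'R';  Label = 'Read';       Rights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute }
)

# Start from an explicit ACL: disable inheritance and drop the inherited ACEs, so every grant on
# the share root is one this script wrote. Administrative access must then be re-added by hand.
New-Item -Path $Path -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$full      = [System.Security.AccessControl.FileSystemRights]::FullControl

# Grant domain principals by SID rather than by name: a group created moments ago may not
# yet resolve by name on the file server, and a name-based grant would then fail.
foreach ($admin in 'BUILTIN\Administrators', (Get-ADGroup 'Domain Admins').SID) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($admin, $full, $inherit, $propagate, $allow)))
}

foreach ($g in $groups) {
    $groupParams = @{
        Name           = "FS-$Name-$($g.Suffix)"
        SamAccountName = "FS-$Name-$($g.Suffix)"
        GroupCategory  = 'Security'
        GroupScope     = 'Global'
        DisplayName    = "$Name $($g.Label) Access"
        Path           = $container
        Description    = "Members of this group have $($g.Label.ToLower()) access to the $Name share"
        PassThru       = $true
    }
    $sid = (New-ADGroup @groupParams).SID
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $g.Rights, $inherit, $propagate, $allow)))
}
Set-Acl -Path $Path -AclObject $acl

# Post-check: show what actually landed, so an over-broad grant cannot slip through unnoticed.
(Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
```

Because SetAccessRuleProtection($true, $false) removes the inherited entries, the two administrative grants are the only thing keeping admins on the folder; the final table should list exactly four allow entries and nothing marked IsInherited.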