Tags: powershell, active-directory, windows-server-2016, home-directory, network-shares

Why can't I map a drive for users that were created by a PowerShell script?


I tried to automatically map a drive for users using a PowerShell script.

The script creates the user with this command:

New-ADUser -Name $userName -GivenName $userName -Surname $userName -DisplayName $userName -Path "OU=Eng,DC=lovely,DC=Local" -SamAccountName $userName -AccountPassword (ConvertTo-SecureString $pass -AsPlainText -Force) -UserPrincipalName ($userName + '@lovely.local') -Enable $true -HomeDrive 'H:' -HomeDirectory "\\DC01\Private\$userName"

The user is created, but when I log on to the user account the drive isn't mapped, and the user folder inside the "Private" share isn't created.

Then I tried to manually map it from the client and I get this error message:

The mapped drive could not be created because the following error has occurred: The specified network resource or drive is no longer available

So I created the user folder on the server (path: C:\Private\user1), and now I can map it manually.

So I disconnected the drive, opened the user's profile tab (AD Users and Computers → OU → user1 → Profile) and manually typed the same path again:

\\DC01\Private\user1

and the drive is mapped once I log on again!

Why is that happening?

  • The server (2016 Standard) is installed as a VM on VirtualBox; the client is Windows 8, also a VM.
  • Windows Firewall is disabled, as is Windows Defender.
  • The Windows 8 machine is a member of the domain.
  • The "Private" share properties:

    Share permissions "\\DC01\Private": Authenticated Users (Full Control)

    NTFS permissions "C:\Private": SYSTEM (Full Control), Administrators (Full Control), CREATOR OWNER (Full Control, subfolders and files only), Authenticated Users (Full Control)

And again, when I create a new user manually the mapping process works just fine.

The complete script:

Import-Module ActiveDirectory

#-----------------#
# Global Var
#-----------------#
$pass = 'Pa$$w0rd'
$drive_letter = 'H:'
$dir_path = '\\DC01\Private'

#-----------------#
# Eng department
#-----------------#
$totalusers = 9
$uname = "Eng"
$ou = "Eng"

for ($i=0; $i -lt $totalusers; $i++) {
    $userID = "{0:00}" -f ($i + 1)
    $userName = "$uname$userID"
    Write-Host "Creating AD user" ($i + 1) "of" $totalusers ":" $userName
    New-ADUser -Name $userName -DisplayName $userName -Path "OU=$ou,DC=lovely,DC=Local" -SamAccountName $userName -AccountPassword (ConvertTo-SecureString $pass -AsPlainText -Force) -UserPrincipalName ($userName + '@lovely.local') -HomeDrive $drive_letter -HomeDirectory "$dir_path\$userName" -Enable $true
}

Solution

  • As Rohin Sidharth and eckes wrote in the comments, the problem was solved when I created the directory for each user within my script. The GUI has some function that creates the folder once the user logs on for the first time.

    And now each user that logs on can see his home folder automatically.

    EDIT:

    I added a for loop to create each department directory. Now each user has access only to his own directory, inside a directory with his department's name (and only the department's users have access to that directory).

    # $dir is the share's local path on DC01 and $ous the department list;
    # the posted snippet does not define them, so both values are assumed here.
    $dir = 'C:\Private'
    $ous = 'Eng', 'Projects'

    foreach ($o in $ous) {

        Write-Host "Creating OU: " $o
        New-ADOrganizationalUnit -Name $o

        Write-Host "Create Group $o"
        New-ADGroup -Name "$o" -SamAccountName $o -GroupCategory Security -GroupScope Global -DisplayName "$o" -Path "CN=Users,DC=lovely,DC=local" -Description "$o department"

        # Create department dir
        New-Item -Path "$dir\$o" -ItemType Directory

        # Grant the department group Read/Write/Traverse on the folder and on
        # everything created inside it. With InheritanceFlags::None the ACE
        # would apply to the folder itself only (.NET drops PropagationFlags
        # when no inheritance flag is set), so the contents would not be covered.
        $colRights = [System.Security.AccessControl.FileSystemRights]"Read, Write, Traverse"
        $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
        $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
        $objType = [System.Security.AccessControl.AccessControlType]::Allow
        $objUser = New-Object System.Security.Principal.NTAccount("$o")
        $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
        $objACL = Get-ACL "$dir\$o"
        $objACL.AddAccessRule($objACE)
        Set-ACL "$dir\$o" $objACL
    }

    Here I create the users in one department, for example:

    $totalusers = 6
    $uname = "Manager"
    $ou = "Projects"
    for ($i=0; $i -lt $totalusers; $i++) {
        $userID = "{0:00}" -f ($i + 1)
        $userName = "$uname$userID"
        Write-Host "Creating AD user" ($i + 1) "of" $totalusers ":" $userName

        # create user folder inside the share
        CreateUserHomeDir -dir $dir -ou $ou -userName $userName
        New-ADUser -Name $userName -DisplayName $userName -Path "OU=$ou,DC=lovely,DC=Local" -SamAccountName $userName -AccountPassword (ConvertTo-SecureString $pass -AsPlainText -Force) `
            -UserPrincipalName ($userName + '@lovely.local') -Enabled $true -HomeDrive $drive_letter -HomeDirectory "$dir_path\$ou\$userName"

        # grant the user rights on the folder (after New-ADUser, so the account name resolves)
        SetDirPermissions -ou $ou -userName $userName -dir $dir

        # add to group
        AddToGroup -groupName $ou -userName $userName
    }
    

    Functions:

    # Define these functions above the loops that call them: PowerShell
    # resolves a function name when the call runs, so a definition that
    # appears later in the script is not yet known at that point.
    function AddToGroup ($groupName, $userName) {
        Add-ADGroupMember -Identity $groupName -Members $userName
    }

    function CreateUserHomeDir ($dir, $ou, $userName) {
        New-Item -Path "$dir\$ou\$userName" -ItemType Directory
    }

    function SetDirPermissions ($ou, $userName, $dir) {
        # The ACE must inherit to subfolders and files; with
        # InheritanceFlags::None it would cover the home folder itself only
        # (.NET drops PropagationFlags when no inheritance flag is set).
        $colRights = [System.Security.AccessControl.FileSystemRights]"Read, Write, Traverse"
        $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
        $PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
        $objType = [System.Security.AccessControl.AccessControlType]::Allow
        $objUser = New-Object System.Security.Principal.NTAccount("$userName")
        $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
        $objACL = Get-ACL "$dir\$ou\$userName"
        $objACL.AddAccessRule($objACE)
        Set-ACL "$dir\$ou\$userName" $objACL
    }
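The following is an added example, not code from the question or from the answer above. It puts the two findings of this thread together: New-ADUser only writes the homeDrive/homeDirectory attributes and never creates the folder (which is why the client reported the resource as "no longer available" until the folder existed), and the ADUC Profile tab creates the folder with an ACL for the user when you type the path by hand. The example does the same in the script, but cuts inheritance from the share root so the root's "Authenticated Users: Full Control" entry does not flow into every home folder, and references the new account by SID rather than by name. Assumed, because the page does not state them: the script runs on DC01 as a domain administrator, C:\Private is the local path behind \\DC01\Private, the target OU already exists, and the function names New-HomeUser and Set-HomeDirectoryAcl are my own.

```powershell
# Added example (not code from the original post). Creates the home folder that
# New-ADUser does not create, with a least-privilege NTFS ACL, so the UNC in the
# user's profile is reachable at first logon.
# Assumed: runs on DC01 as a domain admin; C:\Private is the local path behind
# \\DC01\Private; the OU given to New-HomeUser already exists.
Import-Module ActiveDirectory

$ShareLocalPath = 'C:\Private'      # local folder behind the share (assumed)
$ShareUncPath   = '\\DC01\Private'  # what goes into the AD homeDirectory attribute
$DomainDn       = 'DC=lovely,DC=local'

function Set-HomeDirectoryAcl {
    # Replace the inherited ACL of $Path with: SYSTEM and Administrators
    # (Full Control) plus the user (Modify), all inherited by subfolders and files.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $UserSid
    )
    $acl = Get-Acl -LiteralPath $Path
    # Cut inheritance from C:\Private. Without this the root's
    # "Authenticated Users: Full Control" entry flows into every home folder and
    # any domain account can read every other user's files.
    # ($true = protect from inheritance, $false = do not keep copies of the inherited entries)
    $acl.SetAccessRuleProtection($true, $false)

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $entries = @(
        @{ Id = [System.Security.Principal.NTAccount]'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'; Rights = 'FullControl' },
        # Modify, not Full Control: the user can create, change and delete files
        # but cannot re-ACL the folder or grant access to anyone else.
        @{ Id = $UserSid;                                                      Rights = 'Modify' }
    )
    foreach ($e in $entries) {
        $rights = [System.Security.AccessControl.FileSystemRights]$e.Rights
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                           -ArgumentList $e.Id, $rights, $inherit, $propagate, $allow
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function New-HomeUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $OuName,
        [Parameter(Mandatory)] [securestring] $InitialPassword
    )
    $unc = "$ShareUncPath\$SamAccountName"

    # 1. Create the account first and keep the object: its SID is what the ACL
    #    references, so there is no name lookup of a just-created account.
    #    ChangePasswordAtLogon keeps the bootstrap password from becoming permanent.
    $user = New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@lovely.local" `
        -Path "OU=$OuName,$DomainDn" `
        -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $true `
        -HomeDrive 'H:' -HomeDirectory $unc -PassThru

    # 2. Now the folder New-ADUser never creates, with its ACL.
    $local = Join-Path $ShareLocalPath $SamAccountName
    if (-not (Test-Path -LiteralPath $local)) {
        New-Item -Path $local -ItemType Directory | Out-Null
    }
    Set-HomeDirectoryAcl -Path $local -UserSid $user.SID

    # 3. Check what the client will try at logon: the UNC must resolve through
    #    the share, and the DACL should hold exactly the three explicit entries.
    if (-not (Test-Path -LiteralPath $unc)) {
        throw "Home directory $unc is not reachable through the share"
    }
    (Get-Acl -LiteralPath $unc).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags
}

# Usage (the same call inside the question's for loop handles a whole department):
$bootstrap = Read-Host -Prompt 'Initial password' -AsSecureString
New-HomeUser -SamAccountName 'Eng01' -OuName 'Eng' -InitialPassword $bootstrap
```

The share permission in the question (Authenticated Users: Full Control) can stay as it is, because the effective access is the intersection of share and NTFS permissions and the NTFS DACL written here is the restrictive one; with inheritance cut, the only principals that can open a home folder are SYSTEM, Administrators and its owner. The final Get-Acl listing is the check to run when a mapping still fails: every entry should show IsInherited = False, and the user's entry should carry ContainerInherit, ObjectInherit so files created under H: are covered too.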