In our company a user’s home directory is created through a script. Unfortunately, the script had been somewhat broken for at least a few months. Home directories created during that time have wrong permissions and need to be fixed.
With hundreds of home directories this needs to be scripted – so I thought why not use Pester for that.
```
Describing Tests ACL of [\\homedrive\home$\jsp\]
   Context jsp
    [+] ACL should contain only 3 ACEs 66ms
    [+] ACL should contain [mydomain\fileradmins] 14ms
    [+] ACL should contain [mydomain\Domain-Admins] 13ms
    [+] ACL should contain [mydomain\jsp] 14ms
Describing Tests ACL of [\\homedrive\home$\jsp\MyScans]
   Context jsp
    [+] [\\homedrive\home$\jsp\MyScans] should exist 83ms
    [+] ACL should contain only 4 ACEs 9ms
    [+] ACL should contain [mydomain\printerserviceaccount] 15ms
Tests completed in 219ms
Passed: 7 Failed: 0 Skipped: 0 Pending: 0

Describing Tests ACL of [\\homedrive\home$\pfisterer\]
   Context pfisterer
    [-] ACL should contain only 3 ACEs 65ms
      Expected: {3}
      But was: {4}
      at line: 10 in \\homedrive\home$\megamorf\gitlab\HomedrivePermissions\HomedrivePermissions.Tests.ps1
      10: $Acl.Access.Count | Should Be 3
    [-] ACL should contain [mydomain\fileradmins] 14ms
      Expected: {FullControl}
      But was: {}
      at line: 18 in \\homedrive\home$\megamorf\gitlab\HomedrivePermissions\HomedrivePermissions.Tests.ps1
      18: $ACE.FileSystemRights | Should Be 'FullControl'
    [-] ACL should contain [mydomain\Domain-Admins] 13ms
      Expected: {FullControl}
      But was: {}
      at line: 30 in \\homedrive\home$\megamorf\gitlab\HomedrivePermissions\HomedrivePermissions.Tests.ps1
      30: $ACE.FileSystemRights | Should Be 'FullControl'
    [-] ACL should contain [mydomain\pfisterer] 14ms
      Expected: {Modify, Synchronize}
      But was: {}
      at line: 42 in \\homedrive\home$\megamorf\gitlab\HomedrivePermissions\HomedrivePermissions.Tests.ps1
      42: $ACE.FileSystemRights | Should Be 'Modify, Synchronize'
Describing Tests ACL of [\\homedrive\home$\pfisterer\MyScans]
   Context pfisterer
    [+] [\\homedrive\home$\pfisterer\MyScans] should exist 110ms
    [-] ACL should contain only 4 ACEs 10ms
      Expected: {4}
      But was: {5}
      at line: 66 in \\homedrive\home$\megamorf\gitlab\HomedrivePermissions\HomedrivePermissions.Tests.ps1
      66: $Acl.Access.Count | Should Be 4
    [+] ACL should contain [mydomain\printerserviceaccount] 16ms
Tests completed in 244ms
Passed: 2 Failed: 5 Skipped: 0 Pending: 0
```
By default our home directories have Access Control Entries (ACEs) for the domain admins and storage admins groups with full access and the respective user account with modify permissions. For our printers’ “scan to home directory”-feature we have to ensure that a folder called MyScans exists in the user’s home directory. That folder needs an additional ACE of the printing service account with write permissions.
```powershell
param($samaccountname)

# Home directory: exactly three explicit ACEs (storage admins, domain admins, the user)
Describe "Tests ACL of [\\homedrive\home$\$samaccountname\]" {
    $ACL = Get-ACL "\\homedrive\home$\$samaccountname\"
    Context "$samaccountname" {
        It 'ACL should contain only 3 ACEs' {
            $Acl.Access.Count | Should Be 3
        }
        It 'ACL should contain [mydomain\fileradmins]' {
            $ACE = $ACL.Access | where {$_.IdentityReference -Like 'mydomain\fileradmins'}
            # Must be BeNullOrEmpty: 'Should Not Be Null' compares against the
            # string 'Null' and passes even when no ACE matched
            $ACE | Should Not BeNullOrEmpty
            $ACE.FileSystemRights | Should Be 'FullControl'
            $ACE.AccessControlType | Should Be 'Allow'
            $ACE.IsInherited | Should Be $False
            $ACE.InheritanceFlags | Should Be 'ContainerInherit, ObjectInherit'
            $ACE.PropagationFlags | Should Be 'None'
        }
        It 'ACL should contain [mydomain\Domain-Admins]' {
            $ACE = $ACL.Access | where {$_.IdentityReference -Like 'mydomain\Domain-Admins'}
            $ACE | Should Not BeNullOrEmpty
            $ACE.FileSystemRights | Should Be 'FullControl'
            $ACE.AccessControlType | Should Be 'Allow'
            $ACE.IsInherited | Should Be $False
            $ACE.InheritanceFlags | Should Be 'ContainerInherit, ObjectInherit'
            $ACE.PropagationFlags | Should Be 'None'
        }
        It "ACL should contain [mydomain\$samaccountname]" {
            $ACE = $ACL.Access | where {$_.IdentityReference -Like "mydomain\$samaccountname"}
            $ACE | Should Not BeNullOrEmpty
            $ACE.FileSystemRights | Should Be 'Modify, Synchronize'
            $ACE.AccessControlType | Should Be 'Allow'
            $ACE.IsInherited | Should Be $False
            $ACE.InheritanceFlags | Should Be 'ContainerInherit, ObjectInherit'
            $ACE.PropagationFlags | Should Be 'None'
        }
    }
}

# MyScans subfolder: the three ACEs above plus the printing service account
Describe "Tests ACL of [\\homedrive\home$\$samaccountname\MyScans]" {
    $ScanDir = "\\homedrive\home$\$samaccountname\MyScans"
    # A missing folder leaves $ACL empty, so the tests below fail instead of throwing here
    $ACL = Get-ACL $ScanDir -ErrorAction SilentlyContinue
    Context "$samaccountname" {
        It "[\\homedrive\home$\$samaccountname\MyScans] should exist" {
            Test-Path $ScanDir | Should Be $true
        }
        It 'ACL should contain only 4 ACEs' {
            $Acl.Access.Count | Should Be 4
        }
        It 'ACL should contain [mydomain\printerserviceaccount]' {
            $ACE = $ACL.Access | where {$_.IdentityReference -Like 'mydomain\printerserviceaccount'}
            $ACE | Should Not BeNullOrEmpty
            $ACE.FileSystemRights | Should Be 'Write, Synchronize'
            $ACE.AccessControlType | Should Be 'Allow'
            $ACE.IsInherited | Should Be $False
            $ACE.InheritanceFlags | Should Be 'ContainerInherit, ObjectInherit'
            $ACE.PropagationFlags | Should Be 'None'
        }
    }
}
```
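To audit hundreds of home directories in one pass, the `param($samaccountname)` at the top of the test file can be supplied through the `-Script` hashtable of `Invoke-Pester`. The driver below is an added example, not part of the original script: it assumes every folder under `\\homedrive\home$` is named after its sAMAccountName, that the test file is saved beside it as `HomedrivePermissions.Tests.ps1`, and that Pester 3/4 is installed; the CSV file name is hypothetical. Because the count tests only report "4 instead of 3", it also names the identities that do not belong on a failing home directory.

```powershell
# Added example: run the test file against every home directory and report failures.
# Assumptions: folder name = sAMAccountName; Pester 3/4 (legacy Should syntax).
$HomeRoot = '\\homedrive\home$'
$TestFile = Join-Path $PSScriptRoot 'HomedrivePermissions.Tests.ps1'
$Report   = Join-Path $PSScriptRoot 'HomedrivePermissions-failures.csv'  # hypothetical name

$failures = @(foreach ($dir in Get-ChildItem -Path $HomeRoot -Directory) {
    $user = $dir.Name
    $run  = Invoke-Pester -Script @{
        Path       = $TestFile
        Parameters = @{ samaccountname = $user }
    } -PassThru
    if ($run.FailedCount -eq 0) { continue }

    # Identities on the home directory that are not in the expected set of three
    $expected = 'mydomain\fileradmins', 'mydomain\Domain-Admins', "mydomain\$user"
    $extra = @((Get-Acl -LiteralPath $dir.FullName).Access |
        Where-Object { $expected -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            '{0} ({1}, inherited={2})' -f $_.IdentityReference, $_.FileSystemRights, $_.IsInherited
        })

    # One report row per failed test
    foreach ($t in @($run.TestResult | Where-Object { -not $_.Passed })) {
        [pscustomobject]@{
            Account        = $user
            Describe       = $t.Describe
            Test           = $t.Name
            Message        = $t.FailureMessage
            UnexpectedACEs = $extra -join '; '
        }
    }
})

if ($failures.Count -gt 0) {
    $failures | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
}
$accounts = @($failures | Select-Object -ExpandProperty Account -Unique)
'{0} failed test(s) across {1} home directories' -f $failures.Count, $accounts.Count
```

The script only reads ACLs, so it can run before and after any repair to confirm that every directory passes.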