User directory creation
ADMan can create per-user directories in any number of base directories on remote SMB servers. It will configure permissions and can even create a default set of subdirectories.
Actions
For each configured userdirs entry, ADMan will:
- Create a directory under `basepath` for each user, as limited by the `only` specification
- Set the owner and group according to `owner` and `group`
- Add templated access control entries to the ACL according to `acl`
- Create a set of subdirectories under the user directory, and set the owner, group, and ACL
Configuration
userdirs is a list of entries, each (starting with a hyphen) with the following sub-keys:

| Config Key | Type | Default | Description |
|---|---|---|---|
| basepath | string | (required) | UNC path of the directory in which to create each userdir |
| only | | | LDAP containers for which userdir creation will be limited |
| owner | string | None | The user account name to set as the owner of each userdir. If None, left as-is after creation. Can include template variables: ${user} |
| group | string | None | The group account name to set as the group of each userdir. If None, left as-is after creation. Can include template variables: ${user} |
| acl | list<tmpl_ace> | (empty) | A list of access control entries. Can include template variables: ${user} |
| subdirs | list<subdir> | (empty) | A list of additional subdirectories to create in each user's directory |
subdir (each entry of subdirs) – A mapping with the following sub-keys:

| Config Key | Type | Default | Description |
|---|---|---|---|
| name | string | (required) | Name of the directory to create (in each user directory) |
| acl | list<tmpl_ace> | (empty) | A list of access control entries. Can include template variables: ${user} |
tmpl_ace – A string representing an Access Control List Entry (ACE), with the following format:

sid_or_name:type/flags/mask

- sid_or_name – Either a SID (e.g. S-1-5-21-1004336348-1177238915-682003330-512) or principal name (e.g. Domain Users), to which the ACE applies. Can include template variables: ${user}
- type – The type of ACE (see ACE_HEADER)
  - 0 – Access Allowed (typical ACE usage)
  - 1 – Access Denied
- flags – A decimal integer of ACE flags which can be ORed together (see ACE_HEADER). The individual flag values are listed here in hex, but the configured value is written in decimal:
  - 0x01 – OBJECT_INHERIT
  - 0x02 – CONTAINER_INHERIT
  - 0x04 – NO_PROPAGATE_INHERIT
  - 0x08 – INHERIT_ONLY

  Example: 11 (OBJECT_INHERIT | CONTAINER_INHERIT | INHERIT_ONLY)
- mask – A hexadecimal integer of access flags which can be ORed together (see ACCESS_MASK)
  - 0x00000001 – File: Read data / Directory: List
  - 0x00000002 – File: Write data / Directory: Add file
  - 0x00000004 – File: Append data / Directory: Add subdirectory
  - 0x00000008 – File/Directory: Read extended attributes
  - 0x00000010 – File/Directory: Write extended attributes
  - 0x00000020 – File: Execute / Directory: Traverse
  - 0x00000040 – Directory: Delete child
  - 0x00000080 – File/Directory: Read attributes
  - 0x00000100 – File/Directory: Write attributes
  - 0x00010000 – Delete an object
  - 0x00020000 – Read the security descriptor of an object
  - 0x00040000 – Change the access control list of an object
  - 0x00080000 – Change the owner of an object
  - 0x00100000 – Synchronize or wait on the object

  Common combinations:
  - 0x00120089 – SEC_RIGHTS_FILE_READ / SEC_RIGHTS_DIR_READ
  - 0x001200a0 – SEC_RIGHTS_FILE_EXECUTE / SEC_RIGHTS_DIR_EXECUTE
  - 0x00120116 – SEC_RIGHTS_FILE_WRITE / SEC_RIGHTS_DIR_WRITE
  - 0x001f01ff – SEC_RIGHTS_FILE_ALL / SEC_RIGHTS_DIR_ALL
Example configuration

```yaml
userdirs:
  # basepath is the directory in which to create each userdir
  - basepath: '//dc1.ad-test.vx/netlogon/users/'
    # Limit to these users
    only:
      OU=ADTest People:
        scope: one
    # owner is the account name to set as the owner of each userdir
    owner: Fileshare Owner
    group: Storage Admins
    acl:
      - "${user}:0/0/0x001201ff"       # Basically everything but delete
      - "${user}:0/11/0x001f01ff"      # Everything (inherit only)
      - "Domain Users:0/0/0x001200a9"  # Users can... traverse? (Requires access-based enumeration)
    # additional subdirectories to create in each user's directory
    # owner and group are inherited from above
    subdirs:
      - name: 'public'
        acl:
          - "${user}:0/0/0x001f01ff"       # Everything
          - "Domain Users:0/0/0x001200a9"  # TODO
```
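The tmpl_ace format and the example configuration above can be checked before a run by decoding each entry into named flag and mask bits. The following is an added example, not ADMan's own code: it parses `sid_or_name:type/flags/mask` strings with the bit names from this page, and adds a hypothetical lint (`risky_grants`, not an ADMan feature) that reports allow ACEs granting delete, ACL-change or owner-change rights to anyone other than the directory's own user.

```python
import string
# Bit names below are the ones listed in the tmpl_ace description on this page.
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED"}
ACE_FLAGS = {0x01: "OBJECT_INHERIT", 0x02: "CONTAINER_INHERIT",
             0x04: "NO_PROPAGATE_INHERIT", 0x08: "INHERIT_ONLY"}
ACCESS_MASK = {
    0x00000001: "READ_DATA/LIST", 0x00000002: "WRITE_DATA/ADD_FILE",
    0x00000004: "APPEND_DATA/ADD_SUBDIR", 0x00000008: "READ_EA",
    0x00000010: "WRITE_EA", 0x00000020: "EXECUTE/TRAVERSE",
    0x00000040: "DELETE_CHILD", 0x00000080: "READ_ATTRIBUTES",
    0x00000100: "WRITE_ATTRIBUTES", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
COMMON_MASKS = {0x00120089: "SEC_RIGHTS_FILE_READ", 0x001200a0: "SEC_RIGHTS_FILE_EXECUTE",
                0x00120116: "SEC_RIGHTS_FILE_WRITE", 0x001f01ff: "SEC_RIGHTS_FILE_ALL"}
KNOWN_MASK_BITS = sum(ACCESS_MASK)
# Hypothetical lint policy (not an ADMan rule): rights that remove or take over the directory.
TAKEOVER_BITS = 0x00010000 | 0x00040000 | 0x00080000

def parse_tmpl_ace(ace, user):
    """Expand ${user}, then split 'sid_or_name:type/flags/mask' into named fields."""
    expanded = string.Template(ace).substitute(user=user)
    who, sep, rest = expanded.rpartition(":")  # split on the last ':' (SIDs contain none)
    fields = rest.split("/")
    if not sep or not who or len(fields) != 3:
        raise ValueError(f"bad tmpl_ace {ace!r}: expected sid_or_name:type/flags/mask")
    ace_type, flags, mask = int(fields[0]), int(fields[1]), int(fields[2], 16)  # flags decimal, mask hex
    if ace_type not in ACE_TYPES or flags & ~0x0F or mask & ~KNOWN_MASK_BITS:
        raise ValueError(f"bad tmpl_ace {ace!r}: unknown type, flag or mask bits")
    return {"who": who, "type": ACE_TYPES[ace_type], "mask": mask,
            "flags": [n for b, n in ACE_FLAGS.items() if flags & b],
            "rights": [n for b, n in ACCESS_MASK.items() if mask & b],
            "common": COMMON_MASKS.get(mask)}

def risky_grants(aces, user):
    """List (principal, rights) for allow ACEs that hand DELETE, WRITE_DAC or WRITE_OWNER
    to a principal other than the user whose directory is being created."""
    hits = []
    for p in (parse_tmpl_ace(a, user) for a in aces):
        risky = p["mask"] & TAKEOVER_BITS
        if p["type"] == "ACCESS_ALLOWED" and p["who"] != user and risky:
            hits.append((p["who"], [n for b, n in ACCESS_MASK.items() if risky & b]))
    return hits

# Constructed sample: the acl list from the example configuration above, for user "jdoe".
SAMPLE_ACL = ["${user}:0/0/0x001201ff", "${user}:0/11/0x001f01ff", "Domain Users:0/0/0x001200a9"]
if __name__ == "__main__":
    print(risky_grants(SAMPLE_ACL + ["Helpdesk:0/0/0x001f01ff"], "jdoe"))
```

Decoding `0x001201ff` this way shows that the "everything but delete" entry also withholds WRITE_DAC and WRITE_OWNER, which is what keeps the user from loosening their own directory's ACL.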
Commands
Relevant CLI commands: