# User directory creation

ADMan can create per-user directories in any number of base directories on remote SMB servers. It will configure permissions and can even create a default set of subdirectories.
## Actions

For each configured `userdirs` entry, ADMan will:

- Create a directory under `basepath` for each user, as limited by the `only` specification
- Set the owner and group according to `owner` and `group`
- Add templated access control entries to the ACL according to `acl`
- Create a set of subdirectories under the user directory, and set the owner, group, and ACL
## Configuration

`userdirs` is a list of entries, each (starting with a hyphen) with the following sub-keys:

| Config Key | Type | Default | Description |
|---|---|---|---|
| `basepath` | string | (required) | UNC path of the directory in which to create each userdir |
| `only` | | | LDAP containers for which userdir creation will be limited |
| `owner` | string | None | The user account name to set as the owner of each userdir. If None, left as-is after creation. Can include template variables: `${user}` |
| `group` | string | None | The group account name to set as the group of each userdir. If None, left as-is after creation. Can include template variables: `${user}` |
| `acl` | list<tmpl_ace> | (empty) | A list of access control entries. Can include template variables: `${user}` |
| `subdirs` | list<subdir> | (empty) | A list of additional subdirectories to create in each user's directory |
`subdir` – Each item of `subdirs` is a mapping with the following sub-keys:

| Config Key | Type | Default | Description |
|---|---|---|---|
| `name` | string | (required) | Name of the directory to create (in each user directory) |
| `acl` | list<tmpl_ace> | (empty) | A list of access control entries. Can include template variables: `${user}` |
`tmpl_ace` – A string representing an Access Control List Entry (ACE), with the following format:

```
sid_or_name:type/flags/mask
```

- `sid_or_name` – Either a SID (e.g. `S-1-5-21-1004336348-1177238915-682003330-512`) or a principal name (e.g. `Domain Users`) to which the ACE applies. Can include template variables: `${user}`
- `type` – The type of ACE (see ACE_HEADER)
  - `0` – Access Allowed (typical ACE usage)
  - `1` – Access Denied
- `flags` – A decimal integer of ACE flags which can be ORed together (see ACE_HEADER)
  - `0x01` – OBJECT_INHERIT
  - `0x02` – CONTAINER_INHERIT
  - `0x04` – NO_PROPAGATE_INHERIT
  - `0x08` – INHERIT_ONLY

  Example: `11` (OBJECT_INHERIT | CONTAINER_INHERIT | INHERIT_ONLY, i.e. 0x01 | 0x02 | 0x08 written in decimal)
- `mask` – A hexadecimal integer of access flags which can be ORed together (see ACCESS_MASK)
  - `0x00000001` – File: Read data / Directory: List
  - `0x00000002` – File: Write data / Directory: Add file
  - `0x00000004` – File: Append data / Directory: Add subdirectory
  - `0x00000008` – File/Directory: Read extended attributes
  - `0x00000010` – File/Directory: Write extended attributes
  - `0x00000020` – File: Execute / Directory: Traverse
  - `0x00000040` – Directory: Delete child
  - `0x00000080` – File/Directory: Read attributes
  - `0x00000100` – File/Directory: Write attributes
  - `0x00010000` – Delete an object
  - `0x00020000` – Read the security descriptor of an object
  - `0x00040000` – Change the access control list of an object
  - `0x00080000` – Change the owner of an object
  - `0x00100000` – Synchronize or wait on the object

  Common combinations:
  - `0x00120089` – SEC_RIGHTS_FILE_READ / SEC_RIGHTS_DIR_READ
  - `0x001200a0` – SEC_RIGHTS_FILE_EXECUTE / SEC_RIGHTS_DIR_EXECUTE
  - `0x00120116` – SEC_RIGHTS_FILE_WRITE / SEC_RIGHTS_DIR_WRITE
  - `0x001f01ff` – SEC_RIGHTS_FILE_ALL / SEC_RIGHTS_DIR_ALL
## Example configuration

```yaml
userdirs:
  # basepath is the directory in which to create each userdir
  - basepath: '//dc1.ad-test.vx/netlogon/users/'
    # Limit to these users
    only:
      OU=ADTest People:
        scope: one
    # owner is the account name to set as the owner of each userdir
    owner: Fileshare Owner
    group: Storage Admins
    acl:
      - "${user}:0/0/0x001201ff" # Basically everything but delete
      - "${user}:0/11/0x001f01ff" # Everything (inherit only)
      - "Domain Users:0/0/0x001200a9" # Users can... traverse? (Requires access-based enumeration)
    # additional subdirectories to create in each user's directory
    # owner and group are inherited from above
    subdirs:
      - name: 'public'
        acl:
          - "${user}:0/0/0x001f01ff" # Everything
          - "Domain Users:0/0/0x001200a9" # TODO
```
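As an added example (this is not ADMan's own code), the following Python parses `tmpl_ace` strings in the `sid_or_name:type/flags/mask` format described above, expands `${user}`, decodes the type, flags and mask into the names listed on this page, and rejects any bit the page does not define, so a typo in the config is caught before an ACL is written to the share. The sample ACL it runs on is the `acl` list from the example configuration, expanded here for a hypothetical user `jdoe`; the function names, the `Ace` dataclass and the `grants_control` helper are this example's own, not ADMan's.

```python
"""Parse and decode ADMan-style tmpl_ace strings: sid_or_name:type/flags/mask."""
from dataclasses import dataclass
from string import Template

# ACE types (ACE_HEADER), as listed on this page
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED"}

# ACE inheritance flags (ACE_HEADER); the config writes their OR in decimal
ACE_FLAGS = {
    0x01: "OBJECT_INHERIT",
    0x02: "CONTAINER_INHERIT",
    0x04: "NO_PROPAGATE_INHERIT",
    0x08: "INHERIT_ONLY",
}

# ACCESS_MASK bits; the config writes their OR in hexadecimal
ACCESS_MASK_BITS = {
    0x00000001: "READ_DATA / LIST_DIRECTORY",
    0x00000002: "WRITE_DATA / ADD_FILE",
    0x00000004: "APPEND_DATA / ADD_SUBDIRECTORY",
    0x00000008: "READ_EA",
    0x00000010: "WRITE_EA",
    0x00000020: "EXECUTE / TRAVERSE",
    0x00000040: "DELETE_CHILD",
    0x00000080: "READ_ATTRIBUTES",
    0x00000100: "WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# The "common combinations" from this page
COMMON_MASKS = {
    0x00120089: "SEC_RIGHTS_FILE_READ / SEC_RIGHTS_DIR_READ",
    0x001200A0: "SEC_RIGHTS_FILE_EXECUTE / SEC_RIGHTS_DIR_EXECUTE",
    0x00120116: "SEC_RIGHTS_FILE_WRITE / SEC_RIGHTS_DIR_WRITE",
    0x001F01FF: "SEC_RIGHTS_FILE_ALL / SEC_RIGHTS_DIR_ALL",
}

KNOWN_FLAG_BITS = sum(ACE_FLAGS)        # 0x0f
KNOWN_MASK_BITS = sum(ACCESS_MASK_BITS)  # 0x001f01ff


@dataclass(frozen=True)
class Ace:
    principal: str  # SID or account name, with ${user} already expanded
    ace_type: int
    flags: int
    mask: int


def parse_ace(entry: str, user: str) -> Ace:
    """Expand ${user} and split the entry into its fields, validating every bit."""
    expanded = Template(entry).substitute(user=user)  # KeyError on unknown variables
    # type/flags/mask never contain ':', so split on the last one to keep names intact
    principal, sep, rest = expanded.rpartition(":")
    if not sep or not principal:
        raise ValueError(f"missing ':' separator in ACE {entry!r}")
    parts = rest.split("/")
    if len(parts) != 3:
        raise ValueError(f"expected type/flags/mask in ACE {entry!r}")
    ace_type = int(parts[0], 10)
    flags = int(parts[1], 10)  # decimal, per the page (11 == 0x01|0x02|0x08)
    mask = int(parts[2], 16)   # hexadecimal, with or without the 0x prefix
    if ace_type not in ACE_TYPES:
        raise ValueError(f"unknown ACE type {ace_type} in {entry!r}")
    if flags & ~KNOWN_FLAG_BITS:
        raise ValueError(f"unknown ACE flag bits 0x{flags & ~KNOWN_FLAG_BITS:x} in {entry!r}")
    if mask & ~KNOWN_MASK_BITS:
        raise ValueError(f"unknown access mask bits 0x{mask & ~KNOWN_MASK_BITS:08x} in {entry!r}")
    return Ace(principal, ace_type, flags, mask)


def is_valid_ace(entry: str, user: str) -> bool:
    """True if the entry parses cleanly; False for malformed text or undefined bits."""
    try:
        parse_ace(entry, user)
    except (ValueError, KeyError):
        return False
    return True


def flag_names(flags: int) -> list:
    return [name for bit, name in sorted(ACE_FLAGS.items()) if flags & bit]


def mask_names(mask: int) -> list:
    return [name for bit, name in sorted(ACCESS_MASK_BITS.items()) if mask & bit]


def describe(ace: Ace) -> str:
    """Readable rendering; names a common combination when the mask is exactly one."""
    rights = COMMON_MASKS.get(ace.mask) or ", ".join(mask_names(ace.mask))
    inherit = " | ".join(flag_names(ace.flags)) or "(no inheritance flags)"
    return f"{ACE_TYPES[ace.ace_type]} {ace.principal}: {rights} [{inherit}]"


def grants_control(ace: Ace) -> bool:
    """True if an allow ACE includes WRITE_DAC or WRITE_OWNER, i.e. lets the principal re-permission the object."""
    return ace.ace_type == 0 and bool(ace.mask & (0x00040000 | 0x00080000))


if __name__ == "__main__":
    # Constructed sample: the acl list from the example configuration above, for one user
    sample_acl = [
        "${user}:0/0/0x001201ff",
        "${user}:0/11/0x001f01ff",
        "Domain Users:0/0/0x001200a9",
    ]
    for item in sample_acl:
        ace = parse_ace(item, user="jdoe")
        print(describe(ace), "<- can change ACL/owner" if grants_control(ace) else "")
```

Running the script prints one decoded line per entry; `grants_control` flags the second entry, because `0x001f01ff` includes WRITE_DAC and WRITE_OWNER, which is worth knowing when reviewing which ACEs a config hands to non-owner principals.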
## Commands

Relevant CLI commands: