First off I apologise if this is in the wrong section.
As some of you know I inherited the school network a little over a year ago. I've not done any work on the servers as such, but concentrated on bringing the infrastructure up to spec as it's been left for 6 years. I'm now in a position to start sorting out the servers to meet my needs and, moreover, the school's needs.
That's where the problems start. The first task I want to do is sort out the students' home directories. At the moment the students have to locate their own directory via My Computer - P Drive - Users and then find their own folder. I don't find this acceptable now.
So, my question is what is the easiest method of organising the students into their own folders while retaining their permissions. E.g. I would like to use the current naming method so that student A (e.g. JDoe10) who finishes their GCSEs in 2010 will be in a folder called Students2010. I then want that student to be able to access their own directory through the My Documents folder on the desktop (which if I remember correctly is done through GPO, but I would like some help on that as well).
Ultimately I want to hide the students' folders from anyone browsing for them via the old method if possible as well, but that is not too urgent.
If you just copy and paste the folders into the correct locations it should keep the ACLs as they are; if not, I'd set up a script to re-apply the correct perms. Then it's a case of using GPOs to redirect to My Docs etc. The way I've done it is to set up security groups for each year group, then set up redirection based on the group, i.e. any student within group Students2010 would have their My Docs redirected to \\server\users$\students2010\%username%
If the only access they have to their folder is via my docs they won't be able to see or access any folder below their own, this is also the case for mapped home drives.
Go to Group Policy, set up a new GPO or alter the existing setup. Within the GPO go to User Configuration, Redirected Folders, My Documents. Right click this, and set up the redirection as 'Basic', with 'Create a folder under the root path'. Set this path as the root location (for each year group) with the user profiles in. This should link the students to this location, as long as the folders have the same name as their login. Then set permissions on the root folder, so the students don't have read access to it, but still have read/write to their own directories (NTFS fix program for this).
Ok. First off what flavour of server are you running?
I would start by creating a folder (called "students2010" for want of a better name) on the server and moving all the students' own home directories into it. I would have this on its own partition so that you can enable disk quotas without affecting anything else.
Share the students2010 folder with whatever name you want but make sure that you put the dollar ($) as the last character to hide it so that people can't browse to it. (If you are using 2003 server change the share permissions so that your users have at least "change" permissions as the default is read only.)
Set the permissions on the folder so that only domain admins and the system have access.
Now I can't remember if some of the following commands are in 2000 server but if not they should be downloadable from Microsoft's website. It also requires a little bit of scripting skill, though not much. A list of users/folders and some Excel skill will allow you to create some batch files very quickly to do this in bulk.
Use the Windows command "subinacl" to set the folder's permissions for each user.
Approximate syntax: subinacl /file e:\students2010\<FolderName> /grant=<DomainName>\<Username>=c
Use the Windows command "dsmod" to change the user's home directory (I THINK this is 2003 only)
Approximate syntax: dsmod user "CN=Don Funk,CN=Users,DC=Contoso,DC=Com" -hmdir \\<ServerName>\<ShareName>\<FolderName> -hmdrv <DriveLetter>
Check this and do some reading on the command before using it.
Then use GP to redirect My Documents to the user's home folder.
Just so you know: if you move/copy the folders on the same drive they will keep their ACLs. If you move them to a different drive you will lose the ACLs.
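The bulk procedure described in the reply above (per-user subinacl grant, then dsmod to set the home directory), sketched as a batch file. This is an added example, not part of the original thread. The list file users.txt (one login name per line, matching the folder name), the server name SERVER, the hidden share Students2010$, the domain SCHOOL and the drive letter P: are all assumptions to replace with your own values.

```bat
@echo off
rem Added example, not from the thread. Every name below is an assumed placeholder.
setlocal
set "LIST=users.txt"
set "ROOT=E:\Students2010"
set "SHARE=\\SERVER\Students2010$"
set "DOMAIN=SCHOOL"
set "DRIVE=P:"
rem DRYRUN=1 only prints what would be done; set to 0 to apply the changes.
set "DRYRUN=1"

if not exist "%LIST%" (
    echo ERROR: list file %LIST% not found
    exit /b 1
)

rem One login name per line; the folder name must equal the login name.
for /f "usebackq delims=" %%U in ("%LIST%") do (
    if not exist "%ROOT%\%%U\" (
        rem Never grant on a path that is not there; report it instead.
        echo SKIP %%U: %ROOT%\%%U not found
    ) else if "%DRYRUN%"=="1" (
        echo PLAN %%U: grant %DOMAIN%\%%U change on %ROOT%\%%U, home %SHARE%\%%U on %DRIVE%
    ) else (
        rem Grant the student Change on their own folder only.
        subinacl /file "%ROOT%\%%U" /grant=%DOMAIN%\%%U=c
        rem Look the account up by login name and pass its DN to dsmod.
        dsquery user -samid %%U | dsmod user -hmdir "%SHARE%\%%U" -hmdrv %DRIVE%
    )
)
endlocal
```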
You can move folders via NTBackup to retain ACLs.
Also rather than use the 'end date' (2010) to separate year groups, I would use their intake year as this is a solid date as opposed to the 'end date' which could change in the future. It is common to be near-sighted and think that the status quo will always be that the students have a 5-year career in the school but this might not always be the case.
Not sure it matters either way does it as long as the person in question understands what they are doing and how their groups work (and presumably all the students in the same year are in the same group).
For reference however I personally feel that year of entry is better. But I do have to "Back Date" those who enter in the Lower 6th or any other middle year in the school.