+ Post New Thread
Results 1 to 12 of 12
Windows Server 2008 Thread, Best set up for new users - Home drive permissions and shares? in Technical; We currently create users with a home folder in a folder such as Year7/username$ We then give full permission on ...
  1. #1
    reggiep's Avatar
    Join Date
    Apr 2008
    Location
    In the vast area of space and time
    Posts
    1,548
    Thank Post
    517
    Thanked 56 Times in 50 Posts
    Rep Power
    29

    Best set up for new users - Home drive permissions and shares?

    We currently create users with a home folder in a folder such as Year7/username$
    We then give full permission on the folder and then restrict access through the share.
    I believe that most people do this the other way with control via security permissions and give full access through the share?

    Can anybody suggest the best set up for user home folders and security?

    I ask as I am currently playing around with bulk user creation tools and can't see how i can use any of them with my current set up!

    thanks

  2. #2

    Join Date
    Mar 2011
    Location
    Coventry
    Posts
    61
    Thank Post
    12
    Thanked 6 Times in 6 Posts
    Rep Power
    8
    I would give full access through the share and then lock it down using ntfs acls.

    there was a KB article on the suggested permissions for home folders on Microsoft. Ill see if I can find it again.

  3. #3
    reggiep's Avatar
    Join Date
    Apr 2008
    Location
    In the vast area of space and time
    Posts
    1,548
    Thank Post
    517
    Thanked 56 Times in 50 Posts
    Rep Power
    29
    Thanks, That would be good to see.

  4. #4

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,799
    Thank Post
    272
    Thanked 1,134 Times in 1,030 Posts
    Rep Power
    349
    I have a new share for each year not user - i personally think having a new share for each user is slow for the FS - there was a thread where we discussed a while ago but i can't find it.

    I use \\server\intake10$\%username& then have everybody full control on the share and then restrict using NTFS

    This means AD will automagically create the home drive which it won't if its a share.

  5. #5
    reggiep's Avatar
    Join Date
    Apr 2008
    Location
    In the vast area of space and time
    Posts
    1,548
    Thank Post
    517
    Thanked 56 Times in 50 Posts
    Rep Power
    29
    Cheers Glennda, I was considering changing the share to the yeargroup but you have reassured me.

  6. #6

    Join Date
    Mar 2011
    Location
    Coventry
    Posts
    61
    Thank Post
    12
    Thanked 6 Times in 6 Posts
    Rep Power
    8
    I can't find the KB article atm (it was originally for 2003 but the principle is still the same I believe)

    Off the top of my head you will need to use the advanced section of the security tab on the root of the share, and use the following (its a good starting point at least).

    System - Full Control - This Folder, Subfolders and files
    Administrators - Full Control - This Folder, Subfolders and files (And any other security groups you wish to access the home drives)
    Authenticated Users - List Folder / Read Data & Read Attributes & Create Folders / Append Data - This Folder only
    CREATOR OWNER - I use everything but Full Control, Read Permissions, Change Permissions & Take Ownership (But it can be full control if you wish) - Subfolders and files only.

    Hopefully that makes sense. If not I shall try to elaborate slightly.

    If I do manage to find that article I shall post a link to it in this thread.

    Ash

    Edit:

    And glennda does the same, i would use a share for the year and then allow AD to create the profiles at the students first logon within that share.

  7. #7
    waldronm2000's Avatar
    Join Date
    Dec 2009
    Location
    Southend
    Posts
    129
    Thank Post
    49
    Thanked 12 Times in 11 Posts
    Rep Power
    12

  8. #8

    Join Date
    Mar 2011
    Location
    Coventry
    Posts
    61
    Thank Post
    12
    Thanked 6 Times in 6 Posts
    Rep Power
    8
    Found it............

    Its more based on folder redirection but the principle is the same.....

    How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003

  9. #9

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,799
    Thank Post
    272
    Thanked 1,134 Times in 1,030 Posts
    Rep Power
    349
    Quote Originally Posted by iMash View Post
    And glennda does the same, i would use a share for the year and then allow AD to create the profiles at the students first logon within that share.
    For profiles you need to ensure a group the user is part of (say students or year group) has write permission to the root of the share - as its not AD which creates the folder it is the user on first login

  10. #10

    Join Date
    Mar 2011
    Location
    Coventry
    Posts
    61
    Thank Post
    12
    Thanked 6 Times in 6 Posts
    Rep Power
    8
    Quote Originally Posted by glennda View Post
    For profiles you need to ensure a group the user is part of (say students or year group) has write permission to the root of the share - as its not AD which creates the folder it is the user on first login
    Yes sorry, I should have been more specific. That is why you allow authenticated users permission to create a folder in the root. and then as they would be the owner they inherit the full control permissions for anything subsequently created within that folder.

    Authenticated users could be substituted with a specific security group (for example a group representing the year).

  11. #11
    reggiep's Avatar
    Join Date
    Apr 2008
    Location
    In the vast area of space and time
    Posts
    1,548
    Thank Post
    517
    Thanked 56 Times in 50 Posts
    Rep Power
    29
    We have a mandatory profile so that is one less thing to worry about!

  12. #12
    Duke5A's Avatar
    Join Date
    Jul 2010
    Posts
    793
    Thank Post
    80
    Thanked 130 Times in 113 Posts
    Blog Entries
    8
    Rep Power
    31
    We also have shares by graduation year, and the student's home folder created inside of that share. Permissions are handled at the NTFS level, while everyone is given full access through share level security. Students are given every permission to their respective home folders with the exception of full control. I had an issue a few years back with students taking ownership of the directory and removing access rights from administrators. Easy enough fix, but it was causing issues with the nightly backups.

SHARE:
+ Post New Thread

Similar Threads

  1. Set permissions on users folders
    By Newton in forum Scripts
    Replies: 2
    Last Post: 20th May 2010, 05:36 PM
  2. [Ubuntu] Mount users Home drive from AD to
    By jmair in forum *nix
    Replies: 3
    Last Post: 29th April 2009, 06:38 PM
  3. [Ubuntu] Setup FTP Users & Set Permissions
    By FN-GM in forum *nix
    Replies: 5
    Last Post: 18th February 2009, 12:21 PM
  4. Users Home Folder and Network Drive
    By lovelldr in forum Windows
    Replies: 6
    Last Post: 6th August 2007, 10:17 AM
  5. Replies: 9
    Last Post: 16th June 2006, 09:28 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •