Home Drive / User Area Setup

[burgemaster]

Hi All,
On our school network, the home drive setup on the NAS drive im sure has not been setup the best way it could be....

The Current setup is:
\\NAS\Students\Year\Username

The only share setup is on the main Student_drives folder, and this only has everyone
NTFS permissions are also show below, only admin in there.
Same for the Year folders they only have ntfs permissions for Admin/domain admin, and no share files.
On the Students folder they have no share, and NTFS they have admin and there username.

Nowhere is any mention of "creator owner" and none of the shares are hidden.

See attached below

Im having quite a few problems with this setup,

1) With Office 2007 when they try to navigate to there home drive, office crashes, the way ive temp fixed it is to add "traverse folders" for "Students" on the "Student_Drives" share...

2) When students create a new file, they then are the "owner" of this file, and thus they get automatically "change and view permissions" even though its not checked or even denied. This means the sneaky ones will try and change all their permissions trying to deny the admin etc. and also messing up folders, meaning i have to fix it all.

3) The Staff drives are setup the same, and laptop users get "Access Denied" on every single offline file when they try to synronize!!
Microsoft said: "To configure a share so that users can synchronize with a subfolder under the Home$ share, grant all of the users at least Read permissions on the Home folder" so i added staff to the "Staff_drives" folder (the only folder shared) and it seemed to fix it...

All this tells me that my drives shares arent set up correctly?
Can anyone please help

[CyberNerd]

With windows I've previously shared all users directories individually, and relied on the ntfs for security (modify for user, full for admins and read for backup/teachers)
I would traverse through the active directory and use cacls to change the permissions and then share every directory in '02'

I've had very little luck doing anything like this with the gui, so theres probably a wizard somewhere that I don't know about.
I assume username == sharename == directoryname

Code:

Directory = "d:\users\07\"

Set objParent = GetObject("LDAP://OU=yeargroup 07,DC=college,DC=com")


objparent.Filter = Array("user")

for each objUser in objParent

     strUsername = objuser.Get("sAMAccountName")



     Set objShell = CreateObject("WScript.Shell")





     ObjShell.SendKeys  "Cmd /c cacls  " & Directory  & strUsername & " /T /G " & strUsername & ":C ""domainname\domain admins"":F server\administrator:F ""domaainame\teachers"":R"

     objShell.SendKeys "{ENTER}"

     objShell.SendKeys "Y"

     objShell.SendKeys "{ENTER}"


     

next

you need calcs for this but I think subinacl does something similar.

to share you can rely on the NTFS and share each homedir as full

Code:

FOR /D %A IN (*) DO NET SHARE %A=D:\USERS\07\%A  /GRANT:Everyone,Full

add a dollar if you think its worth it (waste of time imo)

[Michael]

@burgemaster - If I've understood correctly, any pupil can browse each others folder? Doesn't sound good at all if that's the case.

The reason Office 2007 probably crashes is because of the number of folders users need to browse before reaching their own!

What I'd recommend you do is leave the folders in their existing structure (on the server), because once you share folders out properly it won't be a problem. Users will be "redirected" to their My Documents (as you'd expect), so the fact it's a network drive is completely transparent to the user.

Download AutoShare This will allow you to quickly and easily share folders, make them private (with a dollar sign), but also allocate the correct permissions. I always give users Full Control of their folder, as well as Domain Admins for administration purposes. This ensures users have complete access (only to their own folder), but also that Folder Redirection works correctly.

You will need to take a look at Folder Redirection in Active Directory, but my hunch (from what you've described), is it probably isn't even enabled to 'redirect' users files when they logon.

I use the settings "Basic - Redirect everyone's folder to the same location" and "Redirect to the user's home directory".

On the Settings tab, tick to enable "Move the contents of My Documents to the new location"

Within Active Directory (under every users Profile tab), their home drive should read \\servername\sharename$

Try creating a few test users first and by following the above advice see how you get on

[burgemaster]

thx for the replies guys.

The students cannot browse other users folders
They cannot browse the year folder as they have no permission on it.
Redirection is allready setup as in the pic below, this is the Default_Student Policy.
Just noticed on the "Setting" i also have "Grant the user Exclusive Rights to documents" and the bottom selection checked?

Could you please let me know how your structures are? ie.

\\Server\Student_Drives(shared y/n/$ & permissions)\Year(shared y/n/$ & permissions)\Username(shared y/n/$ & permissions)

"I always give users Full Control of their folder"
Do you set full control to "this folder only" ? do they have full control of their files? i.e view/change permissions? as I dont want the students messin`

I will have a play today sharing out the Students Homedrive hidden..

Whatever i do i cant seems to stop the students having permission to view/change permission on thier files and folders!! (as shown below)
As soon as they own the file/folder they get to change the permissions.

EDIT: Fixed by ZeroHour, There is a setting in the GP to hide the Security Tab.... Doh
Thanks again

[Lithium]

Ours down here are set in the same way...

students\year\username and they just go straight into the folder when mapped.

We've only given students modify access - that way they cannot change the permissions.

So on the Students & Year folder they only have traverse, staff get read access and then they get modify access on subfolders and files of the student home drive so that they cannot move the folder to another students home drive...

I think if a student creates a folder, they become the "Creator Owner" which usually has full control...

[CyberNerd]

We've only given students modify access - that way they cannot change the permissions.

Same here, if users have full control they tend to try and take ownership, restricting admins and backup operators from doing essential work - like backing their stuff up.

Could you please let me know how your structures are? ie.

d:\users\cohort\username shared as \\servername\username

[plock]

As said - the security tab should be disabled. Students can't make the permission changes then. There is a GP option to disable it.

User Configuration > Administrative Templates > Windows Explorer > “Remove Security tab” > Enabled

[CyberNerd]

As said - the security tab should be disabled. Students can't make the permission changes then. There is a GP option to disable it.

User Configuration > Administrative Templates > Windows Explorer > “Remove Security tab” > Enabled

but that just removes the gui. Setting the permissions correctly will fix the problem.

[burgemaster]

but that just removes the gui. Setting the permissions correctly will fix the problem.

Even with modfiy they can still change/view permissions i think mate.
"The owner can always change permissions even when they are not
granted the permission to change permissions or even denied it"

[plock]

but that just removes the gui. Setting the permissions correctly will fix the problem.

You're absolutely correct.

[CyberNerd]

Even with modfiy they can still change/view permissions i think mate.

maybe, but xcacls might be a better option as it can specifically deny permission changes

XCACLS Syntax

XCACLS filename [/T] [/E] [/C] [/G usererm;spec] [/R user [...]]
[/P usererm;spec [...]] [/D user [...]] [/Y]
filename Displays ACLs.
/T Changes ACLs of specified files in the current directory
and all subdirectories.
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G usererm;spec Grant specified user access rights.
Perm can be: R Read
C Change (write)
F Full control
P Change Permissions (Special access)
O Take Ownership (Special access)
X EXecute (Special access)
E REad (Special access)
W Write (Special access)
D Delete (Special access)
Spec can be the same as perm and will only be applied to a
directory. In this case, Perm will be used for file inheritence
in this directory. If not omitted: Spec=Perm. Special values
for Spec only:
T NoT Specified (for file inherit, only for dirs valid)
At least one access right has to follow!
Entries between ';' and T will be ignored!
/R user Revoke specified user's access rights.
/P usererm;spec Replace specified user's access rights.
for access right specification see /G option
/D user Deny specified user access.
/Y Replace user's rights without verify