Server 2008 - Home Directory
I'm running WHS 2008 and Active Directory. That works fine, but I'm having trouble setting up home directories for users and applying the appropriate permissions.
On a user's Profile tab -> Home folder, I set it to connect G: to \\tdloal1\homedir$\jane_smith, which is the home dir I want for that user. When Jane logs in, the drive is mapped to her fine, but I need help with setting the permissions; no matter what I do, nothing seems to work right.
I think the problem is the advanced sharing permissions on the homedir folder. If I set that to Full Control for Everyone, users can manage their homedir; if I set it to read only, users can't. How can I get around this?
March 5th, 2011 9:44pm
If you want AD users and computers (ADUC) to create the folder and permissions you need to do this.
1) Assign Everyone - Full Control over the Share
2) Assign Everyone - Full Control, and SYSTEM - Full Control to the NTFS permissions
ADUC will create the folder and assign only the USER - full control to the user folder. This is MS standard, but is not administratively friendly.
If you want an administratively friendly environment, you must manually set up permissions so you can properly manage the permissions for long-term maintenance.
Suggested Reading
Axioms of Permissions Administration
http://networkadminkb.com/Shared%20Documents/Axioms%20of%20Permissions%20Administration.aspx
The Golden Rules of Permissions Administration
http://networkadminkb.com/Shared%20Documents/The%20Golden%20Rules%20of%20Permissions%20Administration.aspx
Differences between Authenticated Users, Domain Users, and Everyone groups
http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Differences%20between%20Authenticated%20Users,%20Domain%20Users,%20and%20Everyone%20groups.aspx
Recommended NTFS Permissions for New Drives
http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/Recommended%20NTFS%20Permissions%20for%20New%20Drives.aspx
Creator Owner Explained
http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Creator%20Owner%20Explained.aspx
Doing security is about creating and developing a philosophy; there are many out there. The one below is mine and works for most situations. This is just a simplified explanation of the Axioms and Golden Rules listed above, specifically written for Home Folders.
For the Home Share you should do the following
1) Everyone - Read (optional, not really needed, but a nice just-in-case)
2) Authenticated Users - Change
3) Local Administrators - Full Control
4) File Structure Administrators - Full Control
For Home Shares note the following:
Always limit Authenticated Users to Change at the Share to prevent non-admin users from accidentally being given Full Control to the file structure. Allowing users to modify NTFS permissions... very bad.
You should always configure Local Administrators Full Control at the Share so they can administer it remotely.
You should always create and use a File Structure Administrators group and assign it Full Control to every share. This allows its members to remotely administer shares without being local administrators.
Configure the following NTFS permissions on the folder used as the Home Share
1) Authenticated Users - Read and execute
2) Local Administrators - Full Control
3) File Structure Administrators - Full Control
4) SYSTEM - Full Control
For NTFS in this situation note:
Always limit Authenticated Users to Read and execute to prevent non-admin users from changing folders and creating files here.
You should always configure Local Administrators Full Control at the folder so they can administer it remotely.
You should always create and use a File Structure Administrators group and assign it Full Control to every folder. This allows its members to remotely administer shares without being local administrators.
For the actual User Home folder you manually create, you should configure the following NTFS permissions by stopping inheritance, copying permissions and replacing Authenticated Users with the individual user account as shown below.
1) userID - Modify
2) Local Administrators - Full Control
3) File Structure Administrators - Full Control
4) SYSTEM - Full Control
For NTFS in this situation note:
Always remove Authenticated Users so the appropriate user account limits access
Always assign the USERID NTFS Modify permissions to prevent them from changing NTFS Permissions on their folder.
You should always configure Local Administrators Full Control at the folder so they can administer it remotely.
You should always create and use a File Structure Administrators group and assign it Full Control to every folder. This allows its members to remotely administer shares without being local administrators.
How to change the default owner for new NTFS files and folders
http://networkadminkb.com/kb/Knowledge%20Base/Windows2008/How%20to%20change%20the%20default%20owner%20for%20new%20NTFS%20files%20and%20folders.aspx
March 5th, 2011 10:13pm
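One way to script the share, home-root and per-user permissions listed in the answer above, using `net share` and `icacls` from an elevated PowerShell prompt on the file server, followed by a check that no non-admin entry can rewrite the ACL. This is an added example, not part of the original thread; the path `D:\homedir`, the domain `CONTOSO` and the group and user names are assumed placeholders.

```powershell
# Added example. Paths, domain, group and user names are assumed placeholders.
$root     = 'D:\homedir'                               # folder published as the home share
$share    = 'homedir$'
$fsAdmins = 'CONTOSO\File Structure Administrators'    # group suggested in the answer
$user     = 'CONTOSO\jane_smith'
$userDir  = Join-Path $root 'jane_smith'

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Share permissions: Authenticated Users capped at Change, admin groups at Full.
net share "$share=$root" '/GRANT:Everyone,READ' '/GRANT:Authenticated Users,CHANGE' `
    '/GRANT:Administrators,FULL' "/GRANT:$fsAdmins,FULL"

# NTFS on the share root: drop inherited ACEs, then set the four entries.
# Explicit ACEs for other principals, if any exist, must be removed separately.
icacls $root /inheritance:r /grant:r 'Authenticated Users:(OI)(CI)RX' `
    'BUILTIN\Administrators:(OI)(CI)F' "${fsAdmins}:(OI)(CI)F" `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Per-user folder: stop inheritance keeping a copy of the ACEs, then swap
# Authenticated Users for the individual account with Modify (not Full Control).
New-Item -ItemType Directory -Path $userDir -Force | Out-Null
icacls $userDir /inheritance:d
icacls $userDir /remove:g 'Authenticated Users'
icacls $userDir /grant:r "${user}:(OI)(CI)M"

# Check: list Allow entries that can change permissions or take ownership
# and do not belong to an administrators group or SYSTEM.
$danger = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
$risky = (Get-Acl $userDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $danger) -and
    $_.IdentityReference.Value -notmatch 'Administrators$|\\SYSTEM$'
}

if ($risky) {
    Write-Warning "Non-admin entries on $userDir can modify its ACL:"
    $risky | Format-Table IdentityReference, FileSystemRights -AutoSize
} else {
    "OK: only admin groups and SYSTEM can change permissions on $userDir"
}
```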
So when you say give Everyone full control over the share, do you mean give everyone full control over "\\tdlocal1\homedir" ?
March 5th, 2011 10:42pm
So when you say give Everyone full control over the share, do you mean give everyone full control over "\\tdlocal1\homedir" ?
Specifically, go to Administrative Tools...Computer Manager....Shared Folders....Shares...Right-click the Share (homedir) in the right pane, click the Share Permissions tab. Assign the group Everyone the Full Control permission.
March 5th, 2011 11:40pm
Alright thanks, everything is working fine now!
March 6th, 2011 2:56pm