Solved

Setting up home directory on the network

Posted on 2004-03-25
Last Modified: 2010-04-13
Hi

I am in the process of setting up a new domain using Windows 2000 Server.  I have successfully set up AD and DNS.  I have a test client PC.  I have set up a test user in AD called testing.

I created a folder on the domain called network_shares and shared it out.  I then went to the properties of the user testing and went to the profile tab, within the profile tab I entered the following: \\domain.name\network_Shares\%username%

I log on to the domain using the client pc using the testing username, when I check network_shares a folder called testing appears.  So far so good.

My problem comes when I try to view this folder and its contents from the domain server.  I get an access denied message.  I am able to right click on the testing folder, go to properties, security tab, and I am able to add an administrator user and then I am able to see the folder. However, I have to do this for every folder within testing so I can see each one, and I don't want to have to do this for every user that is added to the domain.

There must be an easier way of allowing me to see the folders from the domain server?

Thxs
Gareth
Question by:garethcummings
21 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 10679730
Just use

cacls \\domain.name\network_Shares\%username% -E -G Domain\Administrator:F

for these folders
0
 
LVL 86

Expert Comment

by:jkr
ID: 10679740
BTW, to elaborate - the above edits the folder's ACL to grant the domain admin full access.
0
 
LVL 1

Expert Comment

by:justinm99
ID: 10679850
I've set this up for my domain as well. When I was in the profile tab for each user I typed:

\\servername\sharename\%username%

Notice I didn't type the domain name, I think that could be your error. If I were you I wouldn't follow the directions above because you'll have to do this for each user in the domain.

Furthermore, even though the users' directories will be secure by default (only that user and admins have access to them), you may want to share the directory as \\servername\sharename$. This will prevent users from being able to just browse to it.

Let me know if this works for you.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10679958
Yes..  do not type in the domain name in the home folder attribute..  just as justin outlines, all you need is the servername\sharename\%username%   From this, the ACEs should be created automatically..
0
 
LVL 7

Expert Comment

by:4auHuk
ID: 10681367
To add the Administrators group to a new profile, use this policy:
-----------------------
"Add the Administrators security group to roaming user profiles"
Location:
Computer Configuration\Administrative Templates\System\UserProfile
Description:
Adds the Administrator security group to the roaming user profile share.
After an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location specified by the administrator.
For Windows 2000 and later operating systems, the default file permissions for the newly generated profile are full control, or read and write access for the user, and no file access for the Administrators group. By configuring this policy, you can alter this behavior.
If you enable this policy, the Administrator group is also given full control to the user's profile folder.
If you disable or do not configure this policy, only the user is given full control of their user profile, and the Administrators group has no file system access to this folder.
------------------------

Regarding \\domain.name vs \\server or \\server.domain.name. I'm not sure previous posters made clear for you why exactly you shouldn't use \\domain.name for profiles. The point is that domain.name is resolved to domain controller(s) IP addresses. "(s)" is where the problem lies. If you add additional controllers, change FSMO roles, reconfigure your DNS server etc. then the order of IPs may change, so clients will try to access profiles on the wrong server.

hth,
4auHuk
0
 
LVL 7

Expert Comment

by:4auHuk
ID: 10681377
Note that this policy will not change NTFS permissions of already created profiles.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10681528
Interesting explanation 4au..  never really asked why, but good to know..  thanks.

FE
0
 

Expert Comment

by:froddofreg
ID: 10681544
When you create a home directory the user is the only entry added to the ACL for that folder. Hence you can't browse the folders even if you are logged in as administrator.

You need to add the administrator user (or administrators group) to the ACL. JTR's solution will work or you can right click on the folder in Windows Explorer, select properties, then select the security tab and add administrator to the list. You can do this even if you can't browse the folder.
0
 
LVL 7

Expert Comment

by:4auHuk
ID: 10682075
Uhm, Resource Kit lists incorrect policy path... Actual location is:
Computer Configuration\Administrative Templates\System\Logon
0
 
LVL 7

Expert Comment

by:4auHuk
ID: 10682118
Btw, FE,
"4auHuk" does not split into first and second parts. "H" looks like "n" in my language and since there's no small "H" in English I use the upper-case letter :)

4auHuk
0

 
LVL 1

Expert Comment

by:justinm99
ID: 10682464
Froddofreg, you are wrong. When you create the folder the following groups have full access:

administrators, the user, and the system account.

There is no need to run any command line utilities. I've done this all myself.
0
 
LVL 7

Expert Comment

by:4auHuk
ID: 10682625
Froddofreg,
If you create a new folder by yourself, default permissions depend on parent folder permissions and may vary depending on where you create the new folder.
When a roaming folder is created by the client OS at the moment the user logs in for the first time, default permissions are "User - full access" as froddofreg described.

4auHuk
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 10682986
4au..  What language is that..??   you might want to fill in your profile so we can 'see' a little more about you..  I find it interesting to know where everyone is from and their background..  

BTW:  sorry for going off topic here...

Gareth.. are you still with us, or are we overwhelming you with these comments..??

FE
0
 
LVL 7

Expert Comment

by:4auHuk
ID: 10683162
FE,
It's Russian. As for profile, I'll think about it... :)
0
 

Author Comment

by:garethcummings
ID: 10687757
Hi

Firstly tried jkr's idea, this only created a folder called testing -E -G Domain on the domain server, nothing was added to this folder even when I created a few text docs on the client PC and saved them to my documents.

4auHuk, your fix seems to make the most sense to me but I am unsure on what you mean when you say you add the admin permissions to Computer Configuration\Administrative Templates\System\Logon, what exactly do I have to do to assign these permissions?

Thxs
Gareth
0
 
LVL 7

Accepted Solution

by:
4auHuk earned 250 total points
ID: 10688185
Gareth,
It's a policy called "Add the Administrators security group to roaming user profiles" located under "Computer Configuration\Administrative Templates\System\Logon" node of group policy object (e.g. Default Domain Policy).
Open default domain policy, navigate to path above and configure mentioned policy.
To open Default Domain Policy GPO:
- Open "Active Directory Users and Computers" snap-in (Start>Programs>Administrative Tools)
- Right click your domain node and select "Properties".
- In "Group Policy" tab select "Default Domain Policy" and click "Edit" button.

If you create a new GPO, note that this policy must be applied to domain computers since it is domain computers who initially create and configure user profile folders on the server.

4auHuk

 
0
 

Author Comment

by:garethcummings
ID: 10688863
That's great 4auHuk, it worked a treat,

thxs
Gareth
0
 

Author Comment

by:garethcummings
ID: 10688935
One quick last thing: this worked for any new folders that were created when a new user logged on, however the old folders are still not accessible, and I can't remove them either. Any way around this?

Thxs
Gareth
0
 
LVL 7

Expert Comment

by:4auHuk
ID: 10689561
Yes, this is because this policy takes place at the time the profile is created. I mentioned this behaviour in my second post. It is also described in the policy explanation ("Explain" tab in the policy editing window).

Glad to help, and thanks :)
0
 
LVL 7

Expert Comment

by:4auHuk
ID: 10689600
For old profiles you will need to change ownership of the folders/files to add NTFS permission for the Administrators group.
0
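
An added example, not part of the thread: one way to find the existing folders that lack an Administrators entry and, only when asked, take ownership and add it as described in the comment above. It assumes a later Windows Server release where PowerShell 3 or newer, takeown and icacls are available; the path D:\network_shares and the function name Test-AdminFullControl are placeholders chosen for this example.

```powershell
# Added example: audit (and optionally repair) folders created before the policy applied.
param(
    [string]$ShareRoot = 'D:\network_shares',   # assumed local path behind the share
    [switch]$Repair                             # without this switch nothing is changed
)

# Well-known SID of BUILTIN\Administrators; avoids localized group names.
$adminSid = 'S-1-5-32-544'
$full     = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-AdminFullControl {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Access denied while reading the ACL: the admin has no rights at all here.
        return 'Unreadable'
    }
    # Explicit and inherited rules, with identities translated to SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $adminSid -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $full) -eq $full) {
            return 'Present'
        }
    }
    return 'Missing'
}

Get-ChildItem -LiteralPath $ShareRoot -Directory | ForEach-Object {
    $state = Test-AdminFullControl -Path $_.FullName
    # Report every folder so the output doubles as a record of the audit.
    [pscustomobject]@{ Folder = $_.FullName; AdminFullControl = $state }

    if ($Repair -and $state -ne 'Present') {
        # Give ownership to the Administrators group (/A) for the whole tree (/R),
        # answering Y where the folder cannot be listed (/D Y).
        takeown /F $_.FullName /A /R /D Y | Out-Null
        # Grant inheritable full control to Administrators on the tree (/T),
        # continuing past individual file errors (/C).
        icacls $_.FullName /grant "*${adminSid}:(OI)(CI)F" /T /C | Out-Null
    }
}
```

Run it first without -Repair and review the list; after a repair the folder owner is the Administrators group rather than the user.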
 

Author Comment

by:garethcummings
ID: 10702517
Oops, sorry, should have read the old posts fully first :)

Thxs again
Gareth
0
