• Status: Solved

Setting up home directory on the network

Hi

I am in the process of setting up a new domain using Windows 2000 Server. I have successfully set up AD and DNS. I have a test client PC. I have set up a test user in AD called testing.

I created a folder on the domain called network_shares and shared it out.  I then went to the properties of the user testing and went to the profile tab, within the profile tab I entered the following: \\domain.name\network_Shares\%username%

I log on to the domain using the client pc using the testing username, when I check network_shares a folder called testing appears.  So far so good.

My problem comes when I try to view this folder and its contents from the domain server. I get an access denied message. I am able to right click on the testing folder, go to properties, security tab, and I am able to add an administrator user and then I am able to see the folder. However, I have to do this for every folder within testing so I can see each one, and I don't want to have to do this for every user that is added to the domain.

There must be an easier way of allowing me to see the folders from the domain server?

Thxs
Gareth
0
Asked by: garethcummings
 
jkr Commented:
Just use

cacls \\domain.name\network_Shares\%username% -E -G Domain\Administrator:F

for these folders
0
 
jkr Commented:
BTW, to elaborate - the above edits the folder's ACL to grant the domain admin full access.
0
 
justinm99 Commented:
I've set this up for my domain as well. When I was in the profile tab for each user I typed:

\\servername\sharename\%username%

Notice I didn't type the domain name, I think that could be your error. If I were you I wouldn't follow the directions above because you'll have to do this for each user in the domain.

Furthermore - even though the users' directories will be secure by default (only that user and admins have access to it) you may want to share the directory as \\servername\sharename$. This will prevent users from being able to just browse to it.

Let me know if this works for you.
0
 
Fatal_Exception Commented:
Yes..  do not type in the domain name in the home folder attribute..  just as justin outlines, all you need is the servername\sharename\%username%   From this, the ACE's should be created automatically..  
0
 
4auHuk Commented:
To add Administrators group to new profile use this policy:
-----------------------
"Add the Administrators security group to roaming user profiles"
Location:
Computer Configuration\Administrative Templates\System\UserProfile
Description:
Adds the Administrator security group to the roaming user profile share.
After an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location specified by the administrator.
For Windows 2000 and later operating systems, the default file permissions for the newly generated profile are full control, or read and write access for the user, and no file access for the Administrators group. By configuring this policy, you can alter this behavior.
If you enable this policy, the Administrator group is also given full control to the user's profile folder.
If you disable or do not configure this policy, only the user is given full control of their user profile, and the Administrators group has no file system access to this folder.
------------------------

Regarding \\domain.name vs \\server or \\server.domain.name. I'm not sure previous posters make clear for you why exactly you shouldn't use \\domain.name for profiles. The point is that domain.name is resolved to domain controller(s) IP addresses. "(s)" is where problem lies. If you add additional controllers, change FSMO roles, reconfigure your DNS server etc etc then the order of IPs may change so clients will try to access profiles on wrong server.

hth,
4auHuk
0
 
4auHuk Commented:
Note that this policy will not change NTFS permissions of already created profiles.
0
 
Fatal_Exception Commented:
Interesting explanation 4au..  never really asked why, but good to know..  thanks.

FE
0
 
froddofreg Commented:
When you create a home directory the user is the only entry added to the ACL for that folder. Hence you can't browse the folders even if you are logged in as administrator.

You need to add the administrator user (or administrators group) to the ACL. JTR's solution will work or you can right click on the folder in Windows Explorer, select properties, then select the security tab and add administrator to the list. You can do this even if you can't browse the folder.
0
 
4auHuk Commented:
Uhm, Resource Kit lists incorrect policy path... Actual location is:
Computer Configuration\Administrative Templates\System\Logon
0
 
4auHuk Commented:
Btw, FE,
"4auHuk" does not split into first and second part. "H" looks like "n" in my language and since there's no small "H" in English I use upper letter :)

4auHuk
0
 
justinm99 Commented:
Froddofreg, you are wrong. When you create the folder the following groups have full access:

administrators, the user, and the system account.

There is no need to run any command line utilities. I've done this all myself.
0
 
4auHuk Commented:
Froddofreg,
If you create a new folder by yourself, default permissions depend on parent folder permissions and may vary depending on where you create a new folder.
When a roaming folder is created by client OS at the moment user logs in first time, default permissions are "User - full access" as froddofreg described.

4auHuk
0
 
Fatal_Exception Commented:
4au..  What language is that..??   you might want to fill in your profile so we can 'see' a little more about you..  I find it interesting to know where everyone is from and their background..  

BTW:  sorry for going off topic here...

Gareth.. are you still with us, or are we overwhelming you with these comments..??

FE
0
 
4auHuk Commented:
FE,
It's Russian. As for profile, I'll think about it... :)
0
 
garethcummings (Author) Commented:
Hi

Firstly tried jkr's idea, this only created a folder called testing -E -G Domain on the domain server, nothing was added to this folder even when I created a few text docs on the client PC and saved them to my documents.

4auHuk, your fix seems to make the most sense to me but I am unsure on what you mean when you say you add the admin permissions to Computer Configuration\Administrative Templates\System\Logon, what exactly do I have to do to assign these permissions?

Thxs
Gareth
0
 
4auHuk Commented:
Gareth,
It's a policy called "Add the Administrators security group to roaming user profiles" located under "Computer Configuration\Administrative Templates\System\Logon" node of group policy object (e.g. Default Domain Policy).
Open default domain policy, navigate to path above and configure mentioned policy.
To open Default Domain Policy GPO:
- Open "Active Directory Users and Computers" snap-in (Start>Programs>Administrative Tools)
- Right click your domain node and select "Properties".
- In "Group Policy" tab select "Default Domain Policy" and click "Edit" button.

If you create a new GPO, note that this policy must be applied to domain computers since it is domain computers who initially create and configure user profile folders on server.

4auHuk

 
0
 
garethcummings (Author) Commented:
That's great 4auHuk, it worked a treat,

thxs
Gareth
0
 
garethcummings (Author) Commented:
One quick last thing, this worked for any new folders that were created when a new user logged on, however the old folders are still not accessible, can't remove them either, any way around this?

Thxs
Gareth
0
 
4auHuk Commented:
Yes, this is because this policy takes place at the time profile is created. I mentioned this behaviour in my second post. It is also described in policy explanation ("Explain" tab in policy editing window)

Glad to help, and thanks :)
0
 
4auHuk Commented:
For old profiles you will need to change ownership of folders/files to add NTFS permission for Administrators group.
0
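One way to carry out the ownership change described in the comment above for profile folders created before the policy was enabled, as an added example that is not part of the original thread. It assumes a newer Windows Server where takeown.exe and icacls.exe exist (they are not part of Windows 2000) and a hypothetical folder path; it takes ownership only where the DACL cannot otherwise be edited and adds an ACE rather than replacing the ACL, so the user's own access stays intact.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# Assumes takeown.exe and icacls.exe are available (they are not on Windows 2000).
param([Parameter(Mandatory)][string]$ProfileFolder)  # hypothetical, e.g. D:\network_shares\testing

$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$Full = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-AdminFullControl([string]$Path) {
    # True when an Allow ACE that applies to this object already gives Administrators full control.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $AdminsSid -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.FileSystemRights -band $Full) -eq $Full -and
            $r.PropagationFlags -notmatch 'InheritOnly') { return $true }
    }
    return $false
}

$pending = [System.Collections.Generic.Queue[System.IO.FileSystemInfo]]::new()
$pending.Enqueue((Get-Item -LiteralPath $ProfileFolder -Force))
while ($pending.Count -gt 0) {
    $item  = $pending.Dequeue()
    $isDir = $item -is [System.IO.DirectoryInfo]
    # The user controls this tree, so never follow a junction or symlink out of it.
    if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
        Write-Warning "Skipped reparse point $($item.FullName)"; continue
    }
    if (-not (Test-AdminFullControl $item.FullName)) {
        $ace = if ($isDir) { "*${AdminsSid}:(OI)(CI)F" } else { "*${AdminsSid}:F" }
        icacls.exe $item.FullName /grant $ace 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) {
            # The DACL cannot be edited yet: make Administrators the owner, then retry.
            takeown.exe /F $item.FullName /A 2>&1 | Out-Null
            icacls.exe $item.FullName /grant $ace 2>&1 | Out-Null
        }
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not fix $($item.FullName)"; continue }
        "Fixed $($item.FullName)"
    }
    if ($isDir) {
        Get-ChildItem -LiteralPath $item.FullName -Force | ForEach-Object { $pending.Enqueue($_) }
    }
}
```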
 
garethcummings (Author) Commented:
Oops, sorry, should have read the old posts fully first :)

Thxs again
Gareth
0
