Securing Home Folders through Profile Settings in Active Directory

Posted on 2007-07-25
Last Modified: 2011-08-18
Is there a way to have the Active Directory's Profile Home Folder creation process automatically assign NTFS permissions only to the given user's account?

According to this MS article, and my experience, when using Active Directory Users and Computers > Profile > Home Folder > Connect > "Drive Letter" > \\"servername"\%username%, the user's home folder is created and the user is assigned to their home folder, but this folder inherits the permission from its parent folder.

I want that user to be isolated to their folder, so that others cannot access their folder and vice versa without having to manually assign NTFS permissions on each user's home folder.

I know Group Policy does this; that is, with Group Policy and My Documents Redirection, it creates a user's home folder on the server and only gives NTFS permission to that user's account, so that the folder is secure from everyone else.

Can this be done with the Profile Home Folder settings in a user's account?
Question by: CecilAdmin

    Accepted Solution

    By default, when a folder is created by AD based on information that you drop in the Profile tab, the user receives Full Control permission to that folder. Any other permissions come from inheritance, based on permissions that you yourself have assigned to higher-level folders in the hierarchy.  So if you have a folder called e:\personal, shared as \\servername\personal, under which you want your users' home folders to reside:

    * Assign Users-->Modify share permissions to ~\Personal
    * Assign Users-->Read to e:\personal, being sure to specify "This folder ONLY" and not "this folder, all sub-folders and files"

    This will allow all users to Read only the top-level ~personal folder, while individual users will have Full Control of their own folders only.

    While you're at it, use Access-Based Enumeration (google, it's a free download from the MS website) so that users will not even be able to -see- any folders that they don't have permissions to.
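The layout described in the accepted answer, as an added PowerShell example that is not part of the original thread: it sets the parent-folder ACL with icacls, then lists every ACE on a home folder that grants access to anyone other than the account the folder is named after. The path E:\Personal, the BUILTIN\Users group, the Administrators/SYSTEM entries and the removal of ACEs inherited from the volume root are assumptions, not steps stated in the answer.

```powershell
# Added example. Run elevated on the file server (PowerShell 3.0 or later).
# Assumed values: adjust to your environment.
$root  = 'E:\Personal'        # parent of the %username% home folders
$users = 'BUILTIN\Users'      # the "Users" group from the answer

# 1. Parent folder ACL.
#    Administrators and SYSTEM keep Full Control, inherited by subfolders and
#    files, so ADUC can still create the home folders (assumption).
icacls $root /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
#    Users get Read with no (OI)/(CI) flags, i.e. "This folder only".
icacls $root /grant:r "${users}:(R)"
#    Drop ACEs inherited from the volume root so they cannot flow down into
#    the home folders (assumption: the answer does not mention this step).
icacls $root /inheritance:r

# 2. Audit: report Allow ACEs on each home folder that belong to neither the
#    expected administrative principals nor the folder's namesake account.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

function Get-ForeignHomeFolderAce {
    param([string]$Path)
    Get-ChildItem -Path $Path -Directory | ForEach-Object {
        $folder = $_
        (Get-Acl -Path $folder.FullName).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -notin $expected -and
                # Home folders are named %username%; compare with the account
                # part of DOMAIN\account. Unresolved SIDs are always reported.
                ($_.IdentityReference.Value -split '\\')[-1] -ne $folder.Name
            } |
            Select-Object @{ n = 'Folder'; e = { $folder.FullName } },
                          IdentityReference, FileSystemRights, IsInherited
    }
}

Get-ForeignHomeFolderAce -Path $root | Format-Table -AutoSize
```

An empty result means no home folder grants access beyond its own user and the administrative principals; rows with `IsInherited` set to True point back at an ACE on the parent that was not limited to "This folder only".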

    Expert Comment

    I'm going to ask another question based on this -

    "the user receives Full Control permission to that folder. Any other permissions come from inheritance, based on permissions that you yourself have assigned to higher-level folders in the hierarchy."

    We don't want our users to have full access to their folder, just everything but full access.

    Is there any way you can change the default security applied to the folder?


