
  • Status: Solved

Securing Home Folders through Profile Settings in Active Directory

Is there a way to have the Active Directory's Profile Home Folder creation process automatically assign NTFS permissions only to the given user's account?

According to this MS article, http://support.microsoft.com/kb/817009, and my experience, when using Active Directory Users and Computers > Profile > Home Folder > Connect > "Drive Letter" > \\"servername"\%username%, the user's home folder is created and the user is assigned to their home folder, but this folder inherits the permission from its parent folder.

I want that user to be isolated to their folder, so that others cannot access their folder and vice versa, without having to manually assign NTFS permissions on each user's home folder.

I know Group Policy does this; that is, with Group Policy and My Documents Redirection, it creates a user's home folder on the server and only gives NTFS permission to that user's account, so that the folder is secure from everyone else.

Can this be done with the Profile Home Folder settings in a user's account?
1 Solution
By default, when a folder is created by AD based on information that you drop in the Profile tab, the user receives Full Control permission to that folder. Any other permissions come from inheritance, based on permissions that you yourself have assigned to higher-level folders in the hierarchy.  So if you have a folder called e:\personal, shared as \\servername\personal, under which you want your users' home folders to reside:

* Assign Users-->Modify share permissions to ~\Personal
* Assign Users-->Read to e:\personal, being sure to specify "This folder ONLY" and not "this folder, all sub-folders and files"

This will allow all users to Read only the top-level ~personal folder, while individual users will have Full Control of their own folders only.

While you're at it, use Access-Based Enumeration (google, it's a free download from the MS website) so that users will not even be able to -see- any folders that they don't have permissions to.
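
The parent-folder ACE described in the answer above, followed by a check of the resulting home folders, as an added PowerShell example that is not part of the original answer. It assumes the `E:\Personal` path from the answer, home folders named after the account (as `%username%` produces), and an allow-list of SYSTEM and Administrators that is an assumption, not something the thread specifies.

```powershell
# Added example. $Root is the folder named in the answer; $Allowed is an assumed allow-list.
$Root    = 'E:\Personal'
$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# "This folder ONLY" in ACE terms: InheritanceFlags = None and PropagationFlags = None,
# so the Read grant for Users stops at the parent and never reaches a home folder.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'ReadAndExecute', 'None', 'None', 'Allow')
$acl = Get-Acl -LiteralPath $Root
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Root -AclObject $acl

# Audit: list every Allow ACE on a home folder that belongs to someone other than
# the folder's own user or the allow-list. Inherited = True means the grant comes
# from a broader ACE on $Root (or above) that still propagates to children.
$findings = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
        $id      = $ace.IdentityReference.Value
        $account = ($id -split '\\')[-1]          # strip DOMAIN\ prefix
        $isOwner = $account -eq $dir.Name         # folder name == user name

        if ($ace.AccessControlType -eq 'Allow' -and
            -not $isOwner -and
            $Allowed -notcontains $id) {
            [pscustomobject]@{
                Folder    = $dir.FullName
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No unexpected Allow ACEs found under $Root"
}
```

Rows with `Inherited = True` point at an ACE on the parent that still applies to subfolders; rows with `Inherited = False` are explicit grants on that one home folder.
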
I'm going to ask another question based on this -

"the user receives Full Control permission to that folder. Any other permissions come from inheritance, based on permissions that you yourself have assigned to higher-level folders in the hierarchy."

We don't want our users to have full access to their folder, just everything but full access.

Is there any way you can change the default security applied to the folder?


