
How to create a proper user share in AD?

Posted on 2008-10-17
Last Modified: 2008-10-18
I have walked into a mess with configurations of shares and the servers in general. My current problem has to do with the creation of accounts in AD and user security. The goal, when creating an account, is to have a share for each user where that user is the only one that has full access. Here is what I have so far.

1. Created a share on the server c:\profile
2. Share name is profile$ (\\phx-server1\profile$)
3. After creating the above share the Shared Permissions are
   a. Everyone (read)
   b. Domain\Administrator (I added this and gave full control)
4. In AD Users and Computers
   a. Created account Test
   b. Properties > Profile > under Home Folder
      i. Connect: U: \\phx-server1\profile$\%username% (the folder is created \\phx-server1\profile$\test)
5. Logon as test I am mapped with a U drive to the proper location.
   a. When I try to create a folder or save a file I get Access denied.
   b. Permissions on folder Profile$ is the same as above
   c. The folder Test (which is the user) permissions are as follows:
      i. Domain\Administrator (Full control)
      ii. Creator Owner (Special)
      iii. System (Special)
      iv. Test (Full control)
      v. Domain\Users (Read & Execute) & (Special: Create files / Write data and Create folders / Append data are both checked and grayed out)
I could be wrong but since the user Test is a member of the Domain users group they can only read and execute.  I have the liberty of playing with the permissions on this at will since it is a test setup.  How do I get this so the users have full control over this folder?
0
Question by:JaysonJackson
4 Comments
 
LVL 1

Expert Comment

by:cristides
ID: 22741125
Hi,
you must allow NTFS permission for that user (from the Users group).
For this you must click that folder, go to share, and then add the users; then select the user and click the Advanced button. There you have lots of stuff for permissions.
0
 

Author Comment

by:JaysonJackson
ID: 22742752
Creating 200 folders and changing permissions on each is not something I want to do.

How do I set it up so that the new user's folder is created from the user profile with the correct permission?
0
 
LVL 18

Accepted Solution

by:
Americom earned 2000 total points
ID: 22749500
Your access denied is expected.
Here's what you need to do:
Share permission for profile$--Everyone(or Domain Users) grant "FULL"
NTFS permission for profile--Administrators(or Domain Admins) grant "FULL"

When you specify the path \\phx-server1\profile$\%username% and click Apply under the test AD object, the share will be created in \\phx-server1\profile$\test with the following permissions:
Share permission for profile$--same as above
NTFS permission for profile--same as above
NTFS permission for test--automatically granted Administrators (or Domain Admins) FULL and test FULL.

The resultant permission is the most restrictive rights from share+NTFS. In this case, it's FULL. So the user will be able to access their own folder but not others, and Administrators (or Domain Admins) will have access to any folder in \\phx-server1\profile$.

Your access denied was mainly due to READ being granted on the share; the resultant rights will be the most restrictive, READ, therefore you cannot delete or create any file or folder.

A few comments:
c:\profile--Bad practice. Unless you only have C: and no other partition, which is also bad practice
"profile"--why use the word profile, you are doing user's home folder. Why not Users?
Domain\Administrator--You should always grant permission by group such as Administrators or Domain Admins.
If you use an individual account for the root folder and you ever decide to change this, it will update all the files and folders underneath...if you have millions of files and folders...it could take a long time and may even affect your differential or incremental backup :]. Yes, even if it's one admin, you should still create a group or use an existing group. The only time you grant permission by individual account is when only that user should have access, such as the above user folder.
Hope this helps.
0
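
One way to script the layout described in the accepted answer for many accounts at once, as an added example that is not part of the original thread. The root path, share name, domain name and account list are placeholders, and it assumes Windows Server 2012 or later (for New-SmbShare) with PowerShell 3 or later, run from an elevated prompt.

```powershell
# Added example. Root path, share name, domain and accounts are placeholders.
$Root      = 'D:\Users'        # data partition rather than C:
$ShareName = 'Users$'          # trailing $ hides the share from browsing
$Domain    = 'CONTOSO'         # hypothetical NetBIOS domain name
$Users     = 'test', 'jdoe'    # constructed sample accounts

# 1. Root folder NTFS: remove inherited ACEs, then grant Full Control only to
#    the admin group and SYSTEM. (OI)(CI) makes the entries inherit downward.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
icacls $Root /inheritance:r /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# 2. Share permission: Full for Domain Users. Effective access is the more
#    restrictive of share and NTFS, so NTFS is what confines each user.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root -FullAccess "$Domain\Domain Users" | Out-Null
}

# 3. Per-user folder: inherits admin/SYSTEM from the root, plus one explicit
#    Full Control entry for the owning account (granted by account, not group).
foreach ($u in $Users) {
    $dir = Join-Path $Root $u
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    icacls $dir /grant "${Domain}\${u}:(OI)(CI)F" | Out-Null
}

# 4. Audit: list any ACE on a user folder that is not admin, SYSTEM or the
#    owning user, e.g. a leftover group entry that lets others read it.
foreach ($u in $Users) {
    $allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$Domain\$u"
    (Get-Acl (Join-Path $Root $u)).Access |
        Where-Object { $_.IdentityReference.Value -notin $allowed } |
        Select-Object @{n='Folder';e={$u}}, IdentityReference, FileSystemRights, IsInherited
}
```

An empty result from step 4 means each folder is limited to its owner plus the admin entries; an inherited group entry such as the Domain\Users one listed on the asker's Test folder would show up here.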
 

Author Comment

by:JaysonJackson
ID: 22750705
This is a test box and only has a single partition. The production server users will only be allowed on a different partition.

Thanks.
0


Question has a verified solution.
