Solved

How to create a proper user share in AD?

Posted on 2008-10-17
601 Views
Last Modified: 2008-10-18
I have walked into a mess with the configuration of shares and the servers in general. My current problem has to do with the creation of accounts in AD and user security. The goal is to have a share for each user to which only that user has full access, set up when the account is created. Here is what I have so far.

1. Created a share on the server: c:\profile
2. Share name is profile$ (\\phx-server1\profile$)
3. After creating the above share, the Share Permissions are:
   a. Everyone (Read)
   b. Domain\Administrator (I added this and gave Full Control)
4. In AD Users and Computers:
   a. Created account Test
   b. Properties > Profile > under Home Folder:
      i. Connect: U: to \\phx-server1\profile$\%username% (the folder \\phx-server1\profile$\test is created)
5. Logon as test: I am mapped with a U: drive to the proper location.
   a. When I try to create a folder or save a file I get Access Denied.
   b. Permissions on the profile$ folder are the same as above.
   c. The permissions on folder Test (which is the user) are as follows:
      i. Domain\Administrator (Full Control)
      ii. CREATOR OWNER (Special)
      iii. SYSTEM (Special)
      iv. Test (Full Control)
      v. Domain\Users (Read & Execute) and (Special: "Create files / write data" and "Create folders / append data" are both checked and grayed out)
I could be wrong, but since the user Test is a member of the Domain Users group, they can only read and execute. I have the liberty of playing with the permissions on this at will since it is a test setup. How do I get this so the users have full control over this folder?
Question by:JaysonJackson
4 Comments
 

Expert Comment

by:cristides
Hi,
You must allow NTFS permissions for that user (from the Users group).
To do this, right-click that folder, go to Sharing, and then add the users; then select the user and click the Advanced button. There you have lots of options for permissions.

Author Comment

by:JaysonJackson
Creating 200 folders and changing permissions on each is not something I want to do.

How do I set it up so that the new user's folder is created from the user profile with the correct permissions?

Accepted Solution

by:
Americom earned 500 total points
Your access denied is expected.
Here's what you need to do:
Share permission for profile$: Everyone (or Domain Users) grant FULL.
NTFS permission for profile: Administrators (or Domain Admins) grant FULL.

When you specify the path \\phx-server1\profile$\%username% and click Apply on the test AD object, the folder will be created at \\phx-server1\profile$\test with the following permissions:
Share permission for profile$: same as above.
NTFS permission for profile: same as above.
NTFS permission for test: automatically granted Administrators (or Domain Admins) FULL and test FULL.

The resultant permission is the most restrictive of the share and NTFS rights. In this case, it's FULL, so users will be able to access their own folder but not others', and Administrators (or Domain Admins) will have access to any folder in \\phx-server1\profile$.

Your access denied was mainly because READ was granted on the share; the resultant right is the most restrictive one, READ, so you cannot delete or create any file or folder.

A few comments:
c:\profile: bad practice, unless you only have C: and no other partition, which is also bad practice.
"profile": why use the word profile? You are doing users' home folders. Why not Users?
Domain\Administrator: you should always grant permissions by group, such as Administrators or Domain Admins.
If you use an individual account for the root folder and ever decide to change it, it will update all the files and folders underneath. If you have millions of files and folders, it could take a long time and may even affect your differential or incremental backup :]. Yes, even if it's one admin, you should still create a group or use an existing group. The only time you grant permission by individual account is when only that user should have access, such as the user folder above.
Hope this helps.
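The setup the question describes and the fix in the accepted answer, as an added PowerShell example (not code posted in this thread): the share is left wide open, the NTFS ACL does the real gating, permissions are granted by group, and each user folder is created with inheritance disabled so the "Domain Users: Create files / Create folders" entries the question saw cannot leak in from the parent. Everything below is an assumption for illustration: the server name phx-server1, a root of D:\Users on a non-system partition (following the answer's advice against c:\profile and the name "profile"), the share name Users$, the domain CONTOSO, and the account "test". It needs the ActiveDirectory and SmbShare modules (Windows Server 2012 or later) and an elevated prompt on the file server.

```powershell
# Added example, not from the original thread. Placeholders: phx-server1,
# D:\Users, Users$, CONTOSO and the account "test" are assumptions.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory, SmbShare

$Root      = 'D:\Users'
$ShareName = 'Users$'
$Server    = 'phx-server1'
$Domain    = 'CONTOSO'

# Build one NTFS access rule. InheritanceFlags 'None' is "This folder only"
# in the GUI; the default here propagates to subfolders and files.
function New-FolderAce {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [switch]$ThisFolderOnly
    )
    $inherit = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit, ObjectInherit' }
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, 'None', 'Allow')
}

# Replace a folder's DACL with exactly the rules given: inheritance is turned
# off and inherited entries are discarded, so the parent's ACL cannot add
# rights (the cause of the grayed-out Domain Users entries in the question).
function Set-ExplicitAcl {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemAccessRule[]]$Rules
    )
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in $acl.Access) { [void]$acl.RemoveAccessRule($existing) }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# --- Root folder: admins and SYSTEM only, by group as the answer recommends.
# Authenticated Users get list rights on this folder only so they can browse
# to \\phx-server1\Users$; they still cannot open anyone else's folder.
New-Item -Path $Root -ItemType Directory -Force | Out-Null
Set-ExplicitAcl -Path $Root -Rules @(
    (New-FolderAce 'BUILTIN\Administrators'             FullControl),
    (New-FolderAce 'NT AUTHORITY\SYSTEM'                FullControl),
    (New-FolderAce 'NT AUTHORITY\Authenticated Users'   ListDirectory -ThisFolderOnly)
)

# --- Share: Full for Authenticated Users instead of the default Everyone/Read
# that produced the Access Denied. Effective access is the more restrictive of
# share and NTFS, so the per-folder NTFS ACL is what actually limits users.
# Access-based enumeration hides folders a user cannot open.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased | Out-Null
}

# --- One user: folder with an explicit ACL (admins, SYSTEM, the user), then
# the homeDirectory/homeDrive attributes. Unlike the ADUC Profile tab,
# Set-ADUser does not create the folder, so it is created here explicitly.
function New-UserHomeFolder {
    param([string]$SamAccountName)
    $path = Join-Path $Root $SamAccountName
    New-Item -Path $path -ItemType Directory -Force | Out-Null
    Set-ExplicitAcl -Path $path -Rules @(
        (New-FolderAce 'BUILTIN\Administrators'      FullControl),
        (New-FolderAce 'NT AUTHORITY\SYSTEM'         FullControl),
        (New-FolderAce "$Domain\$SamAccountName"     FullControl)
    )
    Set-ADUser -Identity $SamAccountName -HomeDrive 'U:' `
        -HomeDirectory "\\$Server\$ShareName\$SamAccountName"
    $path
}

# Provision the test account; the same call in a loop covers the 200 users
# the asker did not want to set up by hand.
$testHome = New-UserHomeFolder -SamAccountName 'test'

# --- Verify: share ACL, then the NTFS ACL actually applied to the user folder.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight
(Get-Acl -Path $testHome).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
```

Run it once on the file server to build the root and share, then call New-UserHomeFolder for each account (for example from Get-ADUser piped into ForEach-Object). The verification output should show no inherited entries on the user folder and no Domain Users entry at all; if a Domain Users or Everyone entry appears there, inheritance was re-enabled or the root ACL was widened, and the "only that user has full access" goal no longer holds.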

Author Comment

by:JaysonJackson
This is a test box and only has a single partition. On the production server, users will only be allowed on a different partition.

Thanks.