Solved

How to create a proper user share in AD?

Posted on 2008-10-17
Last Modified: 2008-10-18
I have walked into a mess with configurations of shares and the servers in general. My current problem has to do with the creation of accounts in AD and user security. The goal, when creating an account, is to have a share for each user where that user is the only one that has full access. Here is what I have so far.

1. Created a share on the server: c:\profile
2. Share name is profile$ (\\phx-server1\profile$)
3. After creating the above share, the Shared Permissions are:
   a. Everyone (read)
   b. Domain\Administrator (I added this and gave full control)
4. In AD Users and Computers:
   a. Created account Test
   b. Properties > Profile, under Home Folder
      i. Connect: U: \\phx-server1\profile$\%username% (the folder is created: \\phx-server1\profile$\test)
5. Logon as test: I am mapped with a U drive to the proper location.
   a. When I try to create a folder or save a file I get Access denied.
   b. Permissions on folder Profile$ are the same as above
   c. The folder Test (which is the user) permissions are as follows:
      i. Domain\Administrator (Full control)
      ii. Creator Owner (Special)
      iii. System (Special)
      iv. Test (Full control)
      v. Domain\Users (Read & Execute) & (Special: Create files / write data and Create folders / append data are both checked and grayed out)

I could be wrong, but since the user Test is a member of the Domain Users group, they can only read and execute. I have the liberty of playing with the permissions on this at will since it is a test setup. How do I get this so the users have full control over this folder?
Question by:JaysonJackson
4 Comments
 
LVL 1

Expert Comment

by:cristides
ID: 22741125
Hi,
You must allow NTFS permission for that user (from Users group).
For this you must click that folder, go to share, and then add the users; then select the user and click the Advanced button. There you have lots of stuff for permissions.
0
 

Author Comment

by:JaysonJackson
ID: 22742752
Creating 200 folders and changing permissions on each is not something I want to do.

How do I set it up so that the new user's folder is created from the user profile with the correct permission?
0
 
LVL 18

Accepted Solution

by:
Americom earned 2000 total points
ID: 22749500
Your access denied is expected.
Here's what you need to do:
Share permission for profile$--Everyone (or Domain Users) grant "FULL"
NTFS permission for profile--Administrators (or Domain Admins) grant "FULL"

When you specify the path \\phx-server1\profile$\%username% and click Apply under the test AD object, the share will be created in \\phx-server1\profile$\test with the following permissions:
Share permission for profile$--same as above
NTFS permission for profile--same as above
NTFS permission for test--automatically granted Administrators (or Domain Admins) FULL and test FULL.

The resultant permission is the most restricted rights from share+NTFS. In this case, it's FULL. So the user will be able to access their own folder but not others, and Administrators (or Domain Admins) will have access to any folder in \\phx-server1\profile$.

Your access denied was mainly because READ was granted on the share, and the resultant rights will be the most restrictive, READ; therefore you cannot delete or create any file or folder.

A few comments:
c:\profile--Bad practice. Unless you only have C: and no other partition, which is also bad practice.
"profile"--Why use the word profile? You are doing users' home folders. Why not Users?
Domain\Administrator--You should always grant permission by group, such as Administrators or Domain Admins.
If you use an individual account for the root folder and you ever decide to change this, it will update all the files and folders underneath... if you have millions of files and folders... it could take a long time and may even affect your differential or incremental backup :]. Yes, even if it's one admin, you should still create a group or use an existing group. The only time you grant permission by individual account is when only that user should have access, such as the above user folder.
Hope this helps.
0
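The layout from the accepted answer, written as a script that also covers the "200 folders" case by creating the per-user folders in a loop. This is an added example, not part of the original thread; it uses only `net share` and `icacls`, and the `D:` drive, the `CONTOSO` domain name and the account list are assumptions.

```powershell
# Run elevated on the file server.
# Assumptions (not from the thread): drive D:, the CONTOSO domain name and the
# account list below are constructed; the accounts must already exist in AD.
$Root   = 'D:\profile'
$Share  = 'profile$'
$Domain = 'CONTOSO'
$Users  = 'test', 'alice', 'bob'

# Root folder NTFS: remove inherited ACEs so Domain Users gets nothing here.
# Only Administrators and SYSTEM hold Full, and (OI)(CI) passes that to
# every subfolder and file.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
icacls $Root /inheritance:r /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Share permission: Full for Everyone, as in the answer. With the share wide
# open, the NTFS ACLs alone decide who can read or write what.
net share "$Share=$Root" '/GRANT:Everyone,FULL'

foreach ($u in $Users) {
    # Per-user folder: inherits Administrators and SYSTEM from the root,
    # then the one user is added with Full. No ACE for Domain Users exists.
    $dir = Join-Path $Root $u
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    icacls $dir /grant "${Domain}\${u}:(OI)(CI)F"

    # Print the resulting ACL so it can be checked against the expected
    # three entries: Administrators, SYSTEM and the user.
    icacls $dir
}
```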
 

Author Comment

by:JaysonJackson
ID: 22750705
This is a test box and only has a single partition. The production server users will only be allowed on a different partition.

Thanks.
0
