Solved

How to create a proper user share in AD?

Posted on 2008-10-17
4
604 Views
Last Modified: 2008-10-18
I have walked into a mess with configurations of shares and the servers in general.   My current problem has to do with the creation of accounts in AD and user security.  The goal is to have a share for each user that the user is the only one that has full access. When creating an account.  Here is what I have so far.

1.      Created a share on the server c:\profile
2.      Share name is profile$  (\\phx-server1\profile$)
3.      After creating the above share the Shared Permissions are
a.      Everyone (read)
b.      Domain\Administrator  (I added this and gave full control)
4.      In AD Users and Computers
a.      Created account Test
b.      Properties  Profile  under Home Folder
i.      Connect: U:   \\phx-server1\profile$\%username%  (the folder is created \\phx-server1\profile$\test
5.      Logon as test I am mapped with a U drive to the proper location.
a.      When I try to create a folder or save a file I get Access denied.
b.      Permissions on folder Profile$ is the same as above
c.      The folder Test (which is the user) permissions are as follows:
i.      Domain\Administrator (Full control)
ii.      Creator Owner (Special)
iii.      System (special)
iv.      Test (Full control)
v.      Domain\Users  (read & Execute) & (Special  Create files /write data  and create Folders / Append Data   are both checked and grayed out)
I could be wrong but since the user Test is a member of the Domain users group they can only read and execute.  I have the liberty of playing with the permissions on this at will since it is a test setup.  How do I get this so the users have full control over this folder?
0
Comment
Question by:JaysonJackson
  • 2
4 Comments
 
LVL 1

Expert Comment

by:cristides
ID: 22741125
Hi,
you must to allow NTFS permission for that user(from Users group).
For this you must to click that folder go to share, and then add the users; then select user and click advanced button . And there you have a lot's of stuff for permission.
0
 

Author Comment

by:JaysonJackson
ID: 22742752
Creating 200 folders and changing permissions on each is not something I want to do.

How do  I set it up so that the New users folder is created from the user profile with the correct permmison.
0
 
LVL 18

Accepted Solution

by:
Americom earned 500 total points
ID: 22749500
Your access denied is expected.
Here's what you need to do:
Share permission for profile$--Everyone(or Domain Users) grant "FULL"
NTFS permission for profile--Administrators(or Domain Admins) grant "FULL"

When you specified the path for \\phx-server1\profile$\%username% and click on apply under the test AD Object, the share will created in \\phx-server1\profiles$\test with the following permissions:
Share permission for profile$--same as above
NTFS permission for profile--same as above
NTFS permission for test--automatically granted Administrators(or Domain Admins) FULL and test FULL.

The resultant permission is the most restricted rights from share+NTFS. In this case, it's FULL. So user will be able to access their own folder but not other and Administrators(or Domain Admins) will have access to anything folder in \\phx-server1\profile$.

You have access denied was mainly due to the READ was granted on the share, and the resultant rights will be the most restrictive READ, therefore you cannot delete or create any file or folder.

A few comments:
c:\profile--Bad practice. Unless you only have C: and no other partition, which is also bad practice
"profile"--why use the word profile, you are doing user's home folder. Why not Users?
Domain\Administrator--You shoul always grant permission by group such as Administrators or Domain Admins.
If you user individual account for the root folder, if you ever decided to change this it will update all the files and folder underneath...if you have millions of file and folders...it could take a long time and may even affect your differential or incremental backup :], yes, even it's one admin, you should still create group or use existing group. The only time you grant permission by individual account is only that user should have access such as the above user folder.
Hope this help.
0
 

Author Comment

by:JaysonJackson
ID: 22750705
this is a test box and only has a single partation.  the production server users will only be allowed on a different partiation.

Thanks.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question