Solved

How to create a proper user share in AD?

Posted on 2008-10-17
Last Modified: 2008-10-18
I have walked into a mess with configurations of shares and the servers in general. My current problem has to do with the creation of accounts in AD and user security. The goal, when creating an account, is to have a share for each user on which that user is the only one with full access. Here is what I have so far.

1. Created a share on the server c:\profile
2. Share name is profile$ (\\phx-server1\profile$)
3. After creating the above share the Shared Permissions are
   a. Everyone (Read)
   b. Domain\Administrator (I added this and gave Full Control)
4. In AD Users and Computers
   a. Created account Test
   b. Properties > Profile > under Home Folder
      i. Connect: U: \\phx-server1\profile$\%username% (the folder is created \\phx-server1\profile$\test)
5. Logon as test: I am mapped with a U drive to the proper location.
   a. When I try to create a folder or save a file I get Access denied.
   b. Permissions on folder Profile$ are the same as above
   c. The folder Test (which is the user) permissions are as follows:
      i. Domain\Administrator (Full Control)
      ii. Creator Owner (Special)
      iii. System (Special)
      iv. Test (Full Control)
      v. Domain\Users (Read & Execute) & (Special: Create Files / Write Data and Create Folders / Append Data are both checked and grayed out)

I could be wrong, but since the user Test is a member of the Domain Users group they can only read and execute. I have the liberty of playing with the permissions on this at will since it is a test setup. How do I get this so the users have full control over this folder?
Question by:JaysonJackson
LVL 1

Expert Comment

by:cristides
ID: 22741125
Hi,
you must allow NTFS permission for that user (from the Users group).
For this you must click that folder, go to share, and then add the users; then select the user and click the advanced button. And there you have a lot of stuff for permission.

Author Comment

by:JaysonJackson
ID: 22742752
Creating 200 folders and changing permissions on each is not something I want to do.

How do I set it up so that the new user's folder is created from the user profile with the correct permission?
LVL 18

Accepted Solution

by:
Americom earned 500 total points
ID: 22749500
Your access denied is expected.
Here's what you need to do:
Share permission for profile$--Everyone(or Domain Users) grant "FULL"
NTFS permission for profile--Administrators(or Domain Admins) grant "FULL"

When you specify the path \\phx-server1\profile$\%username% and click on Apply under the test AD object, the folder will be created in \\phx-server1\profile$\test with the following permissions:
Share permission for profile$--same as above
NTFS permission for profile--same as above
NTFS permission for test--automatically granted Administrators(or Domain Admins) FULL and test FULL.

The resultant permission is the most restrictive rights from share+NTFS. In this case, it's FULL. So the user will be able to access their own folder but not others', and Administrators (or Domain Admins) will have access to any folder in \\phx-server1\profile$.

Your access denied was mainly due to READ being granted on the share; the resultant rights will be the most restrictive, READ, therefore you cannot delete or create any file or folder.

A few comments:
c:\profile--Bad practice. Unless you only have C: and no other partition, which is also bad practice.
"profile"--why use the word profile? You are doing users' home folders. Why not Users?
Domain\Administrator--You should always grant permission by group, such as Administrators or Domain Admins.
If you use an individual account for the root folder and you ever decide to change this, it will update all the files and folders underneath...if you have millions of files and folders...it could take a long time and may even affect your differential or incremental backup :]. Yes, even if it's one admin, you should still create a group or use an existing group. The only time you grant permission by individual account is when only that user should have access, such as the above user folder.
Hope this helps.
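
A scripted version of the layout in the accepted answer, for creating many home folders at once. This is an added example, not code from the thread; it assumes Windows Server 2012 or later with the SmbShare and ActiveDirectory modules, and the `DOMAIN` name, the `test2` account and the SYSTEM entry on the root are assumptions that do not come from the thread.

```powershell
# Added example. Path, share and server names are from the thread;
# $Domain and $Users are constructed placeholders. Run elevated.
Import-Module ActiveDirectory

$Root   = 'C:\profile'      # the thread's test path; use a data volume in production
$Share  = 'profile$'
$Server = 'phx-server1'
$Domain = 'DOMAIN'          # placeholder NetBIOS domain name
$Users  = 'test', 'test2'   # constructed sample accounts

# Root folder: remove inherited ACEs so Domain\Users no longer flows down,
# leaving Administrators (per the answer) and SYSTEM (assumption, for services).
New-Item -ItemType Directory -Path $Root -Force | Out-Null
icacls $Root /inheritance:r /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# Share permission is Full; the NTFS ACLs do the actual restriction.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Root -FullAccess 'Everyone' | Out-Null
}

foreach ($u in $Users) {
    # Per-user folder: inherits the root ACL, plus Full Control for its owner only.
    $path = Join-Path $Root $u
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $grant = '{0}\{1}:(OI)(CI)F' -f $Domain, $u
    icacls $path /grant $grant | Out-Null

    # Point the account's home folder at the new directory (U: as in the question).
    $unc = '\\{0}\{1}\{2}' -f $Server, $Share, $u
    Set-ADUser -Identity $u -HomeDrive 'U:' -HomeDirectory $unc

    # Check: warn if any principal other than the three expected ones has an ACE.
    $allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$Domain\$u"
    $extra = (Get-Acl $path).Access |
        Where-Object { $_.IdentityReference.Value -notin $allowed }
    if ($extra) {
        Write-Warning "$path has unexpected ACEs: $($extra.IdentityReference -join ', ')"
    }
}

# Show the share-level permissions so both layers can be compared.
Get-SmbShareAccess -Name $Share
```

Unlike the Apply button in AD Users and Computers, `Set-ADUser` only writes the attribute and does not create the folder, which is why the script creates it and sets the ACL itself.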
 

Author Comment

by:JaysonJackson
ID: 22750705
This is a test box and only has a single partition. The production server users will only be allowed on a different partition.

Thanks.