Solved

Set permission on users home directory.

Posted on 2009-04-09
Last Modified: 2012-06-27
Hello,

I am trying to set permissions on the users' home directory to only allow users to view their own created directory. I have set the permissions as follows:
Shared folder called users$: set permissions to domain admins/full and domain users/read+change.
Under Security I have set the same. I click Advanced, select domain users and click Edit, make sure that traverse, list, read permissions are set and make sure that allow inheritable is unchecked; I check the replace permissions entries...
When I select a user and Windows Explorer and manually type in \\server\users$ I can open all folders. The user is a test user and also belongs to the domain users group.

I need to block access to all users; they should have access to their own folders only, even if they manually type in the address in Windows Explorer.

Any ideas?

Thanks
Question by:sammy_bull
LVL 84

Expert Comment

by:oBdA
ID: 24109226
Set the permissions so that you have the least effort with it, for example like this for user JDoe:
Users: Local(!) Administrators:Full, System:Full, Local(!) Users:Read ("This folder only" in Advanced properties);
  +-- JDoe: Local Administrators:Full (inherited), System:Full (inherited), JDoe:Full (or Change)
0
 

Author Comment

by:sammy_bull
ID: 24110052
Sorry!

I am having difficulty understanding what you suggested. Do I set the permissions on the share tab or on the security tab? I think you mean the security tab. Do you also mean I would have to do the joe part on each user folder?

Thanks
0
 

Author Comment

by:sammy_bull
ID: 24110092
I am creating an empty folder called users$ on another server. What would I need to set for the permissions, so that when I log in with a user it is automatically set?

Thanks
0
 
LVL 84

Accepted Solution

by:
oBdA earned 250 total points
ID: 24110667
Name the folder just Users; you can add the $ at the end of the share name, but note that hiding a share does *not* add any security.
Share the folder, and give Everyone Full Control in the *share* permissions (no need to use both Share and NTFS permissions).
Open the NTFS permissions of the folder, go to the Advanced tab, disable the permissions inheritance for the folder, click OK to close the Advanced dialog.
Remove all accounts that currently have permissions except the local(!) Administrators group (should have Full Control), the local System account (should have Full Control), and the local(!) Users group (should have Read); click Apply.
Re-open the Advanced properties, highlight "Users", and change the "Apply to" dropdown box to "This folder only". Close the permission dialogs.
When you now add a user folder, you only have to add the user account, without having to break inheritance, and you still have the ability to add, for example, a helpdesk group to Users, with the permissions being inherited down to the user folders.
A home folder will never be created upon logon. If one doesn't exist, it will be created as soon as you specify the path in the user's properties in ADUC, but the permissions given there usually aren't that usable. In the long run, you're better off simply creating the home folder before you create the user, and add the account to the permissions as soon as the user is created (or create the user, including the home drive and other default settings it needs, with a script).
0
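
The steps in the accepted solution, scripted in PowerShell as an added example (not oBdA's script and not part of the original thread). The path `D:\Users`, the domain `CONTOSO` and the account `jdoe` are assumed placeholders; `New-SmbShare` requires Windows Server 2012 or later, and the script must run elevated on the file server with the account already created.

```powershell
# Added example. Assumed placeholders: D:\Users, CONTOSO\jdoe.
$root    = 'D:\Users'
$account = 'CONTOSO\jdoe'
$userDir = Join-Path $root 'jdoe'

function New-AllowRule([string]$Identity, [string]$Rights, [string]$Inherit) {
    # Inherit: 'ContainerInherit,ObjectInherit' = this folder, subfolders and files
    #          'None'                           = this folder only
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, 'None', 'Allow')
}

# Root folder: disable inheritance, discard existing entries, then add
# only local Administrators, SYSTEM and local Users (Read, this folder only).
New-Item -ItemType Directory -Path $root -Force | Out-Null
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)   # protect; do not copy inherited ACEs
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit,ObjectInherit'))
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit,ObjectInherit'))
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Users'          'Read'        'None'))
Set-Acl -Path $root -AclObject $acl

# Share permissions: Everyone Full Control; NTFS does the real filtering.
# The trailing $ only hides the share, it adds no security.
New-SmbShare -Name 'Users$' -Path $root -FullAccess 'Everyone' | Out-Null

# Per-user folder: inheritance stays on, so Administrators and SYSTEM flow
# down from the root; only the user's own entry is added.
New-Item -ItemType Directory -Path $userDir -Force | Out-Null
$userAcl = Get-Acl -Path $userDir
$userAcl.AddAccessRule((New-AllowRule $account 'Modify' 'ContainerInherit,ObjectInherit'))
Set-Acl -Path $userDir -AclObject $userAcl

# Check: no broad group (local Users, Domain Users, Authenticated Users,
# Everyone) should hold an entry on the user's folder.
$broad = (Get-Acl -Path $userDir).Access |
    Where-Object { "$($_.IdentityReference)" -match 'Users$|Everyone$' }
if ($broad) {
    Write-Warning "Broad group entry found on $userDir"
    $broad | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    (Get-Acl -Path $userDir).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited
}
```

`Modify` here corresponds to the "Change" level mentioned in the answer; use `FullControl` instead if users should be able to alter permissions on their own folder.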
 
LVL 18

Expert Comment

by:Americom
ID: 24116117
I would suggest you follow oBdA's suggestion above.
Manage permissions by Security (NTFS) and leave Full Control on the Share permission.
If you care what permission a user has on his/her own folder, don't even bother to create the folder via the Profile tab under the user account properties, as that will give users full control of their folder, which would make your life miserable. So, setting up \\server\users or \\server\users$ will be the root, then the user home folders will be under it.
0
