Avatar of Bumm
Bumm
 asked on

Domain users personal File folders permissions

Ok Folks,

Just updated Domain to Win Server 2008 R2. I have created normal shares and a Users folder for our local users to place company docs in. Each user has been allocated a folder, however i cannot seem to get the permissions correct. in security settings i have do not inherit rights from parent and is as follows. creator owner,system,domain user and administrator. They can ope folder but cannot create new folders or copy data to it. I know this should be "know your AD 101 but I have slept since that class. ..Could someone let me know the proper protocol fo allowing access to the particule user without opening u to the worls. Thanks in advance
Active DirectoryMicrosoft Legacy OSMicrosoft Server Apps

Avatar of undefined
Last Comment
Bumm

8/22/2022 - Mon
Todd Gerbert

Each user has their own folder and they shouldn't be able to access each others' folder?  Or they each have their own folder over which they have full control, and read-only to others?
Bumm

ASKER
Each user has thier own folder that should not be viewed from any grp other than admin...and each user should have full control read/write/modify at will.
Bumm

ASKER
I have created the folder in Active Directory under users profile connect to: mapped drive directing
Your help has saved me hundreds of hours of internet surfing.
fblack61
Todd Gerbert

And I understand these folders are not part of the normal hierarchy of their profile (e.g. C:\CompanyDocs\Bob, C:\CompanyDocs\John, etc)?

So, I would make C:\CompanyDocs have full control for SYSTEM and Domain Admins, Read/Execute for Domain Users.  Each folder under that should inherit permissions, plus add the applicable user with Full Control.
Todd Gerbert

Sorry - meant for read/execute to only apply to the parent folder, you need to use the "Advanced" security settings to change how an individual permission is propogated or not.

So,
C:\HomeFolders
  SYSTEM: Full Control
  Domain Admins: Full Control
  Domain Users: Read/Execute (this folder only)

  C:\HomeFolders\John
    SYSTEM: Full Control (Inherited)
    Domain Admins: Full Control (Inherited)
    John: Full Control
Bumm

ASKER
funny thing is i have tried it both ways. this is the setup : \\server\Users\name .

the root directory admin grp and system does have full control however the users still could not create or modify anfolders or sub folders. I have been wondering if i should delete the directory and start over since i have manipulated it so much ...i need a permissions for dummies refresher course to show me how to setup permissions from basic
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Bumm

ASKER
should this be setup as a share?
Todd Gerbert

Have you modified any of the permissions on C:\Users on your server?
Bumm

ASKER
yes...i just took it down to administrator being the owner of root
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Todd Gerbert

Actually, let me back up a little bit.  What is it that you wish to accomplish?

1: Roaming profiles - the users' entire profile is stored on a central server, so that no matter what computer they log into they get the same Documents folder, Desktop folder, Favorites, etc, etc. This requires the profile to be copied to/from the server with each logon/logoff.

2: Redirect the users' "My Documents" to a centrally located store, so that when they double-click "My Documents" they're transparently taken to \\someserver\someshare instead, documents always reside on the network share.

3: Create home directories, to which a drive letter will be mapped. Users will need to manually save documents to this drive.
Bumm

ASKER
create home directories with mapped drive. roaming profiles take too long to load...and redirect my docs have too much persoanl info that does not need to be backed up
Todd Gerbert

You need to restore default permissions to C:\Users, that's for the user profiles on the server and should be considered a system directory not to be messed with.  Make sure you have Show Hidden Files and Folders turned on.  Everyone and Domain Users: Read & Execute, SYSTEM and Administrators: Full Control.  You should probably only have a couple of profiles on the server, just the users to have ever logged on at that server, e.g. Administrator, Administrator.YOURDOMAIN, and Default. Default should inherit all it's permissions from C:\Users. Other folders there, i.e. Administrator, should not inherit and will have full control for SYSTEM, Administrators and whatever user the folder is for.

Okay, so log into your server and create a new folder that is to be shared, e.g. C:\HomeFolders.  Share this folder as "Home", for example.  Right click the folder, go to Security tab and click Advanced. Clear the "Include inheritable permissions" check box, and when prompted choose to have existing permissions removed. Click Add, type "Domain Users" and click OK. Change "Apply to" to "This folder only", select the Traverse Folder and List Folder permissions, click OK three times - back to the basic security settings tab. Add Administrators and SYSTEM with full control.

Create folder under that for each user, right click on each one and leave the inherited permissions as they are, just add the applicable user with Full Control.

The in Active Directory Users & Computers, for each user, set their home to connect X: to \\server\home.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Bumm

ASKER
Thank you tgerbert.....working the magic as we type.
Bumm

ASKER
ok Tegbert tried creating new Home folder as a share created a couple of new users folders underneath....still the user does not have access to create or modify new folder
Todd Gerbert

Do they have read/write access on the Share permissions?  
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
Bumm

ASKER
yes they have full permissions to the folder/files/subfolders...they cannot create a folder...i created a folder for them and we attempted to scan images to the folder which was successful. Howerver they cannot create new folders to organize
ASKER CERTIFIED SOLUTION
Todd Gerbert

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Bumm

ASKER
Tgerbert, man I appreciate the help and info...now folks are able to create and modify folders and files...and i went back and fixed permissions on the Users directory folder share and now they can do the same there. Thanks for your help.