asked on
Domain users personal File folders permissions
Ok Folks,
Just updated Domain to Win Server 2008 R2. I have created normal shares and a Users folder for our local users to place company docs in. Each user has been allocated a folder, however i cannot seem to get the permissions correct. in security settings i have do not inherit rights from parent and is as follows. creator owner,system,domain user and administrator. They can ope folder but cannot create new folders or copy data to it. I know this should be "know your AD 101 but I have slept since that class. ..Could someone let me know the proper protocol fo allowing access to the particule user without opening u to the worls. Thanks in advance
Just updated Domain to Win Server 2008 R2. I have created normal shares and a Users folder for our local users to place company docs in. Each user has been allocated a folder, however i cannot seem to get the permissions correct. in security settings i have do not inherit rights from parent and is as follows. creator owner,system,domain user and administrator. They can ope folder but cannot create new folders or copy data to it. I know this should be "know your AD 101 but I have slept since that class. ..Could someone let me know the proper protocol fo allowing access to the particule user without opening u to the worls. Thanks in advance
Active DirectoryMicrosoft Legacy OSMicrosoft Server Apps
Last Comment
Bumm
Each user has their own folder and they shouldn't be able to access each others' folder? Or they each have their own folder over which they have full control, and read-only to others?
ASKER
Each user has thier own folder that should not be viewed from any grp other than admin...and each user should have full control read/write/modify at will.
ASKER
I have created the folder in Active Directory under users profile connect to: mapped drive directing
And I understand these folders are not part of the normal hierarchy of their profile (e.g. C:\CompanyDocs\Bob, C:\CompanyDocs\John, etc)?
So, I would make C:\CompanyDocs have full control for SYSTEM and Domain Admins, Read/Execute for Domain Users. Each folder under that should inherit permissions, plus add the applicable user with Full Control.
So, I would make C:\CompanyDocs have full control for SYSTEM and Domain Admins, Read/Execute for Domain Users. Each folder under that should inherit permissions, plus add the applicable user with Full Control.
Sorry - meant for read/execute to only apply to the parent folder, you need to use the "Advanced" security settings to change how an individual permission is propogated or not.
So,
C:\HomeFolders
SYSTEM: Full Control
Domain Admins: Full Control
Domain Users: Read/Execute (this folder only)
C:\HomeFolders\John
SYSTEM: Full Control (Inherited)
Domain Admins: Full Control (Inherited)
John: Full Control
So,
C:\HomeFolders
SYSTEM: Full Control
Domain Admins: Full Control
Domain Users: Read/Execute (this folder only)
C:\HomeFolders\John
SYSTEM: Full Control (Inherited)
Domain Admins: Full Control (Inherited)
John: Full Control
ASKER
funny thing is i have tried it both ways. this is the setup : \\server\Users\name .
the root directory admin grp and system does have full control however the users still could not create or modify anfolders or sub folders. I have been wondering if i should delete the directory and start over since i have manipulated it so much ...i need a permissions for dummies refresher course to show me how to setup permissions from basic
the root directory admin grp and system does have full control however the users still could not create or modify anfolders or sub folders. I have been wondering if i should delete the directory and start over since i have manipulated it so much ...i need a permissions for dummies refresher course to show me how to setup permissions from basic
ASKER
should this be setup as a share?
Have you modified any of the permissions on C:\Users on your server?
ASKER
yes...i just took it down to administrator being the owner of root
Actually, let me back up a little bit. What is it that you wish to accomplish?
1: Roaming profiles - the users' entire profile is stored on a central server, so that no matter what computer they log into they get the same Documents folder, Desktop folder, Favorites, etc, etc. This requires the profile to be copied to/from the server with each logon/logoff.
2: Redirect the users' "My Documents" to a centrally located store, so that when they double-click "My Documents" they're transparently taken to \\someserver\someshare instead, documents always reside on the network share.
3: Create home directories, to which a drive letter will be mapped. Users will need to manually save documents to this drive.
1: Roaming profiles - the users' entire profile is stored on a central server, so that no matter what computer they log into they get the same Documents folder, Desktop folder, Favorites, etc, etc. This requires the profile to be copied to/from the server with each logon/logoff.
2: Redirect the users' "My Documents" to a centrally located store, so that when they double-click "My Documents" they're transparently taken to \\someserver\someshare instead, documents always reside on the network share.
3: Create home directories, to which a drive letter will be mapped. Users will need to manually save documents to this drive.
ASKER
create home directories with mapped drive. roaming profiles take too long to load...and redirect my docs have too much persoanl info that does not need to be backed up
You need to restore default permissions to C:\Users, that's for the user profiles on the server and should be considered a system directory not to be messed with. Make sure you have Show Hidden Files and Folders turned on. Everyone and Domain Users: Read & Execute, SYSTEM and Administrators: Full Control. You should probably only have a couple of profiles on the server, just the users to have ever logged on at that server, e.g. Administrator, Administrator.YOURDOMAIN, and Default. Default should inherit all it's permissions from C:\Users. Other folders there, i.e. Administrator, should not inherit and will have full control for SYSTEM, Administrators and whatever user the folder is for.
Okay, so log into your server and create a new folder that is to be shared, e.g. C:\HomeFolders. Share this folder as "Home", for example. Right click the folder, go to Security tab and click Advanced. Clear the "Include inheritable permissions" check box, and when prompted choose to have existing permissions removed. Click Add, type "Domain Users" and click OK. Change "Apply to" to "This folder only", select the Traverse Folder and List Folder permissions, click OK three times - back to the basic security settings tab. Add Administrators and SYSTEM with full control.
Create folder under that for each user, right click on each one and leave the inherited permissions as they are, just add the applicable user with Full Control.
The in Active Directory Users & Computers, for each user, set their home to connect X: to \\server\home.
Okay, so log into your server and create a new folder that is to be shared, e.g. C:\HomeFolders. Share this folder as "Home", for example. Right click the folder, go to Security tab and click Advanced. Clear the "Include inheritable permissions" check box, and when prompted choose to have existing permissions removed. Click Add, type "Domain Users" and click OK. Change "Apply to" to "This folder only", select the Traverse Folder and List Folder permissions, click OK three times - back to the basic security settings tab. Add Administrators and SYSTEM with full control.
Create folder under that for each user, right click on each one and leave the inherited permissions as they are, just add the applicable user with Full Control.
The in Active Directory Users & Computers, for each user, set their home to connect X: to \\server\home.
ASKER
Thank you tgerbert.....working the magic as we type.
ASKER
ok Tegbert tried creating new Home folder as a share created a couple of new users folders underneath....still the user does not have access to create or modify new folder
Do they have read/write access on the Share permissions?
ASKER
yes they have full permissions to the folder/files/subfolders...
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Tgerbert, man I appreciate the help and info...now folks are able to create and modify folders and files...and i went back and fixed permissions on the Users directory folder share and now they can do the same there. Thanks for your help.