pendal1 asked:
file server/2003 - only want a user to have permissions to create home folders on server

Hello guys and thanks in advance for your time and expertise.  
I have four or five users that I would like to have permissions to create home folders for users on our network (on our file server) and that's it.
 The server is 2003 and we are at the functional level of 2003.
I have the file server in a servers OU and I went through the delegation of control wizard and that doesn't seem to be the answer for me.  I guess I could give the users permissions on the root drive (where our home folders are located), but I just wanted to check here to see if I'm handling this in the best way.  I guess what these users will need to do is log onto the file server and then create home folders for users and that's all I want them to do.  The previous admin had them in the Domain Admins group which is just nuts but that's the way it was.  Anyway, please let me know your input and recommendations for handling this operation.  Your help is greatly appreciated.
Will Szymkowski:

Generally you should set permissions in both areas (NTFS/SHARE and setting OU delegation).

In order to have proper delegation you will need to set the delegation on the OU, but you also need to make sure that the group or user is also in this OU when you set the delegation.

I would recommend creating a group called "home folder administrators", adding your 4-5 users to this group and putting it in the Servers OU. Then set the delegation on this group.

Here is some more helpful info from techtarget.com
http://searchenterprisedesktop.techtarget.com/generic/0,295582,sid192_gci1050027,00.html

Hope this helps!

pendal1 (Asker):

Thanks spec01.  That definitely helped and gave me some tips.  Here's what I'm thinking of doing: create an administrative OU.  I would put the home folder administrators in this administrative OU.  I would then create a sub-OU of the servers OU and nest the file servers in the file servers OU.  I would then delegate control on the file servers OU and give the home folder administrators control over only shared objects because that's all they're going to be working with.  I also had to add the users to the Terminal users group so they could RDP into the servers.  Hope you agree with that.
I was testing this and security-wise it seemed to work.  The users really couldn't do anything except work with shared folders.  I could create a new folder, and delete the folder.  However, I couldn't delete any of the existing folders and that would be a problem.  I guess this is where you're saying I have to give these users additional NTFS permissions on the root of these home folders.  Would that be correct?  Please let me know what you think of the way I have this laid out.  Your help is greatly appreciated.
OriNetworks:

I'm not sure why we have to delegate OU permissions but I do agree with the suggestion to create a group. By default the NTFS permissions would give them access to the Users group which they would probably be members of. I would suggest editing permissions at the root of the drive to remove the Users group and add the group you created. For the permissions, assign special permissions to only create folders. Of course you would then have to make sure the users' home folders allow them the access they need to create and delete files for their own folder.  http://support.microsoft.com/kb/308419
You delegate control so that they can setup the home folder within the users AD account.

For the NTFS permissions, just set allow inheritance on all of the folders they do not have access to. You should be able to do this from the top level Shared folder.

You are on the right track.
pendal1 (Asker):

OK - Here's where I'm at now.  As you guys know, I want these four or five users to create home folders/delete home folders on our file server.  That's it.  Spec01, you bring up a good point about setting up the home folder within the users' (user population) AD accounts.  With that in mind, do I have to delegate control of the users' OU and give my home folder administrators control over ACCOUNT OBJECTS OR CONTROL OVER THE ABILITY TO CREATE, MANAGE, AND DELETE ACCOUNT OBJECTS?  Additionally, do I have to delegate control over the file servers OU and then give the home folder administrators control over SHARED FOLDERS?  And then finally give the home folder administrators NTFS permissions on the root of the home folders share.  Hope that makes sense and thanks for the help.
pendal1 (Asker):

Here's something that I found strange.  I gave my test user full control of the home folder share.  This is the share that has all of the home folders.  I can create a new folder and then delete this new folder.  However, I'm unable to delete any of the existing home folders or view their contents.  What am I missing here, as I gave this user full control of the home folder share?  Thanks.
pendal1 (Asker):

My problem now is the NTFS permissions are not propagating to the child shares and the files therein.  The guys who set them up previously turned off inheritance on these child folders.  I could force new permissions via replace but I don't want to do that because each folder has permissions specific to a user and I can't simulate that at the top level of the share.  The only user that has the access I need is the administrator but I hate to give these people that kind of access on this server.  If anyone knows of a way to propagate the NTFS permissions - I'd love to hear it.  Thanks.
The point is not to have permissions inheritance from the parent so other users can't read a different user's files. What you need to do is give the person that is assigned to the folder full permissions to this folder that is to contain their files.
pendal1 (Asker):

OriNetworks - these people that I'm trying to set up are going to be home folder administrators.  I need them to create/delete and view users' home folder contents if necessary, because as I said, they are going to manage this data.  I would need this level of permissions to be inherited on all the home folders but it's not happening because inheritance is turned off on all the child objects (shares).  And I can't replace permissions because then I lose the individual users' permissions on their shares.  I think my only hope is to make these users administrators on the server.  I hate to do it but I will let you know how that works.
pendal1 (Asker):

Here's what I've done.  This solution so far, based on your recommendations and my testing, is the best I've been able to come up with.  I created a domain local security group and gave that group full control of the top level share.  I then created a global security group, composed of my home folder admins, and nested that group in my domain local security group.
However, because of inheritance and because the explicit permissions have to stay put on the child objects (home folders - the specific user permissions on their shares), I was unable to replace permissions and set them up as I would like and let them propagate, because then I would lose my explicit permissions.  There just doesn't seem to be any way around that.
So for these home folder administrators to do what they need to do: create folders/delete folders and view the contents of folders - I had to put my home folder admins in the local admins group which has permissions on all of the relevant objects.  I'm not thrilled with these guys having such rights on my file server but we have to start delegating some of this data management as our user population is huge.  Anyway, this is the only way this process works.  And it is much better than having these guys with domain admin rights.  Now they can only screw up my file server, and while that would suck, at least they can't screw up the entire domain.
If anyone has a better way with less permissions for these guys on my file server - I'd love to implement it.  Appreciate any comments on the way I've handled this.  Thanks very much.
Sorry for the misunderstanding, I was thinking they only needed to create the users' home folder and not have to view the contents. Since you have a large user base the first thing that comes to mind is scripting and the easiest way would be PowerShell. Personally I'm not familiar enough to be able to generate an entire script specifically for this purpose but it's rather easy to find scripts and combine them to accomplish this. It sounds like you need

Lookup a list of all child folders and | (pipe) the results to set permissions to add your admin group.

Here are a few links to get started
http://www.powershell.nu/2009/02/13/set-folder-permissions-using-a-powershell-script/

http://blogs.msdn.com/b/johan/archive/2008/10/01/powershell-editing-permissions-on-a-file-or-folder.aspx

and for checking existing permissions: http://powershell.com/cs/blogs/tips/archive/2009/03/05/checking-file-and-folder-permissions.aspx

I hope this helps.
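The two pieces suggested in this thread (a "create folders only" right on the root of the share, and a loop over the existing home folders that adds the admin group without replacing the per-user permissions that have inheritance turned off) can be done with Get-Acl/Set-Acl. The script below is an added example written for this page, not code from the thread or from the linked posts. The root path D:\Home and the group CONTOSO\HomeFolderAdmins are assumed placeholders; replace them with your own. It must be run once by an account that can already change the DACL on every home folder (for instance a member of the server's local Administrators group); after that the delegated group no longer needs local admin rights for day-to-day work.

```powershell
# Added example, not code from this thread. Assumed values (replace them):
# the home folder root path and the delegated domain group.
param(
    [string]$Root  = 'D:\Home',
    [string]$Group = 'CONTOSO\HomeFolderAdmins'
)

function New-Ace {
    # Build an Allow FileSystemAccessRule. Enum names are passed as strings so
    # this also runs on PowerShell 2.0, the newest version Server 2003 can run.
    param($Identity, $Rights, $Inherit, $Propagate = 'None')
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

# 1. Root of the share: the group may list it and create or delete top-level
#    folders. The ACE applies to "this folder only" (no inheritance flags), so
#    on its own it grants nothing inside any user's home folder. Note that
#    DeleteSubdirectoriesAndFiles on the parent allows deleting a child folder
#    regardless of the child's own DACL; audit this right if you enable it.
$rootAcl = Get-Acl -Path $Root
$rootRights = 'ListDirectory, CreateDirectories, DeleteSubdirectoriesAndFiles, ReadAttributes, ReadPermissions'
$rootAcl.AddAccessRule((New-Ace $Group $rootRights 'None'))
Set-Acl -Path $Root -AclObject $rootAcl

# 2. Each existing home folder: append one FullControl ACE for the group.
#    AddAccessRule only adds an entry to the DACL; the folder's existing
#    explicit per-user ACEs and its "inheritance off" setting stay as they are,
#    so nothing is replaced (the problem described earlier in this thread).
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder = $_.FullName
    $acl = Get-Acl -Path $folder
    $acl.AddAccessRule((New-Ace $Group 'FullControl' 'ContainerInherit, ObjectInherit'))
    Set-Acl -Path $folder -AclObject $acl
    Write-Host "Added $Group FullControl on $folder"
}

# 3. Verify: report any home folder where the group still has no ACE
#    (for example one whose DACL the account running this could not change).
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $hasAce = (Get-Acl -Path $_.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group }
    if (-not $hasAce) { Write-Warning "No ACE for $Group on $($_.FullName)" }
}
```

Because step 1 deliberately does not inherit downward, a home folder created later by one of the delegated users will not automatically carry the group's FullControl ACE or the new user's own ACE; either re-run step 2 after provisioning, or make the script that creates a home folder add both entries at creation time. Step 3 is the check to run afterwards, since Set-Acl fails on a folder the caller cannot write the DACL of, and those failures are the ones that matter here.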
ASKER CERTIFIED SOLUTION
OriNetworks
pendal1 (Asker):

Thanks for your time and patience in helping me resolve this problem.  Much appreciated.