Solved

What account is used to auto create a user profile/home directory in Windows Server 2008?

Posted on 2010-09-18
Last Modified: 2012-05-10
I have a Windows Server 2008 Terminal Server and a separate Windows 2008 File Server. The User Profile and Home directories are specified in the Server Group Policy to a DFS share that is on the File Server. When the user logs into the Terminal Server for the first time, it creates the profile and home directory for the user only if the parent Home and Profile folders on the file server have create folder permissions for Authenticated Users. I don't want the user to be able to create files/folders at the root home and profile folder level. What account is used by the server to create the user profile and home directories?

The parent folders "Homes" and "Profiles" have the following security settings
 
SYSTEM - Full
Domain Admins - Full
Administrators (on local file server) - Full
CREATOR OWNER - Full on SubFolders and Files
Domain Users - Read Permissions, Read Attributes, List Folder

--User Home directory location
\\DFSSHARE\Homes\user1
\\DFSSHARE\Homes\user2

--Roaming Profile location
\\DFSSHARE\Profiles\user1
\\DFSSHARES\Profiles\user2

If I also set
Authenticated Users - Create Folder (This Folder Only)

The directories are created fine when the user logs into the Terminal Server, but the user also has the ability to create other folders/files in their home root folder, which I don't want.

What account is the Windows Server 2008 using to create the user home/profile folders so I can specifically assign the create folder permissions to this account and not the users?

Thanks in advance for any help
0
Question by:gslit
LVL 8

Accepted Solution

by:
McNetic earned 500 total points
ID: 33716216
The user account is used to create those folders; which is why authenticated users have to have permissions here.
0
 

Author Comment

by:gslit
ID: 33718425
OK, in that case is there any way to lock down or hide the parent folder of all the homes and profiles in the DFS share path so that the user can't create other folders/files there after their initial home and profile folders are created?
The DFS path to the home/profile parent is
\\DFSSHARE\Shares\RDS\TS\Homes
\\DFSSHARE\Shares\RDS\TS\Profiles
The DFS share point link is to \\DFSSHARE\Shares\RDS which maps to a physical share on a file server D:\FILESERVER\PhysicalShare\RDS.  The \TS\Homes and \TS\Profiles are subfolders from this share point.
If I can't stop the users from creating files and folders in the parent folders, then is there a way to just hide the folder tree at some point so they can't navigate to the location from the DFS share?
 
 
0
 
LVL 8

Expert Comment

by:McNetic
ID: 33720733
I don't think this is possible; if someone has permissions to the folder, you can't stop them from going there.

Maybe it's possible to pre-create (empty) folders in the profiles share and remove the permissions to create folders on the top level. I don't know if Windows will accept these empty folders and create the profile therein.
0
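
The pre-creation idea from the last comment, written out for the Homes root only, as an added example that is not part of the original thread. It assumes an account allowed to create folders under the root, uses `CONTOSO` as a placeholder domain name and the `user1`/`user2` sample names from the question, and then audits the parent folder for any broad group that can still create items there. Whether Windows accepts pre-created folders for roaming profiles is left open, as in the comment above.

```powershell
# Added example, not from the thread. Run as an administrator of the share.
# Assumptions: CONTOSO is a placeholder domain; user1/user2 are the sample
# names from the question; $HomesRoot is the DFS path quoted in the thread.
$HomesRoot = '\\DFSSHARE\Shares\RDS\TS\Homes'
$Domain    = 'CONTOSO'
$Users     = 'user1', 'user2'

foreach ($u in $Users) {
    $path = Join-Path $HomesRoot $u
    if (-not (Test-Path -Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
    # Grant the user Modify on the folder, its subfolders (CI) and files (OI).
    # ACEs inherited from the parent (SYSTEM, admins) are left untouched.
    & icacls.exe $path /grant "${Domain}\${u}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $path" }
}

# Audit the parent: list Allow ACEs that let a broad group create files or
# folders directly in the root. Inherit-only ACEs (such as CREATOR OWNER on
# subfolders and files) do not apply to the root itself and are skipped.
$broad  = 'Authenticated Users', 'Domain Users', 'Everyone', 'BUILTIN\Users'
$create = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'

$findings = (Get-Acl -Path $HomesRoot).Access | Where-Object {
    $id = $_.IdentityReference.Value
    ($_.AccessControlType -eq 'Allow') -and
    (([int]$_.FileSystemRights -band $create) -ne 0) -and
    ("$($_.PropagationFlags)" -notmatch 'InheritOnly') -and
    ($broad | Where-Object { $id -like "*$_" })
}

if ($findings) {
    Write-Warning "Broad create rights still present on $HomesRoot"
    $findings | Select-Object IdentityReference, FileSystemRights, IsInherited
} else {
    Write-Output "No broad create rights on $HomesRoot"
}
```

Once every user's folder exists and the audit reports nothing, the `Authenticated Users - Create Folder (This Folder Only)` entry from the question is no longer needed on the Homes root.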
