home folder/group drive permissions

jhaff
I'm trying to establish an internal file structure for our users. My question is more about best practice and how to apply appropriate permissions.

I have a file server and the home directory of a user at the following location: "D:\Shared\Admin\user1home" for user1 and "D:\Shared\Admin\user2home" for user2, where my share point is 'Admin' and the AD Home Folder H: points to the path "\\fileserver\admin\user%home". I'm trying to figure out if that is the right share point (as opposed to \\fileserver\user%home) and what NTFS permissions I need to apply to my share point (i.e. the directory 'Admin') so that users with homes in that directory/share do not have access to other users' homes also in that directory/share and still have full access to their own home.

To accomplish my goal, I believe I can give 'read/list folders/read attributes/read extended attributes' to the group of users in that directory/share and then let AD take care of the permissions on each user's home. Is that correct?
Using your example:
You could create the folder structure as D:\Shared\Admin.
Then create user1 and user2 as subfolders and share them. As far as permissions, you can grant "Everyone" Full Control on the Sharing tab and then lock down access to the folder for each user using the "Security" (NTFS permissions) tab.
You would then assign the appropriate permissions on the respective user folders for each user (user1 and user2).
This way, when you connect to the share it would be \\servername\user1 and \\servername\user2.
The rest of the structure (D:\Home\Admin) would not need to be seen or used (because you shared out the user folder).
You would then just allow List Folder and Read on the top-level folders and the users should be all set.

Hope this helps!
Sorry for the typo -- I meant D:\Shared\Admin  -- not D:\Home\Admin..

Author

Commented:
Then I'd have to have a share for each user on my file server, which leaves me assigning both NTFS and share permissions to each share, besides the fact that when I go to \\fileserver I see 200+ shares. Whereas with the help of AD, I could make 3-5 share points for all my 200 users (based upon AD organization and user role in the organization) and let AD take care of the rest. Isn't that a simpler model? Is there a best practice for this scenario?
Did not realize how many shares you were referring to; it sounded small based on the description. As far as the shares, that is why you can just use Everyone Full Control on the "Sharing" tab and set permissions with the NTFS tab.
However, if you are going to have groups of individuals accessing the shares, then yes, you could create groups in AD, assign them to the resource at a higher level and propagate down. But if you require granular permissions on any of the files/folders, you would then need to stop inheritance, set the permissions on the appropriate folder, and then send permissions downward where appropriate (subfolders/files etc.). So depending on the scenario you may still find yourself setting individual permissions.

Hope this helps ...
On-Site IT Technician
Commented:
I don't know if it's best practice or not, but this works pretty well for us.

We share the HOME folder as Home$ so it's a hidden share. We grant the "Everyone" group Full Control on the share, but only grant the user group in question "List folder contents" access to that root folder in the NTFS permissions.

Then, in AD, we set it up like this:
    Home folder:   \\Server\Home$\%username%

In AD, you can highlight multiple users, click Properties and change the home folder path for all of them using that %username% variable: AD will understand it and automatically change the path to match each user's logon name.

The home folder is created and its permissions set when that H: drive setting is applied in AD for each user. If the folder already exists, you will be prompted to grant the user full rights to the folder.

This way you only have one share. Way back when, we used to create a separate share for each user, but that became unmanageable after a few years because we grew from a few hundred users to a few thousand and had way too many shares to manage easily. That's when we redesigned the folder structure; this works a lot better for us.

I hope this helps.

Alicia
Commented:
Thanks, I like the idea of the hidden share. The permissions that I was looking for, which give users access to the share point but no access to sibling folders within the directory, are: Traverse folder/Execute file, Read attributes, Read extended attributes, Read permissions. Those NTFS privileges, along with the appropriate share permissions, give the users access to their home folder, but no one else's.
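The single-hidden-share layout described in the two comments above (Everyone Full Control on the share, a locked-down root, a per-user folder) can be scripted so that every home folder is built the same way. The following PowerShell is an added example written for this thread, not code posted by any participant. It assumes a server named FILESERVER, a root folder D:\Shared\Home, a domain NetBIOS name CORP and the group "Domain Users" as the set of home-folder users; change those to match your environment. Unlike the Active Directory Users and Computers dialog, Set-ADUser does not create the folder or grant the user rights, so the script does both explicitly.

```powershell
# Added example: one hidden Home$ share, open share permissions, NTFS locked down so
# each user reaches only their own folder. Names below (FILESERVER, D:\Shared\Home,
# CORP, Domain Users) are assumptions for the example.
Import-Module SmbShare
Import-Module ActiveDirectory

$Root      = 'D:\Shared\Home'
$ShareName = 'Home$'                 # trailing $ hides the share from browse lists
$UserGroup = 'CORP\Domain Users'     # group whose members get home folders here
$Server    = 'FILESERVER'

$Full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$NoInherit = [System.Security.AccessControl.InheritanceFlags]::None

New-Item -Path $Root -ItemType Directory -Force | Out-Null

# 1. Share permissions: Everyone Full Control. NTFS does the real access control.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Everyone' | Out-Null
}

# 2. NTFS on the root: stop inheritance from D:\Shared, keep Administrators and
#    SYSTEM (inherited downward), and give the user group only
#    Traverse + Read attributes + Read extended attributes + Read permissions
#    on "This folder only", so nothing from this ACE propagates to sibling homes.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)      # disable inheritance, drop inherited ACEs
foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $admin, $Full, $Inherit, 'None', 'Allow')))
}
$RootRights = [System.Security.AccessControl.FileSystemRights]'Traverse,ReadAttributes,ReadExtendedAttributes,ReadPermissions'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $UserGroup, $RootRights, $NoInherit, 'None', 'Allow')))
Set-Acl -Path $Root -AclObject $acl

# 3. Per-user folder: the owner gets Full Control, inherited to everything inside.
#    The folder inherits only the Administrators/SYSTEM ACEs from the root, because
#    the group ACE above was set to "This folder only".
function New-HomeFolder {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $path = Join-Path $Root $SamAccountName
    New-Item -Path $path -ItemType Directory -Force | Out-Null
    $userAcl = Get-Acl -Path $path
    $userAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "CORP\$SamAccountName", $Full, $Inherit, 'None', 'Allow')))
    Set-Acl -Path $path -AclObject $userAcl
    # Same result as the \\Server\Home$\%username% convention in the ADUC dialog.
    Set-ADUser -Identity $SamAccountName -HomeDrive 'H:' `
        -HomeDirectory "\\$Server\$ShareName\$SamAccountName"
}

New-HomeFolder -SamAccountName 'user1'
New-HomeFolder -SamAccountName 'user2'

# 4. Check: user2's folder must carry no ACE for user1 (only user2, Administrators, SYSTEM).
(Get-Acl -Path (Join-Path $Root 'user2')).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The root ACE is deliberately non-inheriting: if the group ACE were allowed to propagate, every user would get Traverse and Read attributes on every sibling home, which is exactly the leak the thread is trying to avoid. Users can still open \\FILESERVER\Home$\username directly (the H: mapping does this for them), but because the root grants no List folder right they cannot enumerate the other home folders from the share root.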

Author

Commented:
No one gave me the exact answer I was looking for.
