I am trying to create User Home Folders for one of our subdomains. This is something I have done in the past for our other subdomains; however, on this particular one I'm hitting a brick wall.
On the domain controller of this domain, I created a folder called users. I shared this folder and you can see the share permissions in the screenshot below:
The NTFS permissions on this folder are as follows ("Include inheritable permissions from this object's parent" is UNCHECKED):
• CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
• System - Full Control (Apply onto: This Folder, Subfolders and Files)
• Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
• Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
• Everyone - List Folder/Read Data (Apply onto: This Folder Only)
• Everyone - Read Attributes (Apply onto: This Folder Only)
• Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)
I then begin to add the Home Folder path into the Active Directory user's Profile tab:
Connect L: To: \\Server.domain.com\$users
Once this has been done I enter the users folder. As I expected, the users' home folders have been created:
All of these users are in an isolated OU and are members of Domain Users only, nothing else.
I now switch over to my client machine, logged on as test user tony.stark, to check the drive mapping etc. Yes, this all went well: L: is now mapped for all of the test users. Everything is going exactly as I expect.
However, now from the client machine I browse to the $users$ share, where tony.stark can see all the other folders for other users (James.rhodes, steve.rogers etc.). I do expect this; however, I wouldn't expect that tony.stark could enter any of these folders.
But he can: he can enter, edit and/or delete anything he wishes in these other folders, which is obviously not good considering he's not an admin etc.
As I said previously, I followed the exact same procedure on another domain controller for another domain and the outcome was exactly as I expected it to be. The users could not browse other users' home folders, let alone add/edit/delete files in them.
Again, these users are all members of Domain Users only, not Domain Admins etc.
We have had a permissions problem on this server previously with AdminSDHolder / inheritable permissions. The only thing I can think of is that this is somehow related to that incident. After a bit of googling I came across this on all the users on this particular domain:
This attribute isn't present on any other user outside of this domain controller, and I'm not sure if this may be something to do with the problem. I have tried to manually unset this; however, it just resets back to 1 after a few minutes.
Any help would be greatly appreciated as this normally trivial task is becoming quite annoying to say the least.
Please see a possibly related topic I mentioned here: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27860722.html
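An added audit script (not from the original post) that checks each home folder under the share root for the symptom described above: it lists every Allow ACE that is not SYSTEM, Domain Admins, CREATOR OWNER or the folder's own user, so an inherited Everyone or Domain Users entry shows up immediately. It assumes the share's local path and the NetBIOS domain name (both placeholders), that folders are named after the user's sAMAccountName, and that the attribute resetting to 1 is adminCount.

```powershell
# Added audit script; placeholders below must be adjusted for the real server.
param(
    [string]$Root   = 'D:\users',   # placeholder: local path backing the users share
    [string]$Domain = 'DOMAIN'      # placeholder: NetBIOS domain name
)

# Identities expected to hold rights on every home folder.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    "$Domain\Domain Admins",
    'CREATOR OWNER'   # inherit-only ACE that becomes the owner's rights on new files
)

$findings = foreach ($dir in Get-ChildItem -Path $Root -Directory) {
    $acl = Get-Acl -Path $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        # DOMAIN\tony.stark on folder tony.stark is the intended grant.
        if ($id.Split('\')[-1] -eq $dir.Name) { continue }
        if ($expected -contains $id) { continue }
        # Anything else (Everyone, Domain Users, another user) is a finding;
        # Inherited=True points at the parent folder's ACL as the source.
        [pscustomobject]@{
            Folder    = $dir.Name
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Owner     = $acl.Owner
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No unexpected ACEs found under $Root" }

# Separate check: accounts stamped adminCount=1 by SDProp. This affects the
# AD object's security descriptor, not NTFS ACLs, but explains why a manual
# reset of the attribute reverts within the hour.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
        Select-Object SamAccountName, adminCount
}
```

Run it on the file server as an account that can read the folder ACLs; a row with Identity of Everyone or Domain Users and Inherited=True means the parent's ACEs are still propagating despite the "This Folder Only" setting shown above.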