Solved

User Home Folders Permission Problems

Posted on 2013-05-10
Last Modified: 2013-05-15
Hi Guys,
I am trying to create user home folders for one of our subdomains. This is something I have done in the past for our other subdomains; however, on this particular one I'm hitting a brick wall.

On the domain controller of this domain, I created a folder called users. I shared this folder and you can see the share permissions in the screenshot below:

[Screenshot: Share Permissions]

The NTFS permissions on this folder are as follows (Include inheritable permissions from this object's parent is UNCHECKED):
• CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
• System - Full Control (Apply onto: This Folder, Subfolders and Files)
• Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
• Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
• Everyone - List Folder/Read Data (Apply onto: This Folder Only)
• Everyone - Read Attributes (Apply onto: This Folder Only)
• Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

I then begin to add the Home Folder path into the Active Directory user's profile:

Connect L: To: \\Server.domain.com\$users$\%username%

Once this has been done I enter the Users folder. As I expected, the users' home folders have been created:

[Screenshot: User Folders Created]

All of these users are in an isolated OU and are members of Domain Users only, nothing else.

I now switch over to my client machine logged on as test user tony.stark to check the drive mapped, etc. Yes, this all went well; L: is now mapped for all of the test users. Everything is going exactly as I expect.
However, now from the client machine I browse to the $users$ share, where tony.stark can see all the other shares for other users (james.rhodes, steve.rogers, etc.). I do expect this; however, I wouldn't expect that tony.stark could enter any of these folders.

But he can: he can enter, edit and/or delete anything he wishes in these other folders, which is obviously not good considering he's not an admin, etc.
As I said previously, I followed the exact same procedure on another domain controller for another domain and the outcome was exactly as I expected it to be. The users could not browse other users' home folders, let alone add/edit/delete files from them.

Again, these users are all members of Domain Users only, not Domain Admins, etc.

We have had a permissions problem on this server previously with AdminSDHolder inheritable permissions. The only thing I can think of is that this is somehow related to that incident. After a bit of googling I came across this on all the users on this particular domain:

[Screenshot: Attributes of one of the test users]

This attribute isn't present on any user outside of this domain controller, and I'm not sure if this may be something to do with the problem. I have tried to manually unset it; however, it just resets back to 1 after a few minutes.

Any help would be greatly appreciated as this normally trivial task is becoming quite annoying to say the least.

Please see a possibly related topic I mentioned here; http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_27860722.html
Question by:deepslalli
7 Comments
 

Expert Comment

by:netballi
ID: 39155143
Simply remove all the NTFS permissions from the Users folder for Everyone and change them to Authenticated Users with the following permission:

Authenticated Users - List Folder/Read Data (Apply onto: This Folder Only)
 

Author Comment

by:deepslalli
ID: 39155161
Hi Netballi

When I did this, I applied the changes to $users$, deleted the older folders within $users$ and headed back to Active Directory to add the path into the profile again so that the objects would be recreated:

\\domain.com\$users$\%username%

And I was presented with "directory not created as the account doesn't have the rights on the server".

Regards
Jamie Harrison
 

Expert Comment

by:netballi
ID: 39155193
Just add the following permission to Authenticated Users:

Create Folder/Append Data (Apply onto: This Folder Only)

It is easy to add a permission later on, as compared to removing a permission and something not working.
 

Author Comment

by:deepslalli
ID: 39155212
Hi Netballi,

I have done the following as you instructed. When I returned to Active Directory to add the profile path, this time AD was able to create the files. However, when logged onto the client machine, the test users can still browse/edit other users' home folders.
 

Author Comment

by:deepslalli
ID: 39155245
An update: I ran these commands in PS to show all protected groups under AdminSDHolder:

Import-Module ActiveDirectory
Get-ADGroup -LDAPFilter "(&(objectcategory=group)(admincount=1))"

And it appears that Domain Users is showing as a protected group? I'm not entirely sure if this is meant to be there?
 

Accepted Solution

by: deepslalli (earned 0 total points)
ID: 39155292
Problem solved.

Firstly I'd like to explain that this was an inherited server and I no longer get to communicate with the people originally looking after this server.

It appears that for some bizarre reason the Domain Users group was a member of Domain Admins & the Admins group.

I have no idea why anyone would do this and so it was the last place I thought of checking, but it seems to have resolved the issue.

Thanks for all your help.

Regards

Jamie
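The accepted answer ties the two earlier observations together: SDProp (the AdminSDHolder process, which runs every 60 minutes by default) stamps adminCount=1 on every member, direct or nested, of the protected groups and replaces that object's DACL, so with Domain Users nested inside Domain Admins every user in the domain is stamped, the attribute comes back after being cleared, and the inherited Domain Admins Full Control entry on the home folder root lets any user into any folder. As an added PowerShell example (not code from the thread), the script below lists the stamped groups using the author's query with its LDAP filter made valid, walks group nesting downward from each protected group to find a broad group such as Domain Users at any depth, and cleans up the stamp on an account once the nesting is gone. The group names are the standard built-in ones; the cleanup target is a placeholder.

```powershell
Import-Module ActiveDirectory

# Groups SDProp protects by default. Their nested members are protected too,
# which is what the walk below is looking for.
$ProtectedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                     'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators')

function Get-AdminCountGroups {
    # The thread's query with a valid filter (the two clauses need an "&").
    # Seeing Domain Users here is a symptom, not a cause: SDProp only stamps
    # objects that are, directly or through nesting, in a protected group.
    Get-ADGroup -LDAPFilter '(&(objectCategory=group)(adminCount=1))' |
        Select-Object -Property Name, DistinguishedName
}

function Find-NestedGroup {
    # Walks group-in-group nesting downward from $Group and returns one
    # "A -> B -> C" string per path that ends at $Target. Get-ADGroupMember
    # -Recursive would not do: it flattens to leaf objects and hides the groups.
    param(
        [string]$Group,
        [string]$Target,
        [string[]]$Path = @(),
        [hashtable]$Seen = @{}
    )
    if ($Seen.ContainsKey($Group)) { return }   # guards against circular nesting
    $Seen[$Group] = $true
    $Path = $Path + $Group
    $members = Get-ADGroupMember -Identity $Group -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'group' }
    foreach ($m in $members) {
        if ($m.SamAccountName -eq $Target) { ($Path + $m.SamAccountName) -join ' -> ' }
        else { Find-NestedGroup -Group $m.SamAccountName -Target $Target -Path $Path -Seen $Seen }
    }
}

function Find-BroadGroupInProtectedGroups {
    # Domain Users (and BUILTIN\Users) have no business inside any protected group.
    param([string[]]$Broad = @('Domain Users', 'Users'))
    foreach ($pg in $ProtectedGroups) {
        foreach ($b in $Broad) { Find-NestedGroup -Group $pg -Target $b }
    }
}

function Clear-AdminCountStamp {
    # SDProp does not undo its work once the bad nesting is removed: the account
    # keeps adminCount=1 and a protected (non-inheriting) DACL until an admin
    # clears the attribute and re-enables inheritance on the AD object.
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties adminCount
    Set-ADUser -Identity $u -Clear adminCount
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep the existing entries
    Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
}

Write-Host 'Groups stamped with adminCount=1:'
Get-AdminCountGroups | Format-Table -AutoSize

Write-Host 'Broad groups nested inside protected groups (the root cause in this thread):'
Find-BroadGroupInProtectedGroups

# Once a path such as "Domain Admins -> Domain Users" is confirmed, remove the
# nesting, then clear the stamp on each account that should not be protected:
#   Remove-ADGroupMember -Identity 'Domain Admins' -Members 'Domain Users'
#   Remove-ADGroupMember -Identity 'Administrators' -Members 'Domain Users'
#   Clear-AdminCountStamp -SamAccountName 'tony.stark'   # placeholder account
```

Run it from a domain-joined machine with the RSAT ActiveDirectory module (Get-Acl on the AD: drive depends on that module being loaded). The nesting walk is the check worth scheduling: a broad group appearing anywhere under a protected group means every account in the domain is effectively an administrator, regardless of how carefully the file server ACLs were built.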
 

Author Closing Comment

by:deepslalli
ID: 39167393
I fixed the issue myself.