Personal Folders in file server

Hi,

At the moment our users save files in their My Documents folder on the local computer. But I need to implement a personal folder for each user on a server and map each user's folder as a drive using the variable %username%.

I have installed a file server and need to add a home directory (\\server1\personalshare\user1) for each user from Active Directory. On the folder personalshare I have given read and write permission to authentic users, full permission to only the local Administrator, and nothing to domain administrators, as I need to restrict domain admin access to these personal folders.

Now when I tried to add a home folder from AD for a user, I get an error message saying no permission to create the folder on the file server. (I have logged in to the AD server as domain admin and I think this is why I get this message.)

I also need to stop users accessing someone else's personal folder, such as \\server1\personalshare\user2.

Could someone guide me on how to implement these personal folders with the right security? My file server is Windows 2012 and the domain controller is Windows 2008 R2.

Thanks in advance.
SHALINDRA Asked:
Daniel Helgenberger Commented:
To stop users viewing the other's folders on a home folder share, you are looking for something called 'access based enumeration', here is the TechNet article.

Basically this changes the name of a share according to the user accessing it. You can then just map a folder called '\\server\home' for user john's home dir, on filesystem level this will be Drive:\home\john.
This way you do not need the %username% variable any more, because the user is authenticated via active directory anyway and therefore known.

You can find this in the advanced settings of a share / DFS folder when creating the share.

For the permissions you need to look not only at the share permissions but at the file system permissions as well.
Look in the 'Security' tab of your shared folder's properties on that particular file system.
0
SHALINDRA Author Commented:
Thanks helge000. I will do and let you know the outcome.
0
SHALINDRA Author Commented:
Hi,

I have read articles on access based enumeration and have enabled this, but users can still view other users' home folders.

Also, what permissions should I set up on the personalshare folder? (My example: \\server1\personalshare\user1)

Thanks
0
Daniel Helgenberger Commented:
Hello,

Access based enumeration (ABE) works in conjunction with file system permissions.
First you need to get these right to have it working. It may still be you can see the folder, but not its contents. This depends on your configuration and access.

If you want this to be more advanced and hide the other folders, you need to implement ABE with DFS.

The permissions for the root home share need to be:
- read, list and create for domain members only for this folder
- the special CREATOR OWNER needs full control for subfolders and files
See this TechNet article:
http://blogs.technet.com/b/migreene/archive/2008/03/24/3019467.aspx
http://www.petenetlive.com/KB/Article/0000739.htm

There are numerous reasons why ABE could not be working for you. Check out this article for troubleshooting:
http://technet.microsoft.com/en-us/library/cc733154.aspx
0
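The root-folder permissions listed in the answer above, applied with PowerShell on the file server, followed by a check that reports home folders readable by anyone other than their user. This is an added example and not part of the original thread; the local path `D:\personalshare`, the `Domain Users` group standing in for "domain members", the SYSTEM entry, and the assumption that each subfolder is named after its user are illustrative.

```powershell
# Added example, not from the thread. $Root, $Share and $Members are assumed names.
$Root    = 'D:\personalshare'                 # assumed local path behind \\server1\personalshare
$Share   = 'personalshare'
$Members = "$env:USERDOMAIN\Domain Users"     # assumed group for "domain members"

function New-Ace($Id, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Id, $Rights, $Inherit, $Propagate, 'Allow')
}

# Root ACL: stop inheriting from the drive and remove existing explicit entries.
$dir = Get-Item -LiteralPath $Root
$acl = $dir.GetAccessControl('Access')
$acl.SetAccessRuleProtection($true, $false)
$sid = [System.Security.Principal.SecurityIdentifier]
foreach ($r in @($acl.GetAccessRules($true, $false, $sid))) {
    [void]$acl.RemoveAccessRuleSpecific($r)
}

$both = 'ContainerInherit, ObjectInherit'
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' $both 'None'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' $both 'None'))
# CREATOR OWNER: full control on subfolders and files only (inherit-only).
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' $both 'InheritOnly'))
# Domain members: read, list and create folders, on this folder only.
$acl.AddAccessRule((New-Ace $Members 'ReadAndExecute, CreateDirectories' 'None' 'None'))
$dir.SetAccessControl($acl)

# Access-based enumeration on the share (Windows Server 2012 SMB cmdlets).
Set-SmbShare -Name $Share -FolderEnumerationMode AccessBased -Force

# Check: list Allow entries on each home folder that belong to neither the
# folder's own user nor the administrative principals above.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'
function Get-HomeFolderExposure($Path) {
    Get-ChildItem -LiteralPath $Path -Directory | ForEach-Object {
        $user = $_.Name                        # assumes folder name = user name
        (Get-Acl -LiteralPath $_.FullName).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $_.IdentityReference.Value -and
            $_.IdentityReference.Value -notlike "*\$user"
        } | Select-Object @{n='Folder';e={$user}}, IdentityReference,
                          FileSystemRights, IsInherited
    }
}
Get-HomeFolderExposure $Root | Format-Table -AutoSize
```

An empty result from `Get-HomeFolderExposure` means no home folder grants access to another user or group; any row with `IsInherited` set to `True` points at an entry on the root that propagates further than intended.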
SHALINDRA Author Commented:
Hi helge000,

Thanks for your reply. Regarding your comment 'If you want this to be more advanced and hide the other folders, you need to implement ABE with DFS.', I do not need to hide folders, but I need to stop users accessing other users' personal folders. In this case do I still need to configure DFS?

E.g.: User A logs in to the system and can see his personal folder. Then I need to stop user A trying to access user B's folders as \\server1\personalshare\userB

Thanks in advance.
0
SHALINDRA Author Commented:
Hi helge000,

I have set up the folder security exactly as mentioned in the link below provided by you and just enabled ABE without DFS, and it works fine now.

http://blogs.technet.com/b/migreene/archive/2008/03/24/3019467.aspx

Thank you very much

xx
0
Daniel Helgenberger Commented:
Sorry I could not get back earlier. And glad you were able to get this working!
0
SHALINDRA Author Commented:
No problem, thank you
0