Setting up Home Folder Permissions on Server 2008 R2

On our network I create a user folder for all employees. Ideally, I would like each employee to have access to their own folder only, and nobody should be able to save files to the root folder.

Here is how it is laid out: \\servername\User\Username. When I set permissions to Read only at the User folder level and Full Control at the Username folder level,

the user is not able to create new documents in their individual folder, but if there are existing files in the folder they can open them without a problem.

What am I doing wrong?

Make sure the Share Permissions are set to Everyone - Full control
Emmanuel Adebayo (Global Windows Infrastructure Engineer - Consultant) commented:

I would not give Everyone Full Control in the share permissions, but rather Read and Change to Authenticated Users.

At the \\server\User level, have:

- CREATOR OWNER: Full (subfolders and files)
- SYSTEM: Full (subfolders and files)
- a common group that all users are a part of: List (this folder only)
- Administrators: Full (subfolders and files)

Remove all other groups; that might include Everyone, Authenticated Users, etc.

If the folders are pre-created (that is, not through the Profile tab of the user's AD properties), ensure that the user has Full Control of his folder only. You may also need to rewrite the permissions on subfolders and files.


For share permissions, give Modify to a common group that the users of the home folders belong to. NTFS will ensure that security is not compromised.

Avoid use of authenticated users at all costs. Create a custom group if necessary to facilitate the above.
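The ACL layout in the answer above, written out as an added PowerShell example; this is not code from the original thread. It uses icacls and net share, both of which ship with Server 2008 R2. The local path D:\User, the domain EXAMPLE, the group EXAMPLE\HomeFolderUsers and the user list are assumptions. SYSTEM and Administrators are applied to "this folder, subfolders and files" and CREATOR OWNER to "subfolders and files only", which is the usual reading of the answer; each user gets Full Control of their own folder as the answer says (the later reply in this thread prefers Change instead).

```powershell
# Added example: build the home-folder root and per-user folders as laid out
# in the answer above. Paths, domain, group and user names are assumptions.
$Root      = 'D:\User'                    # assumed local path behind \\servername\User
$ShareName = 'User'
$Domain    = 'EXAMPLE'                    # assumed NetBIOS domain name
$Group     = "$Domain\HomeFolderUsers"    # assumed common group containing all home-folder users
$Users     = @('jdoe', 'asmith')          # constructed sample user list

function Invoke-Checked {
    # Run an external command and stop on a non-zero exit code so a failed
    # icacls step never leaves a half-configured tree behind.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Root folder: stop inheriting from the drive, then set exactly the ACEs wanted.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
Invoke-Checked icacls @($Root, '/inheritance:r')   # drop inherited ACEs (Everyone, Users, ...)
Invoke-Checked icacls @($Root, '/grant:r',
    'CREATOR OWNER:(OI)(CI)(IO)F',      # whoever creates a subfolder owns it: subfolders and files only
    'NT AUTHORITY\SYSTEM:(OI)(CI)F',    # this folder, subfolders and files
    'BUILTIN\Administrators:(OI)(CI)F', # this folder, subfolders and files
    "${Group}:(RX)")                    # read & execute on this folder only (no OI/CI): list names, nothing else

# 2. Per-user folders. Pre-created folders are owned by the admin who made them,
#    so the user must be granted rights and made owner explicitly.
foreach ($u in $Users) {
    $userDir = Join-Path $Root $u
    New-Item -ItemType Directory -Path $userDir -Force | Out-Null
    Invoke-Checked icacls @($userDir, '/inheritance:e')    # keep SYSTEM/Administrators/CREATOR OWNER from the root
    Invoke-Checked icacls @($userDir, '/grant:r', "${Domain}\${u}:(OI)(CI)F")
    Invoke-Checked icacls @($userDir, '/setowner', "$Domain\$u", '/T', '/C')
    # Rewrite any pre-existing content so it inherits from the user's folder again.
    Get-ChildItem -Path $userDir -Force | ForEach-Object {
        Invoke-Checked icacls @($_.FullName, '/reset', '/T', '/C')
    }
}

# 3. Share: Change for the common group and nothing for anyone else; NTFS does the rest.
Invoke-Checked net @('share', "$ShareName=$Root", "/GRANT:$Group,CHANGE")
```

Run it in an elevated PowerShell session on the file server: /setowner to a different account needs the restore privilege that Administrators hold. Because the common group has only Read & Execute on the root itself, members can see the folder names under \\servername\User but cannot open or write into anyone else's folder, and the root stays read-only to them even though the share grants Change.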

Giving Everyone full access to the share is perfectly fine. You can then use the Security tab to define your access control lists (ACLs). This is more granular and will control access to resources.
AD should automatically put the correct permissions on the users home folder.

From MS TechNet, "Replacing Everyone with Authenticated Users":

It is quite common for security "experts" to get very nervous when they see ACLs specified for the Everyone group in Windows. In Windows NT 4.0 and earlier, this was one of the most common ACEs, and it literally meant everyone. In those days it was justified to be worried about Everyone in many cases. Since Windows XP, however, these concerns are almost always unwarranted. By default the anonymous user is not included in Everyone any longer. That means that Everyone is functionally identical to Authenticated Users in Windows XP and Windows Server 2003 unless the "Everyone includes anonymous" setting has been changed from its default value. Therefore, there are few instances where replacing ACEs with Everyone is worthwhile.

One recent issue that arose was a customer that wanted to contain users from other domains in the forest by replacing Everyone with Domain Users. This is troublesome not only because of the issue with blanket ACL replacement discussed earlier, but also because it achieves very little in the way of security. The real security boundary is the forest, not the domain. Therefore, users with advanced privileges in one domain in a forest can escalate to higher privileges in other domains fairly easily. Domains within a forest were never designed to serve as a security boundary, they were merely designed to serve as convenient containers and management units.

Several times I have faced an argument that if you have to change the default value of "Everyone includes anonymous" to allow Everyone to include anonymous users then you have a legitimate reason to perform blanket replacement of Everyone with Authenticated Users. However, such reasoning is flawed. First, allowing Everyone to include anonymous opens up a very large set of holes, not all of which can be closed using ACL replacement on the file system and in the registry. Second, if you have a reason to do this kind of replacement, it is often with the intent of deliberately turning off some security. Selectively turning security back on by changing ACLs is essentially taking a position counter to that which forced you to open up the holes in the first place. Finally, if anonymous access is what you need, then grant access to the user ANONYMOUS. Doing so achieves very granularly controlled anonymous access without opening unnecessary holes.

One final thought on Everyone before moving on: Up through Windows XP the default DACL on shares was for Everyone with Full Control. This caused great consternation with many users who believe that this means anyone can do anything to all the data in that share. That is not actually true. The permissions the user has on objects in a share is the most restrictive combination of the permissions on the share and the permissions on the objects themselves. In other words, if the DACL on the share says "Everyone:Full Control" what it really means is "I don't want to manage permissions here." The permissions on the share are meaningless in that situation. Only the permissions on the file system control access. The advice, therefore, is that unless you have a reason to restrict people further when they are accessing files from the network than when they are accessing them locally there is no reason to change the default permission on a share. You may want to use share ACLs to protect against potentially incorrect file DACLs, but in that case, you probably should fix the file DACLs instead.

Emmanuel Adebayo (Global Windows Infrastructure Engineer - Consultant) commented:
Why would you avoid the use of Authenticated Users for the share permission?

If you create the group, the GUID will need to be added to the user's SID upon logon; this makes them an authenticated user.

GSLElectric (Author) commented:
Let me clarify.

At \\servername\User, I want them to see their folder, but not be able to open any of the other user folders that are located in the same root folder.

At \\servername\User\Username (their folder), I want them to be able to add whatever they please.

Is that clearer now?
The reasoning is that since someone accessing the share has to deal with BOTH share-level and NTFS-level permissions, why create the headache and confusion of assigning share-level permissions when you can just use the NTFS-level permissions as a choke point? By setting "Everyone = Full Control" at the share level, you never need to worry about it when performing troubleshooting, auditing or administration. You manage everything at the NTFS level, whether for local access or network access.

Also, since W2k3, Anonymous Users were left out of the Everyone group.
What you are doing makes sense.
Just make sure the \\Servername\User folder has the correct permissions set at the Share Level first.
Then make sure the security permissions are correct at the  \\servername\user\username level. Each user should have full access to their own folders.
Active Directory should handle this for you. If it doesn't, you will have to apply the security settings yourself.
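An added PowerShell example, not part of the original thread, that checks the result of the advice above: it reads the share DACL, shows how the share permission and the NTFS permission combine into the effective network access described in the TechNet excerpt (Windows ANDs the two access masks, so the more restrictive wins), and then walks every user folder to confirm the owner matches the folder name and that no broad principal holds an ACE there. The path D:\User, the share name, the domain EXAMPLE and the group name are assumptions; nothing in it modifies permissions.

```powershell
# Added example: audit the home-folder tree and show how share and NTFS rights combine.
# Paths, share name, domain and group are assumptions; this script only reads.
$Root      = 'D:\User'
$ShareName = 'User'
$Group     = 'EXAMPLE\HomeFolderUsers'   # assumed common group of home-folder users

# Principals that may legitimately appear on a user folder besides the user who owns it.
$AllowedOnUserFolder = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
# Principals whose presence on a user folder means other users can get in.
$BroadPrincipals     = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'EXAMPLE\Domain Users')

function Get-ShareRights {
    # Read the share-level DACL through WMI (works on 2008 R2, where the Smb* cmdlets do not exist).
    param([string]$Name)
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$Name'"
    if (-not $setting) { throw "Share $Name not found" }
    $sd = $setting.GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        $who = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
        New-Object PSObject -Property @{
            Principal = $who
            Type      = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Rights    = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask
        }
    }
}

function Get-EffectiveNetworkRights {
    # Access through a share is the intersection of the share ACE and the NTFS ACE:
    # the two access masks are ANDed, so the most restrictive one wins.
    param([System.Security.AccessControl.FileSystemRights]$ShareRights,
          [System.Security.AccessControl.FileSystemRights]$NtfsRights)
    [System.Security.AccessControl.FileSystemRights]([int]$ShareRights -band [int]$NtfsRights)
}

# 1. Share DACL: any principal other than the common group is a finding.
Write-Host "Share \\$env:COMPUTERNAME\${ShareName}:"
Get-ShareRights $ShareName | ForEach-Object {
    $flag = if ($_.Principal -ne $Group) { '  <-- unexpected principal on share' } else { '' }
    Write-Host ("  {0,-6} {1,-35} {2}{3}" -f $_.Type, $_.Principal, $_.Rights, $flag)
}

# 2. Root folder: what the common group can really do over the network.
$rootAcl  = Get-Acl $Root
$groupAce = $rootAcl.Access |
    Where-Object { $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Allow' } |
    Select-Object -First 1
$shareAce = Get-ShareRights $ShareName |
    Where-Object { $_.Principal -eq $Group -and $_.Type -eq 'Allow' } |
    Select-Object -First 1
if ($groupAce -and $shareAce) {
    $effective = Get-EffectiveNetworkRights $shareAce.Rights $groupAce.FileSystemRights
    Write-Host "Root: share grants [$($shareAce.Rights)]; NTFS grants [$($groupAce.FileSystemRights)]; effective = [$effective]"
}

# 3. Each user folder: owner must match the folder name, and nobody broad may hold an ACE.
Get-ChildItem -Path $Root -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder = $_
    $acl    = Get-Acl $folder.FullName
    $owner  = $acl.Owner
    if ($owner.Split('\')[-1] -ne $folder.Name) {
        Write-Warning "$($folder.FullName): owner is $owner, expected $($folder.Name)"
    }
    foreach ($ace in $acl.Access) {
        $id         = $ace.IdentityReference.Value
        $isOwnerAce = ($id.Split('\')[-1] -eq $folder.Name)
        if ($BroadPrincipals -contains $id) {
            Write-Warning "$($folder.FullName): broad principal $id has $($ace.FileSystemRights)"
        } elseif (-not $isOwnerAce -and $AllowedOnUserFolder -notcontains $id) {
            Write-Warning "$($folder.FullName): unexpected ACE for $id ($($ace.FileSystemRights))"
        }
    }
}
```

With the layout recommended earlier in the thread, step 2 reports something like share Change and NTFS ReadAndExecute combining to an effective ReadAndExecute on the root, which is exactly why members can list the root but not write into it even though the share allows Change. Warnings from step 3 are the cases where "AD should handle this for you" did not happen, for instance folders pre-created by an administrator who is still their owner, or an Everyone or Authenticated Users ACE that leaked down from the drive root before inheritance was broken.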
Emmanuel Adebayo (Global Windows Infrastructure Engineer - Consultant) commented:
My preferred settings would be:

\\Servername\User ------------------------ Share permission: Authenticated Users (Read and Change)

\\servername\User\Username --------------- NTFS permissions on the username folder: Change for the owner; Full Control for SYSTEM; Full Control for Domain or Local Administrators

If your company policy does not allow Domain Administrators, you can remove this and take ownership as and when needed.
