Home folder permissions

Having issues; company didn't use Group Policy Preferences before, have it working for H:\

Have a folder called \\servername\users

At present its share permissions are everyone full control and servername\administrators full control

In NTFS everyone is modify, the security group for the users which was added, staff has full control, system has full control

I know they shouldn't have that but am changing permissions on the staff security group without success. Does anyone know what NTFS permissions I need to use in order for users not to see other folders other than their own in Users?

Right now the GPP for home folder is working and I have two GPOs one for Home folder, one for mapped drive as per document below


(Run command is shut down so they won't anyway, I just want to tidy this up.) Suggestions appreciated.

Jason Crawford (Transport Ninja) Commented:
Typically home folder permissions are set to Everyone for SMB and either Modify or Full Control for the user it's assigned to. If you don't want users to see folders they don't have permission to access you will have to enable Access Based Enumeration:


There are better means of creating home drives than logon scripts but I would need to know what server version you're using.
Indie101 (Author) Commented:
Thanks Jason, I'm not using login scripts, but Group Policy Preferences.

I am using Server 2012 and when I go into share properties ABE is ticked. I'd like to make changes after work, it's 4.25pm GMT here.

The security group I have called staff giving access has 100 users. What advanced NTFS permissions would you recommend I set for it in order so that users can't see other folders? (Only happens with admin machines, users don't have run commands visible and won't map to it etc., it's been very loose, trying to improve it.)

Any changes I can make later that will help?
Jason Crawford (Transport Ninja) Commented:
Not that it's not a valid method, but I'm curious why you're using GPP instead of just assigning a home drive during user creation with ADUC so permissions are automatically set:


Indie101 (Author) Commented:
No, you're right, it was set up that way here alongside login scripts. It hadn't been looked at in a while here. I only started here a few months ago etc., so this is the first real chance I had of looking at it.

I may have to go back to that setup if I can't get this working :) At least I know it works and is secure :)
You could use GP to set exclusive access to the assigned user, so that even administrators cannot access the users' home folders. This is typically the desired setup where security is a high concern.
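
Access Based Enumeration, raised earlier in the thread, only hides a folder from a user who has no read access to it, so an Everyone or staff entry inherited from the root keeps every home folder visible even with ABE ticked. The following audit script is an added example, not code posted by anyone in the thread; the local path `D:\Users`, the domain prefix for the `staff` group and the function name `Get-BroadHomeFolderAce` are assumptions.

```powershell
# Added example, read-only audit. Run elevated on the file server.
# Placeholders/assumptions: $RootPath and the domain prefix of the 'staff' group.
$ShareName = 'users'        # share name from the question (\\servername\users)
$RootPath  = 'D:\Users'     # hypothetical local path behind the share
$Broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
         "$env:USERDOMAIN\staff"   # 'staff' is the group named in the question

function Get-BroadHomeFolderAce {
    # Lists Allow entries on each home folder that belong to a broad principal.
    param(
        [Parameter(Mandatory)] [string]   $Root,
        [Parameter(Mandatory)] [string[]] $BroadPrincipals
    )
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $who) {
                [pscustomobject]@{
                    Folder    = $dir.Name
                    Principal = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # True: the entry comes from the root
                }
            }
        }
    }
}

# 1. Confirm that ABE is enabled on the share (AccessBased vs. Unrestricted).
$mode = (Get-SmbShare -Name $ShareName).FolderEnumerationMode
"Folder enumeration mode on '$ShareName': $mode"

# 2. Report home folders that a broad group can still read, and so still see.
$findings = @(Get-BroadHomeFolderAce -Root $RootPath -BroadPrincipals $Broad)
if ($findings.Count -eq 0) {
    'No broad Allow entries found on the home folders.'
} else {
    $findings | Sort-Object Folder, Principal | Format-Table -AutoSize
}
```

Rows with `Inherited` set to `True` point at the root folder: the broad entry there applies to subfolders, and it needs to be limited to "This folder only" rather than edited on each home folder.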