Home folder permissions

Indie101
Having issues; the company didn't use Group Policy Preferences before. I have it working for H:\

Have a folder called \\servername\users

At present its share permissions are everyone full control and servername\administrators full control

In NTFS everyone is modify, the security group for the users which was added, staff has full control, system has full control

I know they shouldn't have that, but I am changing permissions on the staff security group without success. Does anyone know what NTFS permissions I need to use in order for users not to see other folders other than their own in Users?

Right now the GPP for home folder is working and I have two GPOs one for Home folder, one for mapped drive as per document below

http://www.alexcomputerbubble.com/using-group-policy-preferences-gpp-to-map-user-home-drive/

(Run command is shut down so they won't anyway, I just want to tidy this up.) Suggestions appreciated.

Commented:
Typically home folder permissions are set to Everyone for SMB and either Modify or Full Control for the user it's assigned to.  If you don't want users to see folders they don't have permission to access you will have to enable Access Based Enumeration:

https://blogs.technet.microsoft.com/askds/2016/09/01/access-based-enumeration-abe-concepts-part-1-of-2/

There are better means of creating home drives than logon scripts but I would need to know what server version you're using.

Author

Commented:
Thanks Jason, I'm not using login scripts, but Group Policy Preferences

I am using Server 2012 and when I go into share properties ABE is ticked. I'd like to make changes after work; it's 4.25pm GMT here.

The security group I have called staff, giving access, has 100 users. What advanced NTFS permissions would you recommend I set for it so that users can't see other folders? (It only happens with admin machines; users don't have run commands visible and won't map to it etc. It's been very loose, trying to improve it.)

Any changes I can make later that will help?
Commented:
Not that it's not a valid method, but I'm curious why you're using GPP instead of just assigning a home drive during user creation with ADUC so permissions are automatically set:

https://support.microsoft.com/en-us/help/816313/how-to-assign-a-home-folder-to-a-user

Author

Commented:
No, you're right, it was set up that way here alongside login scripts. It hadn't been looked at in a while here; I only started here a few months ago etc., so this is the first real chance I had of looking at it.

I may have to go back to that setup if I can't get this working :) At least I know it works and is secure :)

You could use GP to set exclusive access to the assigned user, so that even administrators cannot access the users' home folders. This is typically the desired setup where security is a high concern.
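
Added example (not part of the thread, and not code from any participant): Access Based Enumeration only hides folders a user has no read access to, so with Everyone on Modify and staff on Full Control at the root, as described in the question, ticking ABE hides nothing. The PowerShell audit below reports the share's ABE state and lists every Allow entry on each home folder that belongs to someone other than the folder's own user. The local path `D:\Users`, the share name `users`, and the convention that each folder is named after the user's sAMAccountName are assumptions.

```powershell
# Added example, not from the thread. Assumptions (adjust to your environment):
#   D:\Users is the local path behind \\servername\users, the share is named
#   'users', and each home folder is named after the user's sAMAccountName.
$Root  = 'D:\Users'
$Share = 'users'

# Principals expected on every home folder besides the folder's own user.
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

function Get-HomeFolderExposure {
    param([string]$Path, [string[]]$Allowed)
    foreach ($dir in Get-ChildItem -LiteralPath $Path -Directory) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            # "DOMAIN\jsmith" -> "jsmith"; the folder's own user is expected.
            $account = ($who -split '\\')[-1]
            if ($account -eq $dir.Name -or $Allowed -contains $who) { continue }
            [pscustomobject]@{
                Folder    = $dir.Name
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True = flows down from a parent ACL
            }
        }
    }
}

# ABE state of the share: AccessBased or Unrestricted.
Get-SmbShare -Name $Share | Select-Object Name, Path, FolderEnumerationMode

# Each row is an Allow entry for a principal other than the folder's user.
# If it includes read or list rights, ABE still shows that folder to the
# principal (for example Everyone or the staff group).
Get-HomeFolderExposure -Path $Root -Allowed $Expected |
    Sort-Object Principal, Folder |
    Format-Table -AutoSize
```

Run it from an elevated session on the file server. Rows with `Inherited = True` point at the root folder's ACL as the place to fix, rather than the individual home folders.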
