Author Archive

Prevent users deleting, moving or drag and drop folders in a file share

January 1, 2013

I think it’s not uncommon for organisations with file servers to have one or more file shares mapped to end users using various drive letters. These file shares may contain several sub folders, perhaps for different business functions or units, to which users have access depending on the security groups they belong to. One of the challenges of this folder structure is to prevent users from accidentally moving or dragging and dropping folders. It may be difficult to control this at the sub folder level, but it is worthwhile to keep the root folder structure secure and intact. I hope the simple technique below can be used to accomplish this; it worked for me in my test/production environments.

For this example, let’s assume a file share that has been mapped to end users using a drive letter. This file share has two sub folders underneath, “Helpdesk” and “Public”.


Let’s assume that domain users have modify access to the “Public” folder, NTFS permissions for the “Public” folder would appear as follows;


Helpdesk folder is a more secure folder and only a security group called “helpdesk” (and server admins) has read and modify access to the folder. See the NTFS permissions below;


Now, let’s assume we have a domain user called “testuser” who is a member of the “helpdesk” group. As this domain user has modify access to both the “Public” and “Helpdesk” folders, the user can also drag and drop or move the folders themselves. What we want to achieve is to prevent this, while still allowing “testuser” to create, delete or move sub folders within the root folders.

To do this, go to the properties of the “Helpdesk” folder and click the security tab. Click the “Advanced” button and click “Change Permissions” button. Now, select the “helpdesk” group under the list of permission entries and click “Edit” button.

In the permission entry for the “Helpdesk” folder, scroll down and clear the Allow check box for “Delete”. Tick the Allow check box for “Delete subfolders and files”. Click OK to close the windows and apply the permission changes.
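The same change scripted in PowerShell, as an added example that is not part of the original post. The folder path and the DOMAIN\group name are assumptions; the script edits only explicit (non-inherited) Allow entries for the group and keeps every other right in them.

```powershell
# Added example, not from the original post. Path and group name are assumptions.
$folder = 'E:\Share\Helpdesk'     # hypothetical local path of the "Helpdesk" root folder
$group  = 'CONTOSO\helpdesk'      # hypothetical DOMAIN\group name

$fsr = [System.Security.AccessControl.FileSystemRights]
$acl = Get-Acl -Path $folder

# Explicit Allow entries for the group. Inherited entries are skipped because
# they have to be changed on the folder where they are defined.
$rules = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $group
})
if ($rules.Count -eq 0) { throw "No explicit Allow entry for $group on $folder" }

# Remove each old entry and build its replacement: "Delete" cleared,
# "Delete subfolders and files" set, all other bits and the scope unchanged.
$newRules = foreach ($rule in $rules) {
    $mask = ([int]$rule.FileSystemRights -band (-bnot [int]$fsr::Delete)) -bor
            [int]$fsr::DeleteSubdirectoriesAndFiles
    $acl.RemoveAccessRuleSpecific($rule)
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $rule.IdentityReference, ([System.Security.AccessControl.FileSystemRights]$mask),
        $rule.InheritanceFlags, $rule.PropagationFlags, $rule.AccessControlType
}
foreach ($newRule in $newRules) { $acl.AddAccessRule($newRule) }
Set-Acl -Path $folder -AclObject $acl

# Show the resulting entries for the group so the change can be checked.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

A principal that holds “Delete subfolders and files” on the parent folder (the share root) can still move or delete the folder, so review the root ACL as well.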


Now log in to a workstation as “testuser” and try to drag and drop the “Helpdesk” folder to the “Public” folder. You will see the following warning message;


Thanks
DJ

 


Setting up user home directories in a Windows file server – 2

October 13, 2012

In Part 1 of this post, I explained some of the important factors that need to be considered when setting up home directories for users in a Windows file server. In this post, I will explain step by step how to set up a home directory structure in a Server 2008 file server, using a test scenario.

1. If you haven’t already setup the file server, you need to add the File Server role from the server manager.

You will notice the File Server role service is automatically selected and, in this case, I have selected File Server Resource Manager, which is an optional role service. The File Server Resource Manager is useful in setting up notifications, disk quotas etc.

2. Now we need to set up a folder that will be the root folder for user home directories. Each user will have individual sub folders under this root folder with active directory user id as the folder name. For this example, I have created a folder called “Home” in the E drive of my test file server. Next we need to Share this folder.

3. To share the folder, go to folder properties and select File Sharing. At this stage you need to give only local administrators the share permissions to the folder. I prefer to set up rest of the permissions in the Share and Storage Management tool.

4. Go to administrative tools and open Share and Storage Management. You will notice the shared folder that was created in step 3 among the list of shares. Go to the properties of this shared folder. In properties, click the Permissions tab and click Share permissions. In this example, I would like all the Domain Users to have individual home directories and the Helpdesk group to have the ability to create home directories. Also, I would like to give local administrators of the server full permissions. Accordingly, the following are my share permissions;

Helpdesk (is an Active Directory Group) – Full permissions.
Domain Users – Change and Read permissions.
Administrators – Full Permissions.

Click Apply button to apply the permissions.

Now click the NTFS permissions button. I have assigned the following NTFS permissions according to the test scenario explained above.

Local System – Full Control
Helpdesk – Modify
Administrators – Full Control.

Note that Domain Users do not have NTFS permissions to the root folder and that’s fine. Users only need to have permissions to their own home directories. Click OK to Apply NTFS permissions and click the sharing tab.

5. In the sharing tab, click Advanced and make sure “Enable access-based enumeration” is selected. When the access-based enumeration is enabled, the folder becomes hidden to the users who do not have permissions to the folder. I prefer this option enabled in a file server, however, it’s an optional setting.

6. Now open the Active Directory Users and Computers and create a new user (or open the properties of an existing user). In this example, I use an account with user id “testuser”. In the user properties, go to Profile tab and specify the home directory as shown below.

Click Apply and OK. This creates a new folder called “testuser” under the root Home folder and gives “testuser” full permissions to the directory. No manual work is required. Now if you open the UNC path of the home directory, you will notice that a new folder called “testuser” has been created under the “Home” folder. Note the permissions of this folder.

7. Now, go to a workstation and login as the “testuser”. You will notice that a new personal drive has been mapped to the user.

There are two more points I would like to mention before closing this post;

1. You can make this process simpler for creating new users by using a user account template. A user account template is just another Active Directory account; when you create a new user, you can right-click on the template account and click copy. This copies the default settings of the template account to the new user being created. Now, to make the home directory creation process simpler, go to the properties of the template user account and, in the profile tab, assign the home folder in the following format;

Now, when you create a new user using this template, %USERNAME% is replaced by the user name of the new account being created and the home directory is set up automatically.

2. The second point is, if you are migrating existing home directories (maybe from a NetWare server) to a new Windows file server, you can first copy all the directories under the root home folder and then use a PowerShell script to change the user profile settings and assign permissions as a bulk process.
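One way such a bulk script could look, as an added example that is not the author's own script. It assumes the ActiveDirectory module is available and that each copied folder is named after the user id; the server name, the drive letter and the allowed folder-name pattern are assumptions.

```powershell
# Added example, not from the original post. Server name, drive letter and the
# folder-name pattern are assumptions; E:\Home is the root folder used in the post.
Import-Module ActiveDirectory

$root      = 'E:\Home'
$uncRoot   = '\\FILESERVER01\Home'   # hypothetical UNC path of the share
$homeDrive = 'H:'                    # assumed drive letter

$rights  = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

Get-ChildItem -Path $root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $name = $_.Name
    # The folder name is used as the user id; skip names that could break the filter.
    if ($name -notmatch '^[A-Za-z0-9._-]+$') {
        Write-Warning "Skipping '$name': unexpected characters in folder name"
        return
    }
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'"
    if (-not $user) {
        Write-Warning "Skipping '$name': no matching AD account"
        return
    }

    # Give the user full permissions on their own folder, subfolders and files.
    $acl  = Get-Acl -Path $_.FullName
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $user.SID, $rights, $inherit, $noProp, $allow
    $acl.AddAccessRule($rule)
    Set-Acl -Path $_.FullName -AclObject $acl

    # Point the account's profile settings at the migrated folder.
    Set-ADUser -Identity $user -HomeDrive $homeDrive -HomeDirectory "$uncRoot\$name"
    '{0} -> {1}\{0}' -f $name, $uncRoot
}
```

Folders without a matching account are only reported, so the warnings double as a list of orphaned directories to review after the migration.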

Thanks

Dilruk Jayanetti

Setting up user home directories in a Windows file server – 1

October 13, 2012

Setting up home directories is one of the tasks that server admins need to perform at some stage during a file server setup. Typically, home directories (sometimes called personal drives) are network drives assigned to domain users and mapped using a common drive letter (commonly H). The following are some of the important factors that need to be considered in setting up home directories;

1. Security: This is one of the first things that the server admins need to sort out when setting up home directories. Given that home directories are assigned to each user, for a given home directory, in addition to the server admins group, only the particular user the home directory has been assigned to should have the permissions to the directory. I will explain more about setting up permissions in part 2 of this post.

2. Storage: It can be a challenging task for server admins to manage the storage when users start storing their favourite music and kids’ birthday photos in their personal drives. Some organisations tend to give more flexibility and freedom to end users and expect server admins to monitor the disk space and inform or arrange with users to free up disk space on an ad-hoc basis. The other option is to use disk quotas, which assign a fixed number of megabytes or gigabytes to each user. This makes the server admin’s life much easier and is probably a better way to manage storage.

3. Performance: Performance is one of the factors that server admins need to consider, especially if the file server is migrated from one environment to another (such as NetWare to Windows). Usually, people expect network drives to perform similarly to the local drives in their computers, especially when it comes to opening and saving files. Depending on the server environment, network setup, client OS etc., certain configuration changes may be required in the file server as well as other environments to optimise the performance. The following article explains some of the TCP/IP changes that could improve the performance, but these changes need to be considered based on the nature of the environment and the specific performance issue;

http://www.speedguide.net/articles/windows-7-vista-2008-tweaks-2574

Also, it is worth looking at the SMB packet signing issue explained in the following Microsoft article;

http://www.speedguide.net/articles/windows-7-vista-2008-tweaks-2574

Another potential performance issue may be due to the authentication provider order. This is especially applicable if you are migrating from one environment to another. Usually, the Authentication Provider order can be found in the following registry location in Windows 7 and XP;

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order]

If you were originally connected to a NetWare server, the order may appear as "ProviderOrder"="NCFSD,RDPNP,LanmanWorkstation,webclient", where NCFSD represents the NetWare provider. You can test the network drive performance by moving NCFSD from first to last, i.e. "RDPNP,LanmanWorkstation,webclient,NCFSD".

In addition to these fixes; server monitoring, event logs and network monitoring may provide some assistance in troubleshooting issues specific to an environment.

4. Easy to Administer: Provisioning personal drives for users is an ongoing and possibly regular exercise for the IT department in an organisation. Typically, creating a home directory for a user is part of the process of creating a user account, an email address etc. for a new employee, and is usually performed by a helpdesk officer. Therefore, it’s important that a simple and well-defined process is maintained. Also, if you are migrating home directories from an existing environment to a new environment, you may need to explore some of the tools and scripting techniques that could make the process simpler, faster and yield more accurate results.

Now that we have looked at some of the important aspects of designing a home directory structure in a file server, in Part 2 of this post I will explain step by step how to set up a home directory structure using a Server 2008 file server in an Active Directory environment.

Bye for now.

Dilruk Jayanetti

Set value of a SharePoint 2010 BDC External Item Picker field using JQuery

May 29, 2012

Recently, I had a requirement to pre-populate an external data field in a SharePoint list based on the value of a query string parameter. There are plenty of examples around showing how to populate regular fields such as text boxes and drop-down boxes using JQuery, but it becomes a bit tricky when it comes to the BDC External Item Picker field. The reason is, if you look at the HTML source for the External Item Picker field, you will notice that it’s not a single HTML control but is composed of many HTML tags. Therefore, it’s hard to determine which HTML tag value should be assigned in JavaScript in order to pre-populate the control.

Following blog post helped me to understand how different HTML tags in the browser work together to display the External Item Picker field in the browser.

http://ghamson.wordpress.com/2010/10/11/prefill-a-list-form-field-external-data/

In the same blog, there is a solution explained to accomplish this task, however, the solution did not work for me. This was what I did to get it working the way I wanted;

1. Open the list form in the browser and go to the HTML source.

2. Find the HTML section corresponding to the External Item Picker control.

3. Within the HTML section for the External Item Picker, find the DIV tag and note the ID (see below enclosed in a green rectangle). That’s the tag whose value you need to set.

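4. Write a simple JQuery script to assign a value to the DIV tag’s inner HTML (see e.g. below)

<script language="javascript" src="http:/……./jquery-1.7.1.min.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript">
// Value that you want to pre-populate. If it is read from the query string,
// validate or HTML-encode it first, because .html() inserts it as markup.
var value1 = "1234";
$(document).ready(function () {
    // Replace the selector with the ID of the DIV tag noted in step 3
    $("#[The ID of the DIV tag noted above]").html(value1);
});
</script>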

Add the JQuery to a Content Editor Web Part in the list form page and you will see the External Item Picker field pre-populated with the value assigned.

Thanks
Dilruk Jayanetti