Setting up user home directories in a Windows file server – 2

October 13, 2012

In Part 1 of this post, I explained some of the important factors that need to be considered when setting up home directories for users in a Windows file server. In this post, I will explain step by step how to set up a home directory structure on a Server 2008 file server, using a test scenario.

1. If you haven’t already set up the file server, you need to add the File Server role from Server Manager.

You will notice that the File Server role service is selected automatically. In this case, I have also selected File Server Resource Manager, which is an optional role service. File Server Resource Manager is useful for setting up notifications, disk quotas and so on.

2. Now we need to set up a folder that will be the root folder for user home directories. Each user will have an individual subfolder under this root folder, with the Active Directory user id as the folder name. For this example, I have created a folder called “Home” on the E drive of my test file server. Next we need to share this folder.

3. To share the folder, go to the folder properties and select File Sharing. At this stage you need to give share permissions on the folder only to local administrators. I prefer to set up the rest of the permissions in the Share and Storage Management tool.

4. Go to Administrative Tools and open Share and Storage Management. You will notice that the shared folder created in step 3 appears in the list of shares. Go to the properties of this shared folder. In the properties, click the Permissions tab and click Share Permissions. In this example, I would like all Domain Users to have individual home directories and the Helpdesk group to have the ability to create home directories. I would also like to give the local administrators of the server full permissions. Accordingly, my share permissions are as follows:

Helpdesk (is an Active Directory Group) – Full permissions.
Domain Users – Change and Read permissions.
Administrators – Full Permissions.

Click the Apply button to apply the permissions.

Now click the NTFS Permissions button. I have assigned the following NTFS permissions according to the test scenario explained above.

Local System – Full Control
Helpdesk – Modify
Administrators – Full Control.

Note that Domain Users do not have NTFS permissions on the root folder, and that’s fine. Users only need permissions on their own home directories. Click OK to apply the NTFS permissions and click the Sharing tab.

5. In the Sharing tab, click Advanced and make sure “Enable access-based enumeration” is selected. When access-based enumeration is enabled, a folder is hidden from users who do not have permissions to it. I prefer to have this option enabled on a file server; however, it’s an optional setting.

6. Now open the Active Directory Users and Computers and create a new user (or open the properties of an existing user). In this example, I use an account with user id “testuser”. In the user properties, go to Profile tab and specify the home directory as shown below.

Click Apply and OK. This creates a new folder called “testuser” under the root Home folder and gives “testuser” full permissions to the directory. No manual work is required. Now if you open the UNC path of the home directory, you will notice that a new folder called “testuser” has been created under the “Home” folder. Note the permissions of this folder.

7. Now, go to a workstation and log in as “testuser”. You will notice that a new personal drive has been mapped for the user.

There are two more points I would like to mention before closing this post;

1. You can make the process of creating new users even simpler by using a user account template. A user account template is just another Active Directory account; when you create a new user, you can right-click the template account and click Copy. This copies the default settings of the template account to the new user being created. To make the home directory creation process simpler, go to the properties of the template user account and, in the Profile tab, assign the home folder in the following format;

Now, when you create a new user from this template, %USERNAME% is replaced by the user name of the new account being created and the home directory is set up automatically.

2. The second point is that if you are migrating existing home directories (maybe from a NetWare server) to a new Windows file server, you can first copy all the directories under the root home folder and then use a PowerShell script to change the user profile settings and assign permissions as a bulk process.
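
The bulk process from the second point could look like the following sketch. It is an added example, not a script from the original post; the server name `FILESERVER` and the drive letter `H:` are placeholders, and it assumes the ActiveDirectory PowerShell module is available on the file server.

```powershell
# Added example: bulk-assign migrated home directories under the root folder.
# Placeholders (not from the original post): FILESERVER, H:
# Requires the ActiveDirectory module; run elevated on the file server.
Import-Module ActiveDirectory

$RootPath = 'E:\Home'             # root folder created in step 2
$ShareUnc = '\\FILESERVER\Home'   # placeholder UNC path of the share
$Drive    = 'H:'                  # placeholder drive letter for the mapping
$SidType  = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($dir in Get-ChildItem -Path $RootPath | Where-Object { $_.PSIsContainer }) {
    # The folder name must equal the AD user id; escape quotes for the filter string.
    $sam  = $dir.Name.Replace("'", "''")
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'"
    if (-not $user) {
        New-Object PSObject -Property @{
            Folder = $dir.Name; Status = 'No AD account, skipped'; ExtraAces = ''
        }
        continue
    }

    # Point the account at its migrated folder (same fields as the Profile tab).
    Set-ADUser -Identity $user -HomeDirectory "$ShareUnc\$($dir.Name)" -HomeDrive $Drive

    # Grant the owner full permissions, matching what step 6 does for new accounts.
    # Use 'Modify' instead if users should not be able to change the folder ACL.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $user.SID, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $dir.FullName
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dir.FullName -AclObject $acl

    # List explicit (non-inherited) ACEs for anyone other than the owner: copied
    # folders can carry grants that do not belong on a personal home directory.
    $extra = $acl.GetAccessRules($true, $false, $SidType) |
        Where-Object { $_.IdentityReference.Value -ne $user.SID.Value } |
        ForEach-Object { $_.IdentityReference.Value }

    New-Object PSObject -Property @{
        Folder = $dir.Name; Status = 'Updated'; ExtraAces = ($extra -join ';')
    }
}

$report | Select-Object Folder, Status, ExtraAces | Format-Table -AutoSize
```

Folders reported as skipped have no matching account and keep only the permissions inherited from the root folder; any SIDs listed under ExtraAces should be reviewed before users are given access to the share.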

Thanks

Dilruk Jayanetti
