User home folder permissions problem

wb8wbn

IS-IT--Management
Apr 24, 2003
52
US
Added Active Directory to an existing 2000 server. The users have home folders: C:\users\[login]. In the user properties, the map folder box is checked to map drive F: to the user's folder. The user has full control of the folder, nobody else. With the user as a member of the domain users group, drive F: is mapped to C:\users, all of the user folders are visible, but access is denied to any folder (including the user's home folder). Changing the user to the domain admin group, drive F: is then mapped to the correct folder C:\users\[login], with full access. No other folders in the tree are visible.

What am I missing?
 
Users have complete control of their home folders; admins can see all the folders, but can't go into them without taking ownership. For users, they can't see any other folders, but they have ownership of their own folders.

Remember that taking ownership is audited (if you have it turned on). The point of this is to prevent a rogue admin from taking ownership of another user's home drive, changing a doc, and then giving the folder right back to the user.

What you are seeing is perfectly normal!

/Sidharth
 
Logging in as the user, and a member of the domain users group, the mapping is incorrect as above, and the user does NOT have access to the folder. How do I map the folder properly and give the user full access?

Logging in as the user, and a member of the domain admins group, it works properly. I don't want the user to have any elevated permissions.
 
Full control on the folder. No other users have rights to the folder.
 
Hi,
AFAIK, if you let Windows create the user home folder (from user properties), only that user has full access to his/her folder. If you created the user folder before you set up the home folder in user properties, you have to set up the permissions manually.
Make sure c:\users is shared with full control for authenticated users (if you don't want everyone).
 
I set the permissions in the sharing tab on the folder properties. It was there before the AD install. The user has full control of the folder. But when the user tries to access the folder he is denied access. The mapping is also incorrect, the F: drive is mapped to the user root folder, not the individual folder.

I have tried to map the drive with both the check box in user properties and using a login script.
 
Hi,

Is it for all users or only a particular user?
How many DCs do you have? If it is more than one, are the user's properties the same on both DCs?
 
All users that are domain users. The 2 users in the domain admins group work fine. Only 1 DC.
 

You said the folder & sharing existed before you added AD, so try to eliminate the problem: create a new user, use user properties instead of a login script, and then check what the NTFS permission is for c:\user\[login]. It should work.



 
Something else to consider is the backup of the user data.

I normally set up all user directories giving the administrator ownership of the folder, with the user having full control. That way the backups will run and will not be denied access to the folder, but the user can allow access to folders and files he creates in his directory if he so desires.

Since the main purpose of having home directories is to put them where they can be effectively backed up and protected, remember this in your design. Do not build in problems by giving users sole access to the directories or you will find it a very painful experience when there is a failure and you discover that none of the critical user data can be restored because the nightly backups always skipped these files due to being denied access.

Remember, you cannot prevent the administrator from taking ownership of anything on the server, so what is the point of compounding the issue by giving users admin access? With that access they can go anywhere else also. You have other serious problems if you do not trust your admin staff anyway, and you can still audit all access if you want to.

Part of the issue here is how the mapping is done. Since you built the Home directory before you had AD, it sounds like the C:\users is where the actual share point is located, so this is what the users will see when they browse the network (i.e., they can list the subdirectories, but cannot see the contents of these subdirectories). Since an Admin has the ability to create a share, from your description it sounds like this is what the users are doing, i.e., they are creating a new share point to the subdirectory in the Home directory.

If you do not want to start over from AD, then I suggest you change the Home directory to put a level between the share point and the user home directory so users do not have to see a complete listing of all home directories. Insert another level between C:\users and the home directory by dividing up the users into alphabetic groups like: userA-C, userD-F, etc., based on the numbers of users in each group. This way none of the users' actual home directories will be visible directly from the share point, and users will be able to find their specific directory quickly without having to scroll down through the entire list of all users to find theirs.

HTH

David
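
An added example, not part of any post in this thread: a PowerShell audit of the layout David describes (Administrators as owner, the user with full control), reporting each home folder's owner and any other principals holding Allow ACEs. The root path, the placeholder domain CONTOSO and the folder-name-equals-login convention are assumptions.

```powershell
# Added example: audit NTFS ACLs on home folders (not code from the thread).
# Assumptions: folder name = login name, placeholder domain CONTOSO, root C:\users.
param(
    [string]$Root   = 'C:\users',
    [string]$Domain = 'CONTOSO'
)

$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$admins  = 'BUILTIN\Administrators'
$trusted = @($admins, 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $dir   = $_
    $user  = "$Domain\$($dir.Name)"
    $acl   = Get-Acl -LiteralPath $dir.FullName
    $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })

    # Principals holding an Allow ACE that includes every FullControl bit.
    # ACEs stored as generic rights are not decoded and will not match.
    $fullHolders = @($allow |
        Where-Object { ($_.FileSystemRights -band $full) -eq $full } |
        ForEach-Object { $_.IdentityReference.Value })

    # Anyone with access besides the user and the expected system principals.
    $others = @($allow |
        ForEach-Object { $_.IdentityReference.Value } |
        Where-Object { $_ -ne $user -and $trusted -notcontains $_ } |
        Sort-Object -Unique)

    [pscustomobject]@{
        Folder      = $dir.FullName
        Owner       = $acl.Owner
        UserFull    = $fullHolders -contains $user
        AdminsFull  = $fullHolders -contains $admins
        AdminsOwn   = $acl.Owner -eq $admins
        OtherAccess = $others -join ', '
    }
} | Format-Table -AutoSize
```

This reads NTFS permissions only; access through the mapped drive is also limited by the permissions set on the share itself, so a row that looks correct here can still be denied over the network.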
 