user rights not working in home directory

[dogday]

HI,
Heres what I have
shared f:drive as F$- domain users have full control
shared folder called netshare- domain users have read
shared folder under netshare called users- users have read List
users home directories under shared users folder
example: testuser--has full contol for testuser folder
mapped H: \users
when testuser logs on he sees h: drive
he can open users and see all users home directories
he can open the testuser folder but
he cannot create a new folder under testuser folder
error message says cannot create object.
Im sure its a rights issue but I don't know where the problem is.

 

[atreynolds]

First: Is this on an NTFS Volume? Are you using Active Directory?

If you answered yes to question number 1, verify the folder security (not to be confused with the share security) and make sure that that particular user has the appropriate rights.

Second: The best (and easiest) way to create a user's "home" directory is to allow the system to do it for you automatically when you alter that user's profile in the Active Directory Users and Computers management console.

Open the properties for that particular user and click on the Profile tab. In the "Home Folder" area, select connect, choose a drive letter to be mapped for the user when they log in, and type the full UNC path (i.e. \\server\sharename\username). As long as you have shared a folder to be used as the root for all the users home directories, the console will automatically create the user's home directory and assign their account all the necessary rights.

Follow this procedure for all your users (or select multiple accounts and use the variable %username% in place of typing their username and it will create the folders and correct permissions for everyone). Easy as as pie.

Hope that helps.

Tony Reynolds
tony.reynolds@harmoniccorp.com

 

[dogday]

OK, I have done that. I have the connect to box set to
H: \\server\sharename\%username%
it is ntfs and when you look at the testuser folder it shows full control assigned to the testuser.
It did setup the rights for the user to have full control.
So maybe I'm not understanding mapping.
Can you map to the shared folder users and then the testuser open up his folder and create or copy files to it.
example: H:\users\testuser
then the user should be able to open up the folder testuser and create a new subfolder under testuser? 0r do you have to map to the testuser folder? When I try this it says access denied.

 

[atreynolds]

Well...

As testuser, you could map to the shared folder "users" and then open up the "testuser" folder (this is assuming that you've give testuser the appropriate share and file permissions to the "users" folder - generally this is read only permission) and do whatever you like in the "testuser" folder (again assuming that you've given full permissions to testuser for his own folder).

However, you shouldn't need to do this because the user's profile should automatically map H: to the user's home directory. i.e. when testuser logs in, H: is root mapped to \\servername\users\testuser.

Lets say testuser has only one file, "report.doc", in his home directory. When he opens "My Computer", then opens up his H: drive, he should see "report.doc" and nothing else. Also, he should not be able to back up to a higher level directory because H: is root mapped to his home directory.

Just to be thorough here, these are the permissions that testuser needs to be able to access his home directory.

For the folder "users", the group EVERYONE should have "Read and Execute", "List Folder Contents" and "Read" permissions.

For the share "users", the group EVERYONE should have "Read" permission.

For the folder "testuser", the user testuser should have "Full Control" permission.

Take note of the difference between share and folder permissions. Also, some variations on these permissions is probably acceptable to open up a little or even further restrict permissions, but these are pretty standard.

And finally, and this is very important, verify that you are NOT allowing "inheritable permissions from parent to propagate to this object". This check box is found on the security tab of the properties for each folder. If this box is checked, it will wreak havoc on the specific permissions that you are trying to assign to these user directories.

Good luck.

Tony Reynolds
tony.reynolds@harmoniccorp.com

 

[dogday]

Hi again,
OK I have the rights set at you said execpt that I am using domain users groups instead of everyone. It still doesn't work. Does it have to be the everyone group?
I thought that was a security issue?
Also, at the disk partition F: level it is shared with administraive purposes only. Does it need to have everyone permissions (full control)?

 

[atreynolds]

Domain Users is fine in place of Everyone and there doesn't need to be any additional sharing or opening of permissions of the disk partition. F$ is used by the system and does not (actually, should not) be messed with.

Honestly, this one is stumping me a little bit. I find that when there is a problem like this, sometimes the best thing is to stop the method you are using to attack the problem and try a completely different angle of attack.

In this case, that means coming from the opposite direction. The strategy that you are employing now assumes that you start from a point of no permissions, opening up more and more until you achieve the desired affect. We are probably just missing something, or I suppose it could be the curse of Microsoft programming at work here, but nevertheless the desired affect is not being achieved so lets try something else.

Why don't you start from having wide open permissions, giving everyone full permissions at the "users" folder and at the "users" share. Then choose the "testuser" folder and open that up with full permissions for everyone also. (make sure if there are any subfolders underneath, that you propagate these changes down from the "testuser" level).

Then, while logged into another PC as testuser, if you still cannot gain access to their folder via \\servername\users\testuser, then you have another problem entirely. If you can't get to it after that then there is a problem with the NTFS database on the drive, or there is a problem with the Active Directory. This is probably not the case though.

If you are able to gain access to the folder after opening it up, then remove permissions one at a time until you reach the point of lost access, at which point you will know the appropriate permissions to give. A methodical approach and fastidious accounting of your actions will reveal the problem.

Good luck.
Tony

 

[dogday]

Thanks,
I had the share permissions and the security tab permissions reversed.

 

[GlenJohnson]

I'm having a similar problem. I have a user who even when I make them an administrator, when she tries to access a folder, it won't give her permission. She's a member of several older groups that were migrated from NT4.0. I know the problem stems from there, because I created a dummy user account, gave it very basic rights, (Domain user in the groups belonged to) and it the folder security options, gave it admin rights to that folder only. Test user got in with no problem. Added the groups to test user to match the problem user, still gets there with no problem. If I log onto her machine, I can access it with no problem, so it's not pc related. Ideas on where to look? Thanks.