Creating user's home folders with proper permissions

Guest

When we were running under Windows NT when we would create a new user we
would assign that user a "home" folder in his profile with the format
\\server\user\%username%. This would create a folder called %username% under
the user folder on that server and would assign permissions so that user had
full control of that folder and ONLY that user had any permissions on that
folder at all.

Fast forward to today...we are now running Windows 2000 AD native mode.
Basically we do the same thing in ADUC that we did with the user manager
before. Also, I have had to move the user folder from one disk to another on
that same server. Now when we create a new user with ADUC, the home folder
gets created OK under the "user" folder, but the permissions are wrong.
Instead of just the user having permissions, the user has full control, but
so does everyone as well as the local administrator group. I assumed that I
had somehow screwed up the root permission on the drive itself or on the
"user" folder so that the wrong things were bleeding down into the %username%
folders. However, I don't see the local admin group in the higher-level
folder, but EVERYONE does have full-control security. I assume that this is
wrong. I have experimented with changing EVERYONE to read only and adding
Domain Admin group so that the sub folders can get created. That works, but
I can't get the sub-folders back to the NT days where ONLY the user has
rights to his folder. We can go in manually and fix it, but before it was
totally automatic.

Does anyone have any thoughts on this?
 
Jerold Schulman


When a user logs on, the Folder Redirection Group Policy extension creates the \\ServerName\Users\%UserName% folder and sets the owner as %UserName%. Because you cleared the Grant user exclusive rights to ..... box, the
\\ServerName\Users\%UserName% folder will inherit the ACLs from the \\ServerName\Users folder, granting:

See tip 3471 » How can I insure that administrators have access to a user's redirected folder?
in the 'Tips & Tricks' at http://www.jsifaq.com



Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
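
To check which home folders have picked up extra permissions from the parent folder as described in the reply above, the following PowerShell audit lists every Allow entry that belongs to someone other than the folder's user, SYSTEM or the local Administrators group. It is an added example, not part of the original thread or the referenced tip; it assumes each sub-folder is named after its user account, and the function name and the `EXAMPLE` domain are placeholders.

```powershell
# Added example: audit home-folder ACLs for principals that should not be there.
# Assumptions (not from the thread): every sub-folder of $Root is named after the
# account it belongs to, and $Domain is the NetBIOS name of that account's domain.
function Get-HomeFolderAclFinding {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Domain,
        # Principals tolerated besides the user; adjust to local policy.
        [string[]] $Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
        $folder   = $_
        $expected = "$Domain\$($folder.Name)"      # the only user who should have access
        $acl      = Get-Acl -LiteralPath $folder.FullName

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries do not widen access
            $id = $ace.IdentityReference.Value
            if ($id -ieq $expected -or $Allowed -icontains $id) { continue }

            # Anything left (for example Everyone) is an unexpected grant.
            [pscustomobject]@{
                Folder    = $folder.FullName
                Identity  = $id
                Rights    = $ace.FileSystemRights
                # True: the entry comes from the parent folder, so fix it there.
                # False: the entry was set on this folder directly.
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage, with the share path from the question and a placeholder domain name:
# Get-HomeFolderAclFinding -Root '\\server\user' -Domain 'EXAMPLE' | Format-Table -AutoSize
```

An empty result means no home folder grants access beyond the user and the tolerated principals.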
 
Guest

Thanx...That did it. It's not quite the same as before but I can
automatically create the user folder and keep all other "users" out.
Jon
 
