1. Create a new share eg home$ with domain users having Full Control of the share but the "users" group is removed entirely from NTFS permissions
This leaves Creator Owner with full permissions, Administrators with full permissions and I also add domain admins with full permissions also.
2. In ADUC* modify the users home H: drive mapping to \\FileServer\home$\%username% - on clicking apply a new folder will be created by ADUC with the users name in the home$ share with the NTFS permissions defined above AND the user being added explicitly with full control - thus granting just this one user access to his home folder but not any other standard user
3. Move the users data from any previous share/local drive into their new folder
*ADUC = Active Directory Users and Computers
Add your file server to Windows Server Manager:
Right click on “All Servers” and click Add Server
Type the name of your server and click Find Now and press the > button to move it over to the Selected pane and then click on OK
The process on Windows Server 2008 R2
Server 2008 R2 does not have WinRM3.0 installed by default so server manager probably shows something like this next to the server
This means that we will need to use the older share wizard in Computer Management to complete the task
Right click on your server in server management and select Computer Management
Expand System Tools > Shared Folders > Shares
Right Click on Shares and select New Share
I am creating a new folder “home” on the D: drive to house users documents etc
On the next screen I have provided a share name
The $ at the end of the share name means that the share is hidden – if a user happens to browse the server looking for shares it will not appear
On the next screen click Customize permissions and then click Custom
By Default the Everyone group has access to this folder (share tab), lets change that to domain users have full control
We now need to edit the NTFS permissions to lock down the users home folder so that only the user it belongs to and the IT staff can access it so click on the Security Tab
Click Advanced at the bottom of the Security Tab
On the advanced screen we need to Disable inheritance and then Convert inherited permissions into explicit permissions on this object
Next highlight the Users group and click Remove – that will leave your advanced security settings looking something like this
Now if you go into ADUC and select a user
Go to the profile tab
Under home folder click Connect, select a drive letter from the drop down box and then set the home directory to \\FileServer\share$\%username% (replace the server and share name as appropriate but the %username% variable will auto populate with the users name when you click OK)
My TestHomeShare user immediately creates this shared folder after setting his home drive mapping in ADUC which I can see by browsing to the folder that I created
Now when the user logs in they have got a H:\ drive which is automatically mapped to the path that we setup earlier
No comments:
Post a Comment