Saturday, 16 August 2014

Setting up a user home using Windows 8 RSAT part 1 – Server 2008 R2 server without WinRM 3.0

There are 3 main steps to configuring user home directories

1. Create a new share eg home$ with domain users having Full Control of the share but the "users" group is removed entirely from NTFS permissions

            This leaves Creator Owner with full permissions, Administrators with full permissions and I also add domain admins with full permissions also.

2. In ADUC* modify the users home H: drive mapping to \\FileServer\home$\%username% - on clicking apply a new folder will be created by ADUC with the users name in the home$ share with the NTFS permissions defined above AND the user being added explicitly with full control - thus granting just this one user access to his home folder but not any other standard user

3. Move the users data from any previous share/local drive into their new folder

*ADUC = Active Directory Users and Computers

Add your file server to Windows Server Manager:

Right click on “All Servers” and click Add Server

Type the name of your server and click Find Now and press the > button to move it over to the Selected pane and then click on OK

The process on Windows Server 2008 R2

Server 2008 R2 does not have WinRM3.0 installed by default so server manager probably shows something like this next to the server

This means that we will need to use the older share wizard in Computer Management to complete the task

Right click on your server in server management and select Computer Management

Expand System Tools > Shared Folders > Shares


Right Click on Shares and select New Share

I am creating a new folder “home” on the D: drive to house users documents etc

On the next screen I have provided a share name

The $ at the end of the share name means that the share is hidden – if a user happens to browse the server looking for shares it will not appear

On the next screen click Customize permissions and then click Custom

By Default the Everyone group has access to this folder (share tab), lets change that to domain users have full control

We now need to edit the NTFS permissions to lock down the users home folder so that only the user it belongs to and the IT staff can access it so click on the Security Tab

Click Advanced at the bottom of the Security Tab

On the advanced screen we need to Disable inheritance and then Convert inherited permissions into explicit permissions on this object

Next highlight the Users group and click Remove – that will leave your advanced security settings looking something like this

Now if you go into ADUC and select a user

Go to the profile tab

Under home folder click Connect, select a drive letter from the drop down box and then set the home directory to \\FileServer\share$\%username% (replace the server and share name as appropriate but the %username% variable will auto populate with the users name when you click OK)

My TestHomeShare user immediately creates this shared folder after setting his home drive mapping in ADUC which I can see by browsing to the folder that I created

Now when the user logs in they have got a H:\ drive which is automatically mapped to the path that we setup earlier

 

No comments:

Post a Comment