2

I'm trying (without success) to get help with setting up User Home Folder\Directory permissions on Server 2012. What I would like to know is what permissions I need so that each user can access his/her files, etc., but CANNOT view\access other users' home folders.

I have already created folders on the server called "UserProfiles" and "UserData". When a user logs on for the first time, their home folder would be created as a subfolder in the "UserData" folder, i.e. \\server01\UserData$\%username%

LondonGuy

2 Answers

6

Unless something drastic has changed in 2012, the following should work.

Set the share on the server (in your case UserData$) with Full Control for the Admins/Domain Admins, and Everyone as "Change and Read".

On the NTFS folder "UserData", set the permissions explicitly, without inheritance, and only grant Domain Admins Full Control, along with anyone outside of Domain Admins that needs to see all folders.

Then when you create the user in AD and set their home folder, that subfolder %username% will automatically be granted Full Control for that user. Since they can traverse the UserData folder to map a drive to \\server01\UserData$\%username%, they get access to only that folder. Mapping a drive to \\server01\UserData$ will be useless for them.

That's how we've always set ours up over the years.

Now with 2012 you can easily enable ABE http://heineborn.com/tech/enable-access-based-enumeration-in-windows-server-2012/ where the users only see folders they have rights to, but this isn't even necessary if you do the above.

TheCleaner
  • Yeah, that tried and true method still works in Server 2012. – HopelessN00b Dec 20 '12 at 14:55
  • Many thanks TheCleaner & HopelessNoob for your speedy replies. I'm a complete noob too and trying to get to grips with this using a virtual Server 2012 on VBox. Will let you know how I get on. – LondonGuy Dec 20 '12 at 15:05
  • From what I can see, the subfolder %username% can be deleted by the user (since he has full control). Is there any way to prevent users from deleting their own home folders? – Reyhn Dec 08 '15 at 19:49
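The share and NTFS layout described in the answer above, scripted in PowerShell as an added example that is not part of the original answer. The local path `D:\UserData`, the domain `CONTOSO` and the user `jdoe` are placeholders, and the final audit step goes beyond the answer to check the result.

```powershell
# Added example. Placeholders (assumptions, not from the page):
$root   = 'D:\UserData'   # local folder behind the UserData$ share
$domain = 'CONTOSO'       # domain name
$user   = 'jdoe'          # sample account whose home folder is created below

# 1. Share permissions: Domain Admins Full Control, Everyone Change (includes Read).
#    AccessBased turns on ABE, which the answer notes is optional.
$share = @{
    Name                  = 'UserData$'
    Path                  = $root
    FullAccess            = "$domain\Domain Admins"
    ChangeAccess          = 'Everyone'
    FolderEnumerationMode = 'AccessBased'
}
New-SmbShare @share

# 2. NTFS on the root: explicit ACL, inheritance from the parent blocked,
#    Domain Admins only. Users get no ACE here, so they cannot list the root.
$rootAcl = New-Object System.Security.AccessControl.DirectorySecurity
$rootAcl.SetAccessRuleProtection($true, $false)   # protect, discard inherited ACEs
$rootAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\Domain Admins", 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $root -AclObject $rootAcl

# 3. Per-user folder: inherits Domain Admins from the root, plus Full Control
#    for the owning user only (what setting the home folder in AD does for you).
$userHome = New-Item -Path (Join-Path $root $user) -ItemType Directory
$homeAcl  = Get-Acl -Path $userHome.FullName
$homeAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\$user", 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $userHome.FullName -AclObject $homeAcl

# 4. Audit: report any explicit ACE on a home folder that names someone other
#    than the user the folder is named after. No output means the layout holds.
Get-ChildItem -Path $root -Directory | ForEach-Object {
    $expected = "$domain\$($_.Name)"
    $folder   = $_.FullName
    (Get-Acl -Path $folder).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -ne $expected } |
        Select-Object @{ n = 'Folder'; e = { $folder } }, IdentityReference, FileSystemRights
}
```

Step 4 can be rerun on a schedule to catch home folders whose ACLs have drifted, for example after a manual permission change.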
0

Okay, here is an answer.... Flamebait lol... Since you have backward folks in the industry with upside down logic, just think in terms of reverse. So grant permissions at a higher level that you really do not want your users to have before you limit them at a lower level. Coming out of the box, unlike NT, when you create a user and set up their home folder, they will not by default be able to write to it. When you look at the permissions to try and identify why, there is nothing that indicates it shouldn't work. But then again, when you are told system files go on a boot partition and boot files go on the system partition, you can understand why it doesn't add up. The same people who say you park on a driveway and driveway on a parkway are running things. Solve that problem and you will solve the world's problems. :0)