How to configure Home Folder with extra security

If you are having a domain controller, and decided to give a personal drive for all users, then home folder configuration is the best way to do it.

But if you want to make it secure for every users, then you have to configure something extra with ntfs security and share security.

Our current requirement as follows:

  • Deploy home folder for 500+ users
  • Make it secure, so that one user can not view others home folder from home share. Browse option should be disabled.

First option was easy and simple, but I have to think a lot on second option.

You can get the overview on how ntfs permission works on network share from following:

USERS

NTFS PERMISSION

SHARE PERMISSION

EFFECTIVE PERMISSION

USER A

R

R

R

USER B

F

R

R

USER C

R

F

R

USER D

F

F

F

USER E

F

N

N

USER F

N

F

N


So, if I want to create a network share for Home Folder, it will be bit difficult for blocking read only permission for all Authenticated users, except owner. I have to give full permission to Authenticated Users on network share, and read only access to NTFS permission for browsing their own home folder via network share.

But after some experiment with permission, I found a solution where only owner can have the permission of their folder and no one can browse root folder of network share.

First you have to create a folder on your file server, here we create Home$ and share it as Home$. Here we use $ share to hide the share from network share.

Share Permission will be:
Authenticated Users : FULL PERMISSION
SYSTEM : FULL PERMISSION

NTFS Permission will be:

Administrators : FULL PERMISSION
CREATOR OWNER : FULL PERMISSION
SYSTEM : FULL PERMISSION



Now when you apply home folder path (\servershare$%username%) from user property, a folder will create automatically on home folder root.

Newly created folder NTFS permission will set automatically as follows:
Administrators : FULL PERMISSION
CREATOR OWNER : FULL PERMISSION
USER : FULL PERMISSION
SYSTEM : FULL PERMISSION


Now to check the security, if you want to browse the \servershare$ from users system, you will get Access is denied error, as Authenticated Users don’t have NTFS permission on that folder.

But, you can access \servershare$%username% folder from users system, as users have full permission on that folder.


Also above folder will be mapped on users system as H drive, which already set on user’s property in AD.

Now home folder permission will be as follows, which is exactly the same as per my requirement.

USERS

HOME FOLDER PERMISSION

HOME FOLDER ROOT PERMISSION

USER A

FULL

NO ACCESS

Authenticated Users

NO ACCESS

NO ACCESS

Administrators

FULL

FULL

NOTE: Also make sure that you did not configure following policy, else home drive root folder will be mapped to the users system, which is not accessible.
Policy

Thanks for Reading
Saugata Datta 🙂

Disclaimer: All posts and opinions on this site are provided AS IS with no warranties. These are my own personal opinions and do not represent my employer’s view in any way.

Leave a Reply

Your email address will not be published. Required fields are marked *