If you have a domain controller and have decided to give every user a personal drive, then home folder configuration is the best way to do it.
But if you want to make it secure for every user, you have to configure something extra with NTFS security and share security.
Our current requirements are as follows:
- Deploy home folders for 500+ users
- Make it secure, so that one user cannot view another user's home folder from the home share; browsing the share root should be disabled.
The first requirement was easy and simple, but I had to think a lot about the second one.
You can get an overview of how NTFS permissions combine with share permissions on a network share from the following table (R = Read, F = Full Control, N = No access; the effective permission is the more restrictive of the two):
| USERS | NTFS PERMISSION | SHARE PERMISSION | EFFECTIVE PERMISSION |
|---|---|---|---|
| USER A | R | R | R |
| USER B | F | R | R |
| USER C | R | F | R |
| USER D | F | F | F |
| USER E | F | N | N |
| USER F | N | F | N |
So, if I want to create a network share for home folders, it is a bit difficult to block even read-only access for all Authenticated Users except the owner. I have to give Full permission to Authenticated Users on the network share, and then use NTFS permissions so that each user can browse only their own home folder through the share.
But after some experimenting with permissions, I found a solution where only the owner has permission on their folder and no one can browse the root folder of the network share.
First, create a folder on your file server; here we create Home$ and share it as Home$. The $ suffix hides the share from network browsing (note that this only hides it from the browse list; the share and NTFS permissions below are what actually restrict access).
Share permissions will be:
- Authenticated Users : FULL PERMISSION
- SYSTEM : FULL PERMISSION
NTFS permissions will be:
- Administrators : FULL PERMISSION
- CREATOR OWNER : FULL PERMISSION
- SYSTEM : FULL PERMISSION
Now when you set the home folder path (`\\server\share$\%username%`) in the user's properties, a folder is created automatically under the home folder root.
The NTFS permissions on the newly created folder are set automatically as follows:
- Administrators : FULL PERMISSION
- CREATOR OWNER : FULL PERMISSION
- USER : FULL PERMISSION
- SYSTEM : FULL PERMISSION
Now to check the security: if you try to browse `\\server\share$` from a user's system, you get an "Access is denied" error, as Authenticated Users have no NTFS permission on that folder.
But you can access the `\\server\share$\%username%` folder from the user's system, as the user has Full permission on that folder.
The folder above is also mapped on the user's system as the H: drive, which is already set in the user's properties in AD.
The home folder permissions are now as follows, which is exactly what my requirements called for:
| USERS | HOME FOLDER PERMISSION | HOME FOLDER ROOT PERMISSION |
|---|---|---|
| USER A | FULL | NO ACCESS |
| Authenticated Users | NO ACCESS | NO ACCESS |
| Administrators | FULL | FULL |
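The share and NTFS layout described above, scripted with PowerShell as an added example (this is not code from the original post). It assumes placeholder names FS01, D:\Home$ and jdoe, an elevated session on the file server, and the ActiveDirectory module.

```powershell
# Added example, not code from the original post. Placeholders: server FS01,
# local path D:\Home$, user jdoe. Run elevated on the file server with the
# ActiveDirectory module available.
$root = 'D:\Home$'; $shareName = 'Home$'; $server = 'FS01'
$ar   = 'System.Security.AccessControl.FileSystemAccessRule'
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$ci   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
# 1. Root folder and hidden share: Authenticated Users and SYSTEM get Full on the SHARE
New-Item -Path $root -ItemType Directory -Force | Out-Null
New-SmbShare -Name $shareName -Path $root -FullAccess 'Authenticated Users','NT AUTHORITY\SYSTEM' | Out-Null
# 2. NTFS on the root: stop inheritance, keep only Administrators, CREATOR OWNER, SYSTEM.
#    No ACE for Authenticated Users, so their effective permission on the root is None.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRule($ace) }
foreach ($id in 'BUILTIN\Administrators','NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object $ar $id, $full, $ci, 'None', 'Allow'))
}
# CREATOR OWNER is inherit-only: whoever creates a subfolder becomes its Full Control owner
$acl.AddAccessRule((New-Object $ar 'CREATOR OWNER', $full, $ci, 'InheritOnly', 'Allow'))
Set-Acl -Path $root -AclObject $acl
# 3. Per-user folder. ADUC creates it when the home folder path is set in the user's
#    properties; Set-ADUser does not, so create it here and grant the user Full Control
#    explicitly, which gives the same ACL the post shows for an auto-created folder.
function New-HomeFolder {
    param([string]$SamAccountName)
    $path = Join-Path $root $SamAccountName
    New-Item -Path $path -ItemType Directory -Force | Out-Null
    $a = Get-Acl -Path $path
    $a.AddAccessRule((New-Object $ar "$env:USERDOMAIN\$SamAccountName", $full, $ci, 'None', 'Allow'))
    Set-Acl -Path $path -AclObject $a
    Set-ADUser -Identity $SamAccountName -HomeDrive 'H:' `
               -HomeDirectory "\\$server\$shareName\$SamAccountName"
}
# 4. Check: the user holds Full Control on their folder and no ACE names Authenticated Users
function Test-HomeFolderAcl {
    param([string]$SamAccountName)
    $access = (Get-Acl -Path (Join-Path $root $SamAccountName)).Access
    $own  = $access | Where-Object { $_.IdentityReference -like "*\$SamAccountName" -and
                                     $_.FileSystemRights -eq 'FullControl' }
    $auth = $access | Where-Object { $_.IdentityReference -like '*Authenticated Users*' }
    return ([bool]$own -and -not $auth)
}
New-HomeFolder -SamAccountName 'jdoe'
Test-HomeFolderAcl -SamAccountName 'jdoe'
```

Run Test-HomeFolderAcl against a few existing folders after the rollout; any folder where it returns False has an ACL that differs from the layout in the table above.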
NOTE: Also make sure that you have not configured the following policy, otherwise the home drive root folder will be mapped on the user's system, which is not accessible.
Thanks for Reading
Saugata Datta 🙂
Disclaimer: All posts and opinions on this site are provided AS IS with no warranties. These are our own personal opinions and do not represent our employer’s view in any way.
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.