Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

User home directory - admin questions [message #159800] Sun, 09 August 2009 13:14
totalnet32 (United States)
Messages: 8
Registered: August 2009
Junior Member
What would be a decent quota enforced on users' home directory?

I would like to give all my users a home directory - right now only a
few have - Anyone have any suggestions on how this should be
attacked? Just go down AD and match up names to folders, on
servers?

thanks
Re: User home directory - admin questions [message #159804 is a reply to message #159800] Sun, 09 August 2009 14:22
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"totalnet32" <totalnet32@hotmail.com> wrote in message
news:36dcb744-f154-408f-a27b-01dc471ecfd0@o13g2000vbl.googlegroups.com...
> What would be a decent quota enforced on users' home directory?
>
> I would like to give all my users a home directory - right now only a
> few have - Anyone have any suggestions on how this should be
> attacked? Just go down AD and match up names to folders, on
> servers?
>
> thanks
>


My preferences, and everyone has their own,

1. Create a top level folder, called Users. Share it as "Users$" (without
the quotes). The "$" makes it hidden.

2. Set Share Permissions to Domain Admins - FC. Remove Everyone. This is
only for administrative purposes. No user accounts will access their home
folders through this share.

3. In NTFS (Security tab) permissions, Advanced, Uncheck Inheritance. Choose
Copy when prompted. For NTFS permissions, set the following.
Domain Admins = FC
System = FC
Remove any other existing user or groups.

4. Create subfolders for each individual user account. Name them based on
the user's logon IDs.

5. Share each subfolder individually with a "$" on the end of the sharename.
For example, if the userID = JSmith, call the folder "jsmith," and share it
as "jsmith$" (without the quotes).

6. Set Share permissions to Domain Admins = FC, and JSmith = FC. Remove
Everyone.

7. In NTFS (Security tab) permissions, Advanced, Uncheck Inheritance. Choose
Copy when prompted. For NTFS permissions of each individual subfolder, set
the following (using JSmith as an example):
Domain Admins = FC
System = FC
JSmith = FC
Remove any other existing users or groups.

8. In each individual user's Active Directory account property, Profile
tab, towards the bottom for the Home folder location, choose a letter for
the drive mapping (I like H: for home), and type in the following:
\\servername\%username%$. This will map directly to the user's home folder.
The %username% is a variable used for the UserID (samAccountName), or better
known as the Logon UserID.

9. In each user's logon script, specify to map H: to
\\servername\%username%$. For example, if using a batch file (.bat), the
command, and the line before it to disconnect h: if someone else may have
accidentally created a mapping using the letter h: to something else, would
look like this:
net use h: /d
net use h: \\servername\%username%$


That's the basics. I'm sure others will have their own versions or use the
Active Directory's default method of simply creating the top level folder,
share it as Domain Admin = FC and Authenticated users = FC, and System = FC,
where the system automatically creates the subfolders based on user accounts
once you've entered the path in step 8 as \\servername\%username%. But it
won't let you use the hidden character. You can actually use this method to
create the folders automatically for you if you have many users, then go
through my steps to change the share and permissions. Or you can script the
changes.

I use this method so each individual account has a direct mapping to their
folders, and no one else can view the top level folder and see all the user
accounts in the infrastructure. It's a little more work, and scripting will
help to automate it when a new user gets hired, but it's one of my basic
security best practices I follow, no matter how small or large the company.
You will find many companies, small and large, use this method. But like I
said, each administrator or designer may have their own methods and
opinions. It also helps when using Folder Redirection. If you want info on
Folder Redirection, let me know.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
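
A scripted form of steps 4 through 8 above, added here as an example and not part of the original post. It assumes it runs elevated on the file server with the SmbShare and ActiveDirectory PowerShell modules available; the function name New-HomeShare and the values CONTOSO, FS01 and D:\Users are placeholders.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory, SmbShare
# Added example. CONTOSO, FS01 and D:\Users are placeholder values.
function New-HomeShare {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Domain = 'CONTOSO',
        [string]$Server = 'FS01',
        [string]$Root   = 'D:\Users',
        [string]$Drive  = 'H:'
    )

    # The logon ID becomes a folder name and a share name, so accept only a
    # plain account name (no path separators, wildcards or trailing "$").
    if ($SamAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        throw "Refusing unexpected account name '$SamAccountName'"
    }
    $sam = $SamAccountName.ToLower()
    $null = Get-ADUser -Identity $sam -ErrorAction Stop   # fail early if no such user

    $path   = Join-Path $Root $sam
    $share  = "$sam`$"                  # trailing "$" hides the share from browsing
    $admins = "$Domain\Domain Admins"
    $user   = "$Domain\$sam"

    # Step 4: one subfolder per logon ID
    $null = New-Item -ItemType Directory -Path $path -Force

    # Step 7: stop inheriting from the parent and leave exactly three
    # Full Control entries (Domain Admins, SYSTEM, the user).
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)    # protected, inherited ACEs dropped
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
    foreach ($id in $admins, 'NT AUTHORITY\SYSTEM', $user) {
        $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $path -AclObject $acl

    # Steps 5 and 6: hidden share, Full Control for Domain Admins and the user only
    if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
        $null = New-SmbShare -Name $share -Path $path -FullAccess $admins, $user
    }

    # Step 8: home folder mapping on the AD account
    Set-ADUser -Identity $sam -HomeDrive $Drive -HomeDirectory "\\$Server\$share"

    # Return what was actually applied so the result can be reviewed,
    # for instance to confirm Everyone is absent from both lists.
    [pscustomobject]@{
        HomeDirectory = "\\$Server\$share"
        ShareAccess   = Get-SmbShareAccess -Name $share |
                            Select-Object AccountName, AccessControlType, AccessRight
        NtfsAccess    = (Get-Acl -Path $path).Access |
                            Select-Object IdentityReference, FileSystemRights, IsInherited
    }
}

# Usage: New-HomeShare -SamAccountName jsmith
```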
Re: User home directory - admin questions [message #159809 is a reply to message #159804] Sun, 09 August 2009 18:08
lanwench (United States)
Messages: 1684
Registered: July 2009
Senior Member
This is all good, and I used to use a similar method, but now I just use
this (and folder redirection).... it is much (!!!) easier.

See How to dynamically create security-enhanced redirected folders by using
folder redirection in Windows 2000 and in Windows Server 2003
http://support.microsoft.com/kb/274443

I don't create shares for individual users as it gets out of hand quite
easily. I map drives to "\\server\home$\%username%\My Documents"
Re: User home directory - admin questions [message #159812 is a reply to message #159809] Sun, 09 August 2009 20:15
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
news:eUIJC7UGKHA.3888@TK2MSFTNGP03.phx.gbl...
>
> This is all good, and I used to use a similar method, but now I just use
> this (and folder redirection).... it is much (!!!) easier.

I definitely do use Redirection at all of my customers. Good stuff!

>
> See How to dynamically create security-enhanced redirected folders by
> using folder redirection in Windows 2000 and in Windows Server 2003
> http://support.microsoft.com/kb/274443
>
> I don't create shares for individual users as it gets out of hand quite
> easily. I map drives to "\\server\home$\%username%\My Documents"

I used to have a script to create new users when hired, however I can't find
it. Once the structure is set up, it's easy to implement. As for logon
scripts, I have a template logon script that I create a new one from for
each new user. Previous place I contracted at with 5000 users, used the
method I outlined exclusively. I've found many others do, as well.
Personally, I like it because they're specific and hidden.

I guess it's a personal choice... :-)

Ace
Re: User home directory - admin questions [message #159879 is a reply to message #159809] Tue, 11 August 2009 06:32
pbbergs (United States)
Messages: 1024
Registered: July 2009
Senior Member
We have ours scripted similar to yours, Ace, and then we anchor the My Documents
to a subfolder within the user's home folder. Lanwench's is probably the
way to go if you are starting from scratch, but we have a long legacy so we
wouldn't want to modify it at this stage.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

Re: User home directory - admin questions [message #159889 is a reply to message #159879] Tue, 11 August 2009 12:35
totalnet32 (United States)
Messages: 8
Registered: August 2009
Junior Member
Thank you all.

This all will help. BUT does anyone have a way to find out how many
users don't have a user directory set up? Right now they are created
manually (if at all).
I need to calculate further space.
Re: User home directory - admin questions [message #159900 is a reply to message #159889] Tue, 11 August 2009 18:32
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"totalnet32" <totalnet32@hotmail.com> wrote in message
news:39eb9cef-0a39-47f3-ab5e-8ef30ca41846@c1g2000yqi.googlegroups.com...
> Thank you all.
>
> This all will help. BUT does anyone have a way to find out how many
> users don't have a user directory set up? Right now they are created
> manually (if at all).
> I need to calculate further space.

Manually by checking each account one by one. Have you tried the Find
function in AD? Right click the domain name in ADUC, choose Find, Advanced,
User, Home Folder, Condition = "Not Present", click Add, then click Find.

Otherwise, a script querying for the home folder attribute if populated,
will need to be used.

I found the following VBS script that may help (I have not tried it yet, nor
downloaded it. It's a direct link to the script):

AD Report 1.02 Script - Cis131
This script assumes that the home folder in the 'account will end with
the .... If no folder exists "No Folder" will 'be written to the report...
http://www.cis131.com/scripts/Active%20Directory/AD%20Report%201.02.vbs

You can then use ADModify to populate the fields for the users the script
finds without a home folder.

Introduction to ADModify.net
ADModify is written using Microsoft Visual C#® .NET 2003. Version 2.0 is
improved to make the same modifications in less than half the time of the
previous ...
http://technet.microsoft.com/en-us/library/aa996216(EXCHG.65).aspx

Ace
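
One way to script the home folder query mentioned above, added here as an example and not taken from the thread or from the linked VBS script. It assumes the ActiveDirectory PowerShell module and an account that can reach the home shares; the function name Get-HomeFolderGap and the per-user quota figure are placeholders for the space estimate.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Reports enabled users whose home folder attribute is empty,
# and users whose attribute points at a folder that does not exist.
function Get-HomeFolderGap {
    param(
        [string]$SearchBase,   # optional OU distinguished name to limit the search
        [int]$QuotaGB = 2      # assumed per-user quota, not a figure from the thread
    )

    $query = @{
        # Enabled user accounts only (bit 2 of userAccountControl = disabled)
        LDAPFilter = '(&(objectCategory=person)(objectClass=user)' +
                     '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
        Properties = 'homeDirectory', 'homeDrive'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    $rows = foreach ($u in Get-ADUser @query) {
        $state =
            if (-not $u.homeDirectory) {
                'NotSet'               # same result as the ADUC "Not Present" search
            }
            elseif (-not (Test-Path -LiteralPath $u.homeDirectory -ErrorAction SilentlyContinue)) {
                'SetButMissing'        # attribute filled in, folder or share absent
            }
            else {
                'OK'
            }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            HomeDrive      = $u.homeDrive
            HomeDirectory  = $u.homeDirectory
            State          = $state
        }
    }

    $needFolder = @($rows | Where-Object { $_.State -ne 'OK' })
    [pscustomobject]@{
        TotalEnabledUsers = @($rows).Count
        NotSet            = @($rows | Where-Object { $_.State -eq 'NotSet' }).Count
        SetButMissing     = @($rows | Where-Object { $_.State -eq 'SetButMissing' }).Count
        # Worst-case extra space if every missing folder fills its quota
        EstimatedExtraGB  = $needFolder.Count * $QuotaGB
        Details           = $needFolder
    }
}

# Usage:
#   $report = Get-HomeFolderGap -QuotaGB 2
#   $report.Details | Export-Csv .\users-without-home.csv -NoTypeInformation
```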