Scripting for users home folder new subdirectory

    Question

  • We have an upcoming archiving project which will
    archive, stub and remove the contents of our users' home folders (U:\ drive).
    There is an option to exclude a private folder. I've been able to create a new
    folder in a user's home folder which they cannot rename or remove but they have
    full control of the contents of the new private folder which will not be
    archived.

    The private folder permissions are set as follows:
    • No inheritance
    • Domain Admin = Allow Full Control
    • %username% = Deny everything except "List folder / read data", "Create files
      / write data", "Create folders / append data" and "Delete subfolders and files"
      (This folder only)
    • %username% = Allow Full Control (Subfolders and files only)
    I need
    to be able to replicate the creation of this private folder to all of our users
    and lock down the folder so that only the Domain Admins can remove or rename the
    folder from their U:\ drive. The users need to be able to store whatever they do
    not want archived in this folder.

    I'm new to scripting and could use some
    assistance. Can anyone offer any suggestions?
    • Moved by Bill_Stewart Thursday, January 02, 2014 7:30 PM Abandoned
    Thursday, October 31, 2013 9:06 PM

All replies

  • Create a folder with all correct settings. Copy folder to target and set user as owner. Use copy and SetOwner to accomplish this.

    Look at how user folders are created by the system when a folder is copied via GP.  This is the exact same thing.


    ¯\_(ツ)_/¯

    Thursday, October 31, 2013 10:04 PM
  • Step by step instructions for setting up root folder and user folders: http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/


    ¯\_(ツ)_/¯

    Thursday, October 31, 2013 10:08 PM
  • I appreciate the reply.  However, the users cannot own the private folder in their home directory since owners have the ability to delete the folders they own.

    Monday, November 04, 2013 4:52 PM
  • I appreciate the reply.  However, the users cannot own the private folder in their home directory since owners have the ability to delete the folders they own.

    If you set the folders up correctly then that is not the case.

    We use GPO to redirect the folders.  GPO set this up correctly and can move the folders anytime you need to move folders around.  Take a look at how GPO sets the folders.  It is also in the link I posted.


    ¯\_(ツ)_/¯

    Monday, November 04, 2013 4:59 PM
  • Link to same question in File Services Area.

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/8cfb65e1-6032-4859-b30c-b69ccbca99e5/scripting-for-users-home-folder-new-subdirectory



    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. Even if you are not the author of a thread you can always help others by voting as Helpful. This can be beneficial to other community members reading the thread.


    Oscar Virot

    Monday, November 04, 2013 5:07 PM
  • All of my users have had the proper home folders for years.  I'm not trying to change that or add any additional redirection.  I need to add an additional folder as a container within their existing home folders which can be used by the users to prevent the automatic archiving which will occur on the remainder of their home folder.  The archiving solution will be looking for that specific folder by name in order to identify it as an exception to the archiving tasks.

    Monday, November 04, 2013 5:08 PM
  • All of my users have had the proper home folders for years.  I'm not trying to change that or add any additional redirection.  I need to add an additional folder as a container within their existing home folders which can be used by the users to prevent the automatic archiving which will occur on the remainder of their home folder.  The archiving solution will be looking for that specific folder by name in order to identify it as an exception to the archiving tasks.

    I don't know what the issue is.  Why can't you just create the folder and remove the users' ability to delete it?  Just use PowerShell or ICACLS to set the DACL.  Of course, how best to do this depends on having the original folder set up correctly, or propagating permissions will be hard.

    Don't you think this is really more an issue of how to manage the file system than it is a scripting issue.


    ¯\_(ツ)_/¯

    Monday, November 04, 2013 5:12 PM
  • The File Server group suggested that I post the question in this forum.

    I'm new to scripting and don't know what tools are available within the OS.  Since I have over 500 users for which we need to create this private folder, it would be very time consuming to manually create the new folders and set the permissions.  This is why we are looking for a script to do this.  I was hoping that someone here had some experience with this kind of procedure.

    I'm not familiar with ICACLS but will look into it.  Thanks for pointing me in that direction.

    Monday, November 04, 2013 6:53 PM
  • Hi,

    Sorry that was me, but my point if you create more than one thread please at least share the links.

    Well icacls is quite simple.

    icacls <enterpathtoPrivateFolderhere> /deny "Authenticated Users":(D)





    Oscar Virot

    Monday, November 04, 2013 7:07 PM
  • The File Server group suggested that I post the question in this forum.

    I'm new to scripting and don't know what tools are available within the OS.  Since I have over 500 users for which we need to create this private folder, it would be very time consuming to manually create the new folders and set the permissions.  This is why we are looking for a script to do this.  I was hoping that someone here had some experience with this kind of procedure.

    I'm not familiar with ICACLS but will look into it.  Thanks for pointing me in that direction.

    There are a number of approaches to doing this.  I would use Group Policy to create the folders and set the permissions.  This would be easiest.  YOU will need Windows Server 2008 AD or later.  GPP can do all of this I am sure.  We would use "User level targeting"

    The Domain Admin or Network Admins would be able to help you with this.

    YOU do not want to do it with a script as the script would have to be constantly run every time you create a new user.  Maintenance would be a headache.  That is why this has been added to GP. 

    This cannot be done via a user logon script.  It would not be able to set the security correctly or would run into complexity issues.


    ¯\_(ツ)_/¯

    Monday, November 04, 2013 7:14 PM
  • I checked GPP.  It can create the folder but cannot set the security.  Only the system can set security on system level files.

    If you do it with a script you will need to rerun the script for each new user.

    I would create the folder with all correct settings, then copy the empty folder to each user's profile.  If the security is set correctly it should pick up the user as the owner on a copy.  You will have to experiment to get the settings you want.  You can add the OWNER pseudo account and deny "delete" on the folder while still allowing full control on all files and folders within the new folder.


    ¯\_(ツ)_/¯

    Monday, November 04, 2013 7:28 PM
  • The icacls command worked for adding the denial for Authenticated Users.  However, the users inherited the Full Control rights on the private folder from the parent home folder when the private folder was created.

    The following seems to work okay:

    icacls \\NAS_Share\Home_Folder\Private_Folder /grant "Domain Admins":(OI)(CI)F /inheritance:r

    icacls \\NAS_Share\Home_Folder\Private_Folder /deny "Domain Users":(X,RA,REA,WA,WEA,D,WDAC,WO) /inheritance:r

    icacls \\NAS_Share\Home_Folder\Private_Folder /grant "Domain Users":(OI)(CI)(IO)F /inheritance:r

    What is the best way to apply this to all of my existing users?  Is there a script for that or is this something for a GPO?

    Monday, November 04, 2013 9:15 PM
  • I stand corrected.  By applying the explicit deny to the Domain Users, it also denies the Domain Admins from reading the folder which prevents any automated processes from copying the folder to the other users.  Using an individual account name in place of Domain Users does not restrict the account from deleting the folder even though the effective rights indicate that they are denied Delete on the folder.  I still have work to do on this.

    In either case, I still need a method of mass producing the results across all of my users once I get it ironed out.

    Monday, November 04, 2013 10:11 PM
  • I stand corrected.  By applying the explicit deny to the Domain Users, it also denies the Domain Admins from reading the folder which prevents any automated processes from copying the folder to the other users.  Using an individual account name in place of Domain Users does not restrict the account from deleting the folder even though the effective rights indicate that they are denied Delete on the folder.  I still have work to do on this.

    In either case, I still need a method of mass producing the results across all of my users once I get it ironed out.

    I said to deny the specific OWNER the delete option.  You must set the owner as the user.  The permission will say "CREATOR OWNER"

    Once this is set and you transfer ownership to the user they should have full control and no delete privilege.  You are denying everything to everyone everywhere.


    ¯\_(ツ)_/¯

    Monday, November 04, 2013 10:17 PM
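The folder design from the question (no inheritance, Domain Admins Full Control, the user limited on the folder itself and Full Control on its contents) written in PowerShell and applied across all users as the later posts ask, with a check for the failure mode reported above, where a user who still holds "Delete subfolders and files" on the parent home folder can delete the private folder no matter what its own ACL says; this is an added example, not code from the thread. It assumes the folder is named Private, that each account's AD HomeDirectory points at the U: share, that the ActiveDirectory module is installed, and that it runs elevated as a Domain Admin (needed to set the owner).

```powershell
# Added example, not from the thread. Assumptions: folder name "Private", AD HomeDirectory
# holds each user's U: path, RSAT ActiveDirectory module present, run as a Domain Admin.
Import-Module ActiveDirectory
$PrivateName = 'Private'
$Domain      = (Get-ADDomain).NetBIOSName
$Admins      = New-Object System.Security.Principal.NTAccount("$Domain\Domain Admins")

function New-Ace($Identity, $Rights, $Inherit, $Propagation) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagation, 'Allow'
}

function Set-PrivateFolder([string]$SamAccountName, [string]$HomePath) {
    if (-not (Test-Path -LiteralPath $HomePath)) { Write-Warning "No home folder: $HomePath"; return }
    $user = New-Object System.Security.Principal.NTAccount("$Domain\$SamAccountName")
    $priv = Join-Path $HomePath $PrivateName
    if (-not (Test-Path -LiteralPath $priv)) { New-Item -ItemType Directory -Path $priv | Out-Null }

    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)   # "No inheritance" from the home folder
    $acl.SetOwner($Admins)                        # the owner implicitly holds WRITE_DAC, so never the user
    # Domain Admins: Full Control on this folder, subfolders and files
    $acl.AddAccessRule((New-Ace $Admins 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    # User, this folder only: list, create and delete children, but no DELETE, WRITE_DAC or
    # WRITE_OWNER, so the user can fill the folder but not remove, rename or re-permission it
    $acl.AddAccessRule((New-Ace $user 'ReadData, WriteData, AppendData, ReadAttributes, ReadExtendedAttributes, ReadPermissions, DeleteSubdirectoriesAndFiles, Synchronize' 'None' 'None'))
    # User, subfolders and files only: Full Control (InheritOnly keeps it off the folder itself)
    $acl.AddAccessRule((New-Ace $user 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
    Set-Acl -LiteralPath $priv -AclObject $acl

    # Failure mode from the thread: the child's ACL is bypassed when the user's own ACE on the
    # parent home folder grants DeleteSubdirectoriesAndFiles (FILE_DELETE_CHILD); Full Control on
    # the parent includes it. Only the user's explicit ACEs are examined (groups are not resolved).
    $child = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    $hit = (Get-Acl -LiteralPath $HomePath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $user.Value -and
        (($_.FileSystemRights -band $child) -eq $child)
    }
    if ($hit) { Write-Warning "$SamAccountName holds FILE_DELETE_CHILD on $HomePath; $PrivateName is still deletable" }
}

# Mass apply: every enabled account that has a home directory set in AD
Get-ADUser -Filter 'Enabled -eq $true' -Properties HomeDirectory |
    Where-Object { $_.HomeDirectory } |
    ForEach-Object { Set-PrivateFolder $_.SamAccountName $_.HomeDirectory }
```

Run it again whenever new accounts are provisioned, since nothing here re-applies itself; a scheduled task or the provisioning script is the usual home for it.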