best practice folder redirection and regular folders

    Question

  • Guys,

    Am looking for a best practice for setting up folder redirection for profile and homefolder. Anyone who can direct me to the right place? Am finding a lot of blogs that are telling different stories.

    Second, is there a best practice available for sharing folders through the network with groups?

    regards,

    Friday, May 18, 2018 06:29

Answers

All replies

  • hold on, found this:

    https://blogs.technet.microsoft.com/askds/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders/

    curious if I can use that in my DFS environment

    Friday, May 18, 2018 06:35
  • Hi!

    I just wanted to share how I do things :-)

    Share Permissions

    I usually go with the default, in short (Everyone, Authenticated Users or Domain Users having Full Control or Change permissions), and then rely upon NTFS for the "real" permissions control. 

    NTFS Permissions

    I always assign permissions to security groups, rather than to specific individual users, I think this should be a best practice if it's not written somewhere. 

    Therefore, make sure you review, modify and create security groups as necessary to reflect how permissions within the file system are to be assigned (for example, IT, Sales Business, HR... etc.), and assign permissions to the appropriate group(s).

    I always create a top-level folder that will serve as a "root storage folder" for all user-created data (for example, D:\Data.)  After that I create sub-folders within this folder to segregate and organize data according to job roles and security requirements.  (If you are using Windows Server, you might consider using DFS (Distributed File System) to enable abstraction between the physical storage of the data, and the logical hierarchical view presented to end-users.
    With DFS, files can be stored on any number of different servers, but presented to users as a single cohesive namespace.)

    Assign permissions as generally as possible at the upper-level folders, and then refine the permissions more narrowly at lower-level folders. 

    Example: 
    Consider assigning Authenticated Users the List Files permission at the very topmost data folder (for example, at D:\Data), this will allow everyone to see folder and file names and also traverse the entire folder structure, but they will not be able to do modifications or open any items.

    At the lower-level folders, create and assign additional permissions to the appropriate department groups (for example, assign the Modify permission to the HR security group to the D:\Data\HR folder.)

    Try to avoid changing inheritance or permissions on lower-level folders.

    Sometimes there are of course cases in which changing lower-level permissions may be the best course of action.

    If the group that has permissions to higher-level folders shouldn't be able to access what's in a lower-level folder, that might be an indication that that data might be better located elsewhere within the folder structure.

    Kind regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Friday, May 18, 2018 07:00
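An audit for the layout described in the post above, as an added example that is not part of the original thread: it walks a data root and reports sub-folders where inheritance has been turned off, plus explicit ACEs granted directly to a user account instead of a security group. `D:\Data` is the post's sample path; the function name is hypothetical and the ADSI lookup assumes a domain-joined server.

```powershell
# Added example, not from the thread. Run elevated on the file server.
function Get-AclDeviation {
    param([string]$Root = 'D:\Data')   # sample path from the post

    # Cache trustee lookups so each account is resolved against AD only once.
    $isUser = @{}

    Get-ChildItem -LiteralPath $Root -Directory -Recurse | ForEach-Object {
        $path = $_.FullName
        $acl  = Get-Acl -LiteralPath $path

        # Finding 1: inheritance disabled on a folder below the root.
        if ($acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $path; Finding = 'InheritanceDisabled'; Trustee = $null }
        }

        # Finding 2: an explicit (non-inherited) ACE whose trustee is a user, not a group.
        foreach ($ace in $acl.Access | Where-Object { -not $_.IsInherited }) {
            $name = $ace.IdentityReference.Value
            if (-not $isUser.ContainsKey($name)) {
                $isUser[$name] = $false
                try {
                    $sid = $ace.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                    $classes = @(([adsi]"LDAP://<SID=$sid>").objectClass)
                    # Computer accounts also carry objectClass 'user'; exclude them.
                    $isUser[$name] = ($classes -contains 'user') -and
                                     ($classes -notcontains 'computer')
                } catch {
                    # Local or well-known principals (SYSTEM, CREATOR OWNER) are not in AD.
                }
            }
            if ($isUser[$name]) {
                [pscustomobject]@{ Path = $path; Finding = 'UserAce'; Trustee = $name }
            }
        }
    }
}

Get-AclDeviation -Root 'D:\Data' | Sort-Object Path | Format-Table -AutoSize
```

Department folders that carry an explicit group ACE are not reported; only disabled inheritance and per-user grants are.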
  • Hi enlil,

    Based on my knowledge, you could use DFS combined with folder redirection and roaming profiles.

    But DFS Replication can cause some potential inconsistency issues, so you may need to consider that before you deploy.

    Here is an example.

    https://social.technet.microsoft.com/forums/windowsserver/en-US/390e72dc-aedc-46fb-80c0-74fab598fc17/folder-redirection-dfs

    For now, I haven't found official documents from Microsoft that describe best practice for setting up folder redirection for profile and homefolder. You could follow the guides to design your environment.

    https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj649076(v%3dws.11)

    https://blogs.technet.microsoft.com/askds/2010/09/01/microsofts-support-statement-around-replicated-user-profile-data/

    Best Regards,

    Mary


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 18, 2018 09:08
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Mary



    Monday, May 21, 2018 07:17
    Moderator
  • Hi,
    Could the above reply be of help? If yes, you may mark it as answer; if not, feel free to give feedback.
    Best Regards,
    Mary


    Tuesday, May 22, 2018 07:52
    Moderator
  • thanks for the help and the info.
    Thursday, June 7, 2018 07:53
  • ok, noticed already something that went wrong.
    When reading this tutorial:

    https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles

    I need to do this:

    Required permissions for the file share hosting roaming user profiles

    But at the share level, I cannot choose 'applies to this folder only' or List folder / read data

    Create folders / append data

    Any help would be appreciated.

    Also,

    I cannot enable the roaming profile through a policy for all the users? I noticed I can only enable the folder redirection


    • Edited by enlil Thursday, June 7, 2018 08:47
    Thursday, June 7, 2018 08:07
  • Are you logged in as an Administrator? What options do you have?


    Blog: https://thesystemcenterblog.com

    Thursday, June 7, 2018 08:30
  • Am logged in as admin. Have the permissions|share|auditing|effective access and in the share I can choose add, select a principal, type and permissions (full control, change, read, special permissions). But I cannot choose the special permissions.
    Thursday, June 7, 2018 10:53
  • You don't have special permissions in the Share tab, the special permissions are located in the Security tab.

    By default "Everyone" has Full Control share permissions.


    Blog: https://thesystemcenterblog.com

    Thursday, June 7, 2018 21:15
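The "List folder / read data" and "Create folders / append data" entries with "This folder only" scope that the thread is looking for are NTFS rights, so they can also be set on the folder's ACL from PowerShell. This is an added example, not part of the original thread; the folder path and group name are placeholders.

```powershell
# Added example, not from the thread. Placeholders: $profileRoot and $group.
$profileRoot = 'D:\Profiles'
$group       = 'CONTOSO\Roaming Profile Users'

# GUI "List folder / read data"      -> FileSystemRights.ListDirectory
# GUI "Create folders / append data" -> FileSystemRights.CreateDirectories
$rights = [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories'

# InheritanceFlags None + PropagationFlags None is what the GUI calls "This folder only".
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList $group, $rights, 'None', 'None', 'Allow'

$acl = Get-Acl -LiteralPath $profileRoot
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $profileRoot -AclObject $acl

# Read the ACE back: both flag columns should show None and IsInherited should be False.
(Get-Acl -LiteralPath $profileRoot).Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags,
                  PropagationFlags, IsInherited
```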
  • correct, but that means the tutorial is wrong because it is telling me this:

    Required permissions for the file share hosting roaming user profiles

    Also, sharing with everyone FC, is that wise?

    Friday, June 8, 2018 08:05
  • Remember that it's the NTFS permissions which determine who has access to files and folders.

    For shares you should do the following
    1) Everyone - Read  (optional not really needed but a nice just in case)
    2) Authenticated Users - Change
    3) Local Administrators - Full Control
    4) File Structure Administrators - Full Control

    For Shares note the following:
    Always limit Authenticated Users to Change at the Share to prevent non-admin users from accidentally being given Full Control to the file structure.
    You should always configure Local Administrators Full Control at the Share so they can administrate it remotely
    You should always create and use a File Structure Administrators group and assign them full control to every share.  This allows them to remotely administer shares without being local administrators.

    For your high level directories NTFS Permissions where no files reside and only read access to folders is needed to get to the data in lower directories.
    1) Authenticated Users - Read
    2) Local Administrators - Full Control
    3) File Structure Administrators - Full Control
    4) SYSTEM - Full Control


    Blog: https://thesystemcenterblog.com

    Friday, June 8, 2018 08:24
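The share-level list from the last reply, applied and then checked for drift, as an added example that is not part of the original thread. The share name, path and the `CONTOSO\File Structure Admins` group are placeholders; "Local Administrators" is taken to mean `BUILTIN\Administrators`.

```powershell
# Added example, not from the thread. Placeholders: share name, path, CONTOSO group.
$share = 'Data'
$path  = 'D:\Data'

# Share-level baseline from the reply above (trustee -> share right).
$baseline = @{
    'Everyone'                         = 'Read'
    'NT AUTHORITY\Authenticated Users' = 'Change'
    'BUILTIN\Administrators'           = 'Full'
    'CONTOSO\File Structure Admins'    = 'Full'
}

# Create the share with exactly these entries if it does not exist yet.
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    $params = @{
        Name         = $share
        Path         = $path
        ReadAccess   = 'Everyone'
        ChangeAccess = 'NT AUTHORITY\Authenticated Users'
        FullAccess   = 'BUILTIN\Administrators', 'CONTOSO\File Structure Admins'
    }
    New-SmbShare @params | Out-Null
}

# Drift check: compare what the share grants now against the baseline.
$seen  = @{}
$drift = @(foreach ($ace in Get-SmbShareAccess -Name $share) {
    $seen[$ace.AccountName] = $true
    $want = $baseline[$ace.AccountName]
    $have = "$($ace.AccessControlType) $($ace.AccessRight)"
    if (-not $want) {
        "Unexpected trustee: $($ace.AccountName) ($have)"
    } elseif ($have -ne "Allow $want") {
        "Wrong right: $($ace.AccountName) has $have, baseline is Allow $want"
    }
})
$drift += @($baseline.Keys | Where-Object { -not $seen.ContainsKey($_) } |
            ForEach-Object { "Missing trustee: $_" })

if ($drift.Count -eq 0) { 'Share ACL matches the baseline.' } else { $drift }
```

An existing share that still carries the default "Everyone - Full Control" entry shows up as a wrong right for Everyone.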