Created Home folder via GP, but user can see other user folders

    Question

  • We went from adding a home folder for all users through the AD profile tab to using Group Policy.

    Currently the GP will map the H: drive for users as \\server\user\%username%.

    The issue we are running into is that if the user decides to go to \\server\user he is able to get into any other user's folder unrestricted.

    I've attempted to lock this down, but all my efforts so far also prevent the user from getting into his H: drive.

    Is there a proper way to secure all the folders so the user only has access to his folder?

    I want to try to avoid going back to creating the user folders via AD.

    Wednesday, March 11, 2015 9:47 PM

Answers

  • > The issue we are running into is that if the user decides to go to
    > \\server\user he is able to get into any other user's folder unrestricted.
     
    Have a look at the following:
     
     

    Martin

    How about reading a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

    These permissions work for the root level share. However, when GP creates the user's home folder it does not add permission for that user specifically. This causes the user not to be able to access his H: drive at all.


    In this file server share we can use a feature called "Access based enumeration".

    https://technet.microsoft.com/en-us/library/cc784710%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


    Darshana Jayathilake

    Will not work due to the same issue as mentioned above.

    I decided we will go back to using AD to create the Home folder as it sets the folder permissions for the user correctly. This will allow me to use the proper permissions for the root share.

    Thursday, March 12, 2015 1:09 PM
  • > These permissions work for the root level share. However, when GP
    > creates the user's home folder it does not add permission for that user
    > specifically. This causes the user not to be able to access his H: drive
    > at all.
     
    There's no need to "add" the user if you use Creator-Owner permissions.
    In GPP on the common tab, make sure that "run in logged on user's
    security context" is checked.
     

    Martin

    Thursday, March 12, 2015 3:39 PM
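
One commonly used NTFS permission layout for the root folder that fits the Creator-Owner advice above, shown as an added PowerShell example that is not from any participant in the thread. The local path `D:\Shares\user` and the use of Authenticated Users as the group allowed to create folders are assumptions.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# $Root is a hypothetical local path for the folder shared as \\server\user.
$Root = 'D:\Shares\user'

# Well-known SIDs avoid dependence on localized account names.
$Administrators     = 'S-1-5-32-544'
$System             = 'S-1-5-18'
$CreatorOwner       = 'S-1-3-0'
$AuthenticatedUsers = 'S-1-5-11'

function New-AllowRule {
    param(
        [string]$Sid,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    $identity = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $ruleArgs = @($identity, $Rights, $Inherit, $Propagate, $allow)
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

$inheritAll = 'ContainerInherit, ObjectInherit'
# Enough to reach the root, list it and create one's own subfolder, nothing more.
$rootOnly   = 'ListDirectory, CreateDirectories, Traverse, ReadAttributes, ReadPermissions, Synchronize'

$rules = @(
    (New-AllowRule $Administrators 'FullControl' $inheritAll 'None'),
    (New-AllowRule $System 'FullControl' $inheritAll 'None'),
    # Subfolders and files only: whoever creates a folder gets full control of it.
    (New-AllowRule $CreatorOwner 'FullControl' $inheritAll 'InheritOnly'),
    # This folder only: nothing here is inherited by the per-user folders.
    (New-AllowRule $AuthenticatedUsers $rootOnly 'None' 'None')
)

$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # block inheritance, drop inherited entries
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRuleAll($old)            # clear existing explicit entries
}
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $Root -AclObject $acl

# Review the result before pointing the GPP item at the share.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

With this ACL a folder created in the user's own security context is owned by that user, so the CREATOR OWNER entry grants access to it and to no one else's. Other folder names under \\server\user remain visible unless access-based enumeration is also enabled on the share, but opening them is denied.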
