Create a user home directory using Group Policy (Server 2008)

    Question

  • I swore I had this working at one time or another-- I had changed the test gp to do something else and can't get it to work again.

    The Goal:  To use group policy on a certain set of users where the H: drive is used to map and create a home drive with a subfolder.  In this case, "\\shared resource\%username%\My Documents."

    I want John Henry to log onto the network for the first time and have the policy create a JOHN HENRY directory and MY DOCUMENTS subfolder, mapping his H: drive into \\SHARED RESOURCE\JOHN HENRY\MY DOCUMENTS

    What I've done so far is use Group Policy Preferences to map a drive to a shared network resource.  That works just great.  For testing, both sharing and NTFS permissions are wide open on this share (I'll lock it down correctly later.)

    "\\netapp02.denbury.com\vol3\" mapping works great using a preference policy.  (Vol3 is the shared resource.)

    "\\plano-dc1a.denbury.com\test\%username%\My Documents" does not. (test is the wide-open shared resource.)  The %username% and "My Documents" folders aren't created, and the application log says something along the lines of "cannot find path specified."

    I know this can be completed by going into each and every user account and setting the home folder under the profile tab, but I want this process automated:  I can't go in and modify 300+ accounts manually.  No, I'm not looking for scripts either, I'm looking for a way to use a policy to accomplish this.

    Currently, I cannot use any folder redirection policies because of some already-established mapping issues (along with a mixed laptop and workstation environment in this OU.)

    It's frustrating, since I have a policy in place that redirects Terminal Server Profiles to another shared resource, where a folder with the user account domain name is created and several subfolders auto-created as well.  I just can't seem to emulate that function in this instance.

    Any tips or pointers are welcome!
    Wednesday, March 10, 2010 12:45 AM

All replies

  • You can use the folder redirection group policy to create the users home drive.... 

    Go to User Configuration > Policies > Windows Settings > Folder Redirection > Documents then select the "Basic" option...  Then in "Target folder location" select "Redirect to the following location" and then type \\servername\sharename\%username%\my documents in the "Root Path"


    To configure the users' home drive easily... just select all the user objects in Active Directory Users and Computers and then right click properties...  click on the Profile tab and configure the users' Home Folder to \\servername\sharename\%username%\my documents
    Alan Burchill http://www.grouppolicy.biz
    • Proposed as answer by Ivan Babeshko Wednesday, March 06, 2013 12:10 AM
    Wednesday, March 10, 2010 7:41 AM
  • Thanks... except for the fact I specifically said I can NOT use any folder redirection, and I did not want to manually go into the ADUC and add that home drive to the each user account under the profiles tab.  (I appreciate you taking the time to answer!)

    I'm trying to get this as automated as possible-- I'd like my help desk people to drop a user account into the OU where this GP is applied, and have the GP handle everything else.
    Wednesday, March 10, 2010 4:48 PM
  • Ah... sorry about that...

    However....

    The steps I mention in Active Directory Users and Computers (ADUC) are for changing multiple users at once so you can process thousands of users in just a few minutes... If you also just set the users' home drive using the ADUC (and not folder redirection) then it will create all the users' folders at the same time as well.

    I know this is still a manual process however it does mean you only have to perform the task once... instead of many hundreds if not thousands of times.

    I have found the multiple-select option for configuring user accounts has saved many hours and/or scripting to make changes to a large number of user accounts.
    Alan Burchill http://www.grouppolicy.biz
    Wednesday, March 10, 2010 7:36 PM
  • Just some clarification needed as I can't see it explicitly mentioned - Have you used the Folder preference to create the folder AND the Drive Mapping preference to map the drive to that folder?
    Tuesday, April 20, 2010 5:42 PM
  • I am also looking to do this.

     

    I've tried what "slow_loris" suggested by using the create folder option; however, this happens after the drive mapping operation. It does work but fails on the user's first logon when creating the folder. When the user logs on a second time all is well, but this of course isn't ideal.

    Thursday, August 05, 2010 5:06 PM
  • Group Policy preferences are executed via the GPP Client Side Extensions, which do not always resolve Windows system variables that are not under the global security context.  It is better to use the GPP-specific variable.  When you are entering your string data into the GPP settings, you can press F3 to bring up a handy list of variables that the CSE will process, with descriptions.  In this particular case you will be looking for the logon user variable.  So, in order to get the desired result, your drive mapping location setting will look something like this:

    \\SERVER\SHARE\%LOGONUSER%

    The downside here is that, unlike Active Directory Home Folders or Group Policy folder redirection, this method will ONLY map to the share; it will not create the directory or set permissions.  So, you will need to pre-create the directories with appropriate ACLs.  PowerShell should do that pretty easily though.

    get-aduser -filter {ObjectClass -eq "user" } | foreach-object { md \\SERVER\SHARE\$($_.SamAccountName) }

    This will create directories for every user in your domain.

    So, it will be running a PS command or jiggering ACLs; you will probably end up needing to tweak things.

     

    Have fun.




    • Edited by D.L.Hannah Thursday, November 17, 2011 6:46 PM
    Tuesday, September 13, 2011 3:12 PM
  • hi,

    can you provide the syntax for creating home folders for user objects that belong to a domain group and also set the ACL permission for each user folder as well?

     

    thank you.

    Thursday, November 17, 2011 5:25 AM
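
    Added example, not part of any reply in this thread: the pre-creation step from the reply above, narrowed to the members of one group and given a per-user ACL, as the question asks. The share root, the group name, the "My Documents" subfolder and the choice of Modify for the user are assumptions; run it as an account allowed to set ACLs on the share.

```powershell
# Added example: pre-create home folders for the members of one AD group
# and give each user access to their own folder only.
# Assumptions: $Root and $Group are placeholders; the ActiveDirectory module is installed.
Import-Module ActiveDirectory

$Root  = '\\SERVER\SHARE'       # placeholder share root
$Group = 'Home Drive Users'     # placeholder group name

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Well-known SIDs keep the script independent of the OS display language.
$system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # SYSTEM
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators

function New-AllowRule($Identity, [System.Security.AccessControl.FileSystemRights]$Rights) {
    # Allow ACE applying to this folder, its subfolders and files
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $inherit, $noProp, $allow
}

Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $userDir = Join-Path $Root $_.SamAccountName
        if (Test-Path -Path $userDir) {
            # Leave established folders and their ACLs untouched
            Write-Warning "Skipping existing folder $userDir"
            return
        }
        New-Item -ItemType Directory -Path (Join-Path $userDir 'My Documents') -Force | Out-Null

        $acl = Get-Acl -Path $userDir
        $acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the share root
        $acl.AddAccessRule((New-AllowRule $system 'FullControl'))
        $acl.AddAccessRule((New-AllowRule $admins 'FullControl'))
        $acl.AddAccessRule((New-AllowRule $_.SID  'Modify'))   # only this user gets access
        Set-Acl -Path $userDir -AclObject $acl
    }
```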
  • Okay, here is your final solution.  I have tested and implemented this for a customer.

    Create a new Group Policy Object and link it to the domain.  Create a new Active Directory security group, something like "Home Drive Users". Under Group Policy security filtering, remove Authenticated Users and add your new security group.

    In the new GPO configure a new Folder under "User Configuration\Preferences\Windows Settings\Folders".  General tab should have an Action of "Create" and the Path should read \\MYSERVER\MYSHARE\%LogonUser%\My Documents.  Do not enable any additional items under Attributes.  In the Common tab, enable the "Run in logged-on user's security context" option.

    To set up exclusive access, go to the directory location of your share.  Ensure that the Everyone or Authenticated Users groups have Full Control share permission.    In the advanced NTFS security permissions, remove the inheritable permissions and clear the current ACL.  You can then add the following ACL:

    SYSTEM = Full Control

    CREATOR OWNER = Full Control

    LOCAL\Administrators = Full Control

    Authenticated Users = [MUST HAVE ONLY:] Traverse folder; Create folder; Write attributes; Write extended attributes; Read permissions; Change permissions

    This will allow your users to create the folder via the GPO, however they will not be able to browse the share, or view any folder other than their own.

    Then you can add a drive mapping preference item to your GPO, mapping the path \\MYSERVER\MYSHARE\%LogonUser%\My Documents.

     

    And there we have it.  This will automatically create a folder for the user with exclusive user access and map the drive for users who are a member of your "Home Drive Users" group.

    • Proposed as answer by Fraser Carter Wednesday, August 28, 2013 7:01 AM
    Thursday, November 17, 2011 7:26 PM
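
    Added example, not part of the reply above: one way to apply the root ACL that reply lists, with its six special permissions written as FileSystemRights names. The local path, the mapping of "LOCAL\Administrators" to BUILTIN\Administrators, and the inheritance scope of each entry (the reply does not state one) are assumptions.

```powershell
# Added example: set the share-root ACL from the list in the reply above.
# Run elevated on the file server. $RootPath is a placeholder for the local
# folder behind \\MYSERVER\MYSHARE.
$RootPath = 'D:\MYSHARE'

$children   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisFolder = [System.Security.AccessControl.InheritanceFlags]::None
$noProp     = [System.Security.AccessControl.PropagationFlags]::None
$inhOnly    = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$full       = [System.Security.AccessControl.FileSystemRights]::FullControl

# Traverse folder; Create folder; Write attributes; Write extended attributes;
# Read permissions; Change permissions
$createOnly = [System.Security.AccessControl.FileSystemRights]'Traverse, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ReadPermissions, ChangePermissions'

$rules = @(
    # identity, rights, inheritance, propagation (the scopes are assumptions)
    ,@('NT AUTHORITY\SYSTEM',              $full,       $children,   $noProp)
    ,@('BUILTIN\Administrators',           $full,       $children,   $noProp)
    ,@('CREATOR OWNER',                    $full,       $children,   $inhOnly)     # subfolders and files only
    ,@('NT AUTHORITY\Authenticated Users', $createOnly, $thisFolder, $noProp)      # this folder only
)

$acl = Get-Acl -Path $RootPath
$acl.SetAccessRuleProtection($true, $false)        # remove inheritable permissions
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.PurgeAccessRules($ace.IdentityReference)  # clear the current explicit ACL
}
foreach ($r in $rules) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $r[0], $r[1], $r[2], $r[3], $allow
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $RootPath -AclObject $acl

# Show the result so it can be compared with the list in the reply
(Get-Acl -Path $RootPath).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
```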
  • D.L. Hannah

     

    Can you tell me what happens if this GPO and Security permissions are implemented on an established share?  I've been looking to create and map a user folder for months now, however there are roughly 150 folders already within the Users root that I cannot recreate or alter in a way that requires a re-mapping.

    Friday, January 20, 2012 10:30 PM
  • Okay, here is your final solution.  I have tested and implemented this for a customer.

    Create a new Group Policy Object and link it to the domain.  Create a new Active Directory security group, something like "Home Drive Users". Under Group Policy security filtering, remove Authenticated Users and add your new security group.

    In the new GPO configure a new Folder under "User Configuration\Preferences\Windows Settings\Folders".  General tab should have an Action of "Create" and the Path should read \\MYSERVER\MYSHARE\%LogonUser%\My Documents.  Do not enable any additional items under Attributes.  In the Common tab, enable the "Run in logged-on user's security context" option.

    To set up exclusive access, go to the directory location of your share.  Ensure that the Everyone or Authenticated Users groups have Full Control share permission.    In the advanced NTFS security permissions, remove the inheritable permissions and clear the current ACL.  You can then add the following ACL:

    SYSTEM = Full Control

    CREATOR OWNER = Full Control

    LOCAL\Administrators = Full Control

    Authenticated Users = [MUST HAVE ONLY:] Traverse folder; Create folder; Write attributes; Write extended attributes; Read permissions; Change permissions

    This will allow your users to create the folder via the GPO, however they will not be able to browse the share, or view any folder other than their own.

    Then you can add a drive mapping preference item to your GPO, mapping the path \\MYSERVER\MYSHARE\%LogonUser%\My Documents.

     

    And there we have it.  This will automatically create a folder for the user with exclusive user access and map the drive for users who are a member of your "Home Drive Users" group.

    Does that mean the users can create any folder that they like in  \\MYSERVER\MYSHARE\ ? 
    • Proposed as answer by Fraser Carter Wednesday, August 28, 2013 7:00 AM
    • Unproposed as answer by Fraser Carter Wednesday, August 28, 2013 7:00 AM
    Monday, January 23, 2012 1:47 AM
  • Using the Create option would not affect current folders since they already exist.
    Jasen Webster Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Friday, February 03, 2012 3:41 PM
  • Any idea on how to get the folder to be created before the drive maps? 

    The GUID for Drive Maps comes before the GUID for Folders.  Group Policy Preferences goes alphabetically by GUID for processing order, with exception to Registry preferences.  Go figure.  I'm looking to find a way to make the Folder preferences run before the Drive Maps preferences. 


    Jasen Webster Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Friday, February 03, 2012 4:22 PM
  • On 03.02.2012 17:22, Jasen Webster wrote:
    > The GUID for Drive Maps comes before the GUID for Folders.  Group
    > Policy Preferences goes alphabetically by GUID for processing order,
    > with exception to Registry preferences.  Go figure.  I'm looking to
    > find a way to make the Folder preferences run before the Drive Maps
    > preferences.
     
    Even if you manage to create the folder before DriveMaps execute: The
    home drive in AD is connected before (!) GPOs apply. The better way is a
    script (batch or whatever) that runs against the defined home paths in
    AD and creates them if needed.
     
    "dsquery user -samid MyNewUser | dsget user -hmshare" may point you to a
    starter. Also, PowerShell AD-CMDlets may be useful.
     
    sincerely, Martin
     
     

    A little "Experience", a little GMV... If my answer was helpful, I'm glad about a rating!
    Tuesday, February 07, 2012 4:55 PM
  • Even if you manage to create the folder before DriveMaps execute: The
    home drive in AD is connected before (!) GPOs apply. The better way is a
    script (batch or whatever) that runs against the defined home paths in
    AD and creates them if needed.

    We do not define the home drive in AD for our users.  If we did, the folder would be created automatically. This feature is legacy from Windows NT days and only creates one folder, where we need two.

    We have two folders that need to be created based on the users logon name, then mapped.  If I could get the Folders group policy preference to execute before the DriveMaps, then we would be all set.  Currently, we have to logon/logoff twice and am trying to get it all to work in one shot without running any scripts.  It would be nice if Microsoft provided a processing order option for running GPPs specifically. 

    I think my only true option is to have two separate group policies and control the order by link order.  I can set my DriveMaps GPO with a lower link order than the Folders GPO.  I was trying to avoid having separate GPOs. 


    Jasen Webster Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Thursday, February 09, 2012 2:09 PM
  • On 09.02.2012 15:09, Jasen Webster wrote:
    > We do not define the home drive in AD for our users.  If we did, the
    > folder would be created automatically. This feature is legacy from
    > Windows NT days and only creates one folder, where we need two.
     
    Now I get the picture :-)
     
    > I think my only true option is to have two separate group policies and
    > control the order by link order.  I can set my DriveMaps GPO with a
    > lower link order than the Folders GPO.  I was trying to avoid having
    > separate GPOs.
     
    No, that won't help. Primary execution order is "CSE", each CSE then
    processes GPOs in order of inheritance. Seems to me the most simple
    solution would be to revert back to a logon script that creates the
    remote folders and maps the drives...
    Even better to create the folders through any means of administration
    task and not during user logon (if possible in your environment).
     
    sincerely, Martin
     

    A little "Experience", a little GMV... If my answer was helpful, I'm glad about a rating!
    Thursday, February 09, 2012 2:16 PM
  • Walt, it seems they do. Is there any way to prevent this and still create home folders through GPO?
    thank you,
    • Edited by pikul Wednesday, June 06, 2012 4:00 AM
    Wednesday, June 06, 2012 3:59 AM
  • A bit of a long shot but here goes.

    Have done the GPO changes for the Home folders, which worked a treat; however, I'm having issues with making the files available offline.

    I'm running a 2008 R2 Domain. Windows 7 users work without issue and can set the files to offline.

    Windows XP users on the other hand just keep spewing up 'Access Denied'

    User permissions are the same and there is no GPO to say that offline files are disabled. Any Ideas?

    regards AJ

    Wednesday, October 17, 2012 10:12 AM
  • not sure if this helps, but when i had to bring a new server online last week, my boss gave me two things that had to be run on the xp computers in order to make the gp work for them.  he said that without running these two files, the gp would not work on xp computers.  i'm trying to get my folder redirection working and having no luck creating the home folder for each user.  i got some new ideas to try from this thread, thought i would throw this in there.  the names of the two files are:  group policy preference client side extensions for windows xp and windows xp kb915865-v11-x86-enu, both are .exe.  you may be able to get more info to help from this, i haven't done any research at all, just ran the scripts on all my systems first.

    • Edited by sfzombie13 Sunday, November 04, 2012 3:56 PM
    Sunday, November 04, 2012 3:55 PM