Server 2012 – Home Folder Share Permissions

home-directorypermissionswindows-server-2012

I'm trying (without success) to get help with setting up User Home Folder\Directory permissions on server 2012. What I would like to know is what permission do I need so that each user can access his/her files etc but CANNOT view\access other users home folders.

I have already created folders on the server called "UserProfiles" and "UserData". When a user logs on for the first time, their home folder would be created as a subfolder in the "UserData" folder i.e. \server01\UserData$\%username%

Best Answer

Unless something drastic has changed in 2012, the following should work.

Set the share on the server (in your case UserData$) with Full Control for the Admins/Domain Admins, and Everyone as "Change and Read".

On the NTFS folder "UserData" set the permissions explicit without inheritance and only grant Domain Admins Full control, along with anyone outside of Domain Admins that needs to see all folders.

Then when you create the user in AD and set their home folder that subfolder %username% will automically be granted Full Control for that user. Since they can traverse the UserData folder to map a drive to \server01\UserData$\%username% they get access to only that folder. Mapping a drive to \server01\UserData$ will be useless for them.

That's how we've always set ours up over the years.

Now with 2012 you can easily enable ABE http://heineborn.com/tech/enable-access-based-enumeration-in-windows-server-2012/ where the users only see folders they have rights to, but this isn't even necessary if you do the above.

Related Solutions

Windows – Script to reset home directory permissons on a windows share

Assuming you're running this on Windows Server 2003 or newer you'll have both the TAKEOWN and ICACLS commands. I'm also assuming the that top level folder permission is set sanely (i.e. "Authenticated Users - List Folder Contents - This folder only", proper "Administrator" permissions if you like them being able to get into user folders, etc).

@echo off
FOR /D %%i in (*) do (
  TAKEOWN /f "%%i" /r /d y
  ICACLS "%%i" /reset /T
  ICACLS "%%i" /grant:r "DOMAIN\%%i":(OI)(CI)F
  rem Unremark this line to set the owner to the user, if you like that
  rem ICACLS "%%i" /setowner "DOMAIN\%%i" /T
)

That'll take ownership, clean up all the permissions and restore inheritance, add the user w/ Full Control rights to the directory, and then optionally give back ownership if you un-rem the last line.

My condolences for having to deal with users sharing files between each other out of home directories. That's a real pain.

Linux – How to setup linux permissions for the WWW folder

After more research it seems like another (possibly better way) to answer this would be to setup the www folder like so.

sudo usermod -a -G developer user1 (add each user to developer group)
sudo chgrp -R developer /var/www/site.com/ so that developers can work in there
sudo chmod -R 2774 /var/www/site.com/ so that only developers can create/edit files (other/world can read)
sudo chgrp -R www-data /var/www/site.com/uploads so that www-data (apache/nginx) can create uploads.

Since git runs as whatever user is calling it, then as long as the user is in the "developer" group they should be able to create folders, edit PHP files, and manage the git repository.

Note: In step (3): '2' in 2774 means to 'set Group ID' for the directory. This causes new files and sub directories created within it to inherit the group ID of the parent directory (instead of the primary group of the user) Reference: http://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories

Best Answer

Related Solutions

Windows – Script to reset home directory permissons on a windows share

Linux – How to setup linux permissions for the WWW folder

Related Topic