Windows – Share a private folder on server for each active directory user and auto mount at login

active-directory, windows, windows-server-2008-r2, windows-server-2012

I am pretty much new to Windows servers.

What I want to achieve:

  1. Allow the users to log in using central credentials from any of the client PCs within the LAN/WLAN.
  2. They don't get access to the server's desktop even with their valid credentials. This should be just for authentication at client PCs.
  3. They should have a private folder located on the server to which they can save their personal files.
  4. This private folder should get auto-mounted (with drive letter) on the PC where they login.
    I read about the shared home folder, but I'd prefer a different folder without a system-wide importance such as the user home directory.
  5. (optional) There should be an option to keep their files on the local system instead of the server share (#2, #3 above) if they want to.

Reading around the TechNet manuals and various SO answers, I got a hint that Active Directory can be of use for my purpose. But I am unsure about which Server version I should use, and how I would set up the entire system. Do I need any additional tools to set this up?

Is it possible to achieve all of these without making any special settings on the client PCs? I mean just by setting up the server in some particular way!

This (How to "batch" create folders for Active Directory users' network drive?) appears closer to my needs, but I'm not able to fully understand it.
Apparently it needs the mount script to be run on the client PC at login, which I'd rather avoid.

Curiously, I'd like to know whether this setup is possible without using a Server OS at all. For instance, the Windows 8.1 Desktop version with a few additional Windows tools installed.

Best Answer

How many users? I ask because of the private folders, and this mainly because it might be tedious to set them up if you have a lot of users (although you might be able to script this).

  1. Set up Active Directory on a Server version of Windows (emphasis because of your question about running this whole thing on workstation OSes). By default, workstations (as in, a workstation operating system) added to the domain have "domain users" as allowed log on users and "domain admins" as administrators.
  2. By default, servers (as in, a server operating system) added to the domain have domain admins in the administrator group and don't allow desktop logins to anyone except administrators or remote desktop users.
  3. It sounds like you just want shares rather than roaming profiles. It's generally discouraged to put shares on domain controllers if you can avoid it, but products like Small Business Server do it and it happens. If you just want shares, create a folder named something like usershares with subfolders named after each user and then share each folder with the user and only the user, and name the share after the username. (For example: d:\usershares\username for a username of username, shared as \\yourserver\username.)
  4. Assign a logon script to the users with something like net use S: \\yourserver\%username% or a PowerShell equivalent.
  5. This is where it sounds like you're saying you don't want roaming profiles.

(As for "Why not?"--It's discouraged because it's preferred that you not add any kind of "attack surface" to your domain controller, and any added service is an attack surface.)

I should probably also add that best practice is to have two domain controllers in case one fails. (Virtualizing would still be putting both eggs in one basket, so I wouldn't recommend that. It would be more administration for no risk reduction.)
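Steps 3 and 4 of the answer (one folder and one share per user, locked down to that user, then a drive mapping at logon) can be scripted on the file server. The following PowerShell is an added example written for this page, not the answerer's code: it assumes a file server named FILESRV01, folders under D:\usershares as in the answer, and users read from an OU named OU=Staff,DC=example,DC=com; all three are placeholders to adjust. It requires the ActiveDirectory and SmbShare modules (Windows Server 2012 or later) and must run as an administrator on the file server.

```powershell
# Added example (not from the original answer): one private SMB share per AD user.
# Both the NTFS ACL on the folder and the share permission are restricted to that
# user, so the effective access (intersection of the two) is user-only.
# Assumed values, not from the page: D:\usershares, OU=Staff,DC=example,DC=com.
#Requires -Modules ActiveDirectory, SmbShare

$Root   = 'D:\usershares'
$OuPath = 'OU=Staff,DC=example,DC=com'      # assumed OU; adjust to your directory
$Domain = (Get-ADDomain).NetBIOSName

if (-not (Test-Path $Root)) {
    New-Item -Path $Root -ItemType Directory | Out-Null
}

# Only enabled accounts get a folder; disabled accounts keep nothing new on the server.
foreach ($user in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $OuPath) {
    $name = $user.SamAccountName
    $path = Join-Path $Root $name

    if (-not (Test-Path $path)) {
        New-Item -Path $path -ItemType Directory | Out-Null
    }

    # NTFS: stop inheriting from D:\usershares and drop the inherited rules, then
    # grant only the user (Modify), local Administrators and SYSTEM (FullControl).
    # SYSTEM is kept so backup and antivirus services can still reach the files.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $grants = @(
        @{ Id = "$Domain\$name";          Rights = 'Modify' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g.Id, $g.Rights, $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl

    # SMB: share named after the user (\\FILESRV01\<username>), share permission
    # granted to that user only. Administrators still reach the folder locally.
    if (-not (Get-SmbShare -Name $name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $name -Path $path -FullAccess "$Domain\$name" | Out-Null
    }
}
```

Re-running the script is safe: existing folders and shares are skipped, so it can be scheduled to pick up newly created accounts. For step 4, the answer's `net use S: \\yourserver\%username%` goes into a .bat file in the domain's NETLOGON share and is assigned on the user's Profile tab (or through Group Policy); the PowerShell equivalent running in the user's own session is `New-PSDrive -Name S -PSProvider FileSystem -Root "\\FILESRV01\$env:USERNAME" -Persist`. Because share and NTFS permissions are both user-specific, a user who guesses another user's share name is refused at the share and again at the folder.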