
Configuring user home directories in Windows Server 2003 R2

Derek Schauland walks you through the process of creating a user account in Windows Server 2003 R2 that can handle a home directory.

In versions of Windows prior to Windows Server 2003 R2, when you create a new user account, you have to create the home directory in a separate step. This leaves room for error if the folder is not configured, meaning the user will have no access to the home directory.

Windows Server 2003 R2 creates a home directory in the location you specify when creating the user account; this saves time and makes the process easier. I'll walk you through the process of creating a user account that can handle a home directory. (In the example, I will access a user account via Active Directory Users And Computers. The process is the same for new or existing accounts.)

Follow these steps to assign a home directory to a user account:

  1. On the server, open Active Directory Users And Computers.
  2. Locate the user account for which you want to add a home directory, right-click the account, and choose Properties.
  3. In the Properties dialog box, click the Profile tab.
  4. In the Home Folder section of the dialog box, specify whether the user's home directory should be a local folder on their computer (this can be useful for laptop users) or a connected network drive.
  • If you choose to connect a network drive, select the letter for the drive mapping and then enter the share path for the share that will hold the home directory. For example, you might select U: in the drop-down menu (for users) and then point to the users share on the file server by entering \\fileserver\usersshare. Click OK to save the user properties to the account.
  • If you decide to use a local folder, enter the path on the local computer where the folder will reside. You can enter the path using the actual drive letter and path (C:\documents and settings\username\my documents) or using an environment variable and path (%userprofile%\My Documents). The environment variable %userprofile% saves you typing and points each user to their folder within C:\documents and settings\. This can save a lot of time if you have many accounts to configure.

(Note: When configuring a home directory, you don't need to create the directory before assigning it to a profile; Windows Server 2003 R2 will take care of that when the user logs in. You will need to make sure each user has rights to their home directory by assigning appropriate NTFS and/or Share level permissions to the folder. If you skip this step, the user will have a folder but will not be able to store any files there.)

Configuring home directories during account configuration saves you time and makes home directories a bit more uniform.
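
The note above leaves the NTFS permissions on each home folder to the administrator. The following PowerShell script is an added example, not part of the original article: it walks the folders under the users share and reports any whose ACL grants access to accounts other than the named user and the administrative accounts, or has no entry for the user at all. The domain name EXAMPLE, the function name Get-HomeFolderFinding, and the one-folder-per-username layout are assumptions.

```powershell
# Added example: audit the NTFS ACLs on per-user home folders.
# Assumptions (not from the article): each folder under $Root is named after
# the account that owns it, and EXAMPLE is a placeholder domain name.
param(
    [string]$Root   = '\\fileserver\usersshare',
    [string]$Domain = 'EXAMPLE'
)

# Accounts expected on every home folder in addition to the owning user.
$expected = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'CREATOR OWNER',
    "$Domain\Domain Admins"
)

$changePerms = [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-HomeFolderFinding {
    param([string]$Path, [string]$Owner, [string[]]$Expected)

    $ownerSeen = $false
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value

        if ($who -eq $Owner) {
            $ownerSeen = $true
            # Full Control includes the right to rewrite the folder's ACL.
            if ([int]$ace.FileSystemRights -band $changePerms) {
                "owner can change permissions ($($ace.FileSystemRights))"
            }
        }
        elseif ($Expected -notcontains $who) {
            # Everyone, Users, Authenticated Users or another user's account.
            "unexpected access for ${who}: $($ace.FileSystemRights)"
        }
    }
    if (-not $ownerSeen) {
        "no access entry for $Owner; the user cannot store files here"
    }
}

# One output object per finding, so the result can be sorted or exported.
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder = $_
    $owner  = "$Domain\$($folder.Name)"
    Get-HomeFolderFinding -Path $folder.FullName -Owner $owner -Expected $expected |
        ForEach-Object {
            New-Object PSObject -Property @{
                Folder  = $folder.FullName
                Finding = $_
            }
        }
}
```

Whether an owner entry with the right to change permissions counts as a finding depends on local policy; drop that check if users are meant to hold Full Control.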


About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

40 comments
MusiqFan

Other than the script file that is mentioned only one person pointed to the fact that the root permissions must be set properly. If not, any user will have access to read the contents of the folders. http://support.microsoft.com/kb/555046

iansavell

Just a small addition. Windows suggests "H" for the home directory. Don't use that; use something like "P" (personal). Reason? Buy a new PC with a multi-card drive and you get by default: A, B historic floppy; C hard drive; D optical drive; E, F, G, H card drives. Use H for Home and you conflict with the memory stick slot. Yes, you can change the drive letter allocations, but why bother when you can just make the decision to use a higher mapped drive letter instead?

paul.warren

This is the sort of thing that any competent system operator should know. It's BASIC user config; the sort of thing that interns learn and sysadmins automated years ago. Why is this being published here? It's hardly a new feature of WIN2K3R2; it's been around since Active Directory was first released. One other point: you don't need to log in to the server to complete this task. You can do it from your admin station if you install the adminpack.msi. It can be found on the server install disc or downloaded from the Microsoft website. Then again, as mentioned above, you can configure it using Group Policy or even a login batch file. Let's have something that will educate the subscribers, not teach them to suck eggs.

mikifin

Linux just comes that way. Maybe you should just get a grownup operating system.

Infrastructure

While this may be a beginner/simple task, the fact remains we all have to do it one way or another. Personally, I put together a simple script for it. This way, we complete the user details as usual, populating the profile and home folder info. Then click through the errors (i.e. folder does not exist etc) it throws back when complete. I also use GPO folder redirection, to point the local 'My Documents' to the new "H:\" drive. The batch file is run from within the 'users' folder on a file server. It reads a text file that contains the user name (great for bulk folder creation).

*******************
@ECHO OFF
ECHO Creating user folders
FOR /F "tokens=*" %%a in (Users.txt) Do CALL :DoTask %%a
Goto :EOF

:DoTask
SET User=%*
md "Home_Drives\%User%"
md "Profiles\%User%"
ECHO Modifying permissions on folders
cacls "Home_Drives\%User%" /E /T /C /G BUILTIN\Administrators:F
cacls "Home_Drives\%User%" /E /T /C /G "%USERDOMAIN%\Domain Admins":F
cacls "Home_Drives\%User%" /E /T /C /G "NT AUTHORITY\SYSTEM":F
cacls "Home_Drives\%User%" /E /T /C /G "%USERDOMAIN%\%User%":C
cacls "Home_Drives\%User%" /E /T /C /R Everyone
cacls "Profiles\%User%" /E /T /C /G BUILTIN\Administrators:F
cacls "Profiles\%User%" /E /T /C /G "%USERDOMAIN%\Domain Admins":F
cacls "Profiles\%User%" /E /T /C /G "NT AUTHORITY\SYSTEM":F
cacls "Profiles\%User%" /E /T /C /G "%USERDOMAIN%\%User%":C
cacls "Profiles\%User%" /E /T /C /R Everyone
ECHO Creating folder shares for new users
D:\Users\rmtshare \\\"%User%$"="D:\Users\Home_Drives\%User%" /grant "%User%":c /grant "%USERDOMAIN%\Domain Admins":f /grant SYSTEM:f /remove everyone
pause
*******************

The pause is there simply to see the completion.

Breezeserve

Using Folder Redirection is not the answer, keeping in mind that user profiles and home directories should be separate, if users save their documents in My Documents it could become quite a mess and increase the size of their user profiles, this could increase loading time, however this is old news, but I suppose having users save their work to a home directory easily allows Admins to backup work from a centralized location, you could also create a logon script to map a specific drive so that the users don't have to do it themselves, still not a bad tip for those that don't know about it

fbarbara

Is this similar to Windows 2000 AD? I am troubleshooting why some users' home dir unmaps itself.

ewalls

Um...very little of this is correct. By default if the folder is being created on the same server, windows automatically builds the folder with the new user's permissions along with the default system/domain admin users. Not to mention the fact that it's worked like this since windows 2000 - it's always worked this way. I don't mean to sound negative or anything, but I would expect this newsletter to feature real admin tips; like rebuilding an AD schema after a restore, or cache optimization, or system tweaks for performance...not stuff you can find in a beginner's windows admin book.

JMO2009

Creating the user home directory is much easier if you provide users with a common share and then create the home folder as the article describes, with one exception: rather than just point to the \\server\share, include the %username% variable in the path (i.e. \\fileserver\usersshare\%username%). The user's home folder will be created with the appropriate NTFS permissions. Only admins, system and the named user will be provided access to the home folders.

CharlieSpencer

"You will need to make sure each user has rights to their home directory by assigning appropriate NTFS and/or Share level permissions to the folder." If I have to go to the folder anyway to check the rights, what's the advantage of having the profile create it? I've got to touch the folder either way. Sorry, I just don't get this one.

Totohydra

...if you buy one of those multi-whiz-bang printers with a gazillion card slots it is practically guaranteed that one of them will stomp on H: Those casefront USB inserts will do the same thing but in the workplace the printer is bound to show up unannounced - followed by the support call from someone wondering where "H" suddenly went to.

mike

Except for a few Linux & MS bashing incidents, the excerpts were pretty well done. Kudos to the guys who took the time to put the scripts out there and explain them. We tend to forget the newcomers who browse our writings to gain knowledge and experience and to troubleshoot their problems. We are not a conglomerate of experts so full of ourselves that we forget those whom we lead.

laman

John has been providing all these silly tips these days for some reasons. Most of the time, I simply skip all tips when I have found out the tips are from John.

chaneys

Linux is mature? Talk about immature!!! LINUS is so narcissistic he has to name the OS MOD after himself. I'm surprised the "OS" doesn't come with its own security blanket. If any of the *nix knockoffs were as popular as the GNU fanboys wanted to pretend it was it would be just as insecure as any other OS. The only reason the hackers don't mess with the freeware is that they are looking for the most bang for the buck and on an OS that isn't used much the notoriety just isn't there. But, good luck with that...

CharlieSpencer

Some of us in corporate environments don't have a choice; we have to use Windows. Responses like yours only reflect poorly on the Linux community, perpetuating its image of unhelpful elitists.

Photogenic Memory

This script is awesome and looks very time saving! My scripting skills need work (as always) but I was able to understand 95% of the batch syntax. Great stuff! Particular parts of the script such as this you'd written:

md "Home_Drives\%User%"
md "Profiles\%User%"

and this:

D:\Users\rmtshare \\\"%User%$"="D:\Users\Home_Drives\%User%" /grant "%User%":c /grant "%USERDOMAIN%\Domain Admins":f /grant SYSTEM:f /remove everyone

basically do the main work. After that, it's just a setting of permissions of the general user as you typed here:

cacls "Home_Drives\%User%" /E /T /C /G BUILTIN\Administrators:F
cacls "Home_Drives\%User%" /E /T /C /G "%USERDOMAIN%\Domain Admins":F
cacls "Home_Drives\%User%" /E /T /C /G "NT AUTHORITY\SYSTEM":F
cacls "Home_Drives\%User%" /E /T /C /G "%USERDOMAIN%\%User%":C
cacls "Home_Drives\%User%" /E /T /C /R Everyone
cacls "Profiles\%User%" /E /T /C /G BUILTIN\Administrators:F
cacls "Profiles\%User%" /E /T /C /G "%USERDOMAIN%\Domain Admins":F
cacls "Profiles\%User%" /E /T /C /G "NT AUTHORITY\SYSTEM":F
cacls "Profiles\%User%" /E /T /C /G "%USERDOMAIN%\%User%":C
cacls "Profiles\%User%" /E /T /C /R Everyone

In addition, I like how you made the script sort of verbose through echoing or pausing command execution. Nice! I do not, however, understand the environment variables you set in memory at the beginning of the script such as this:

FOR /F "tokens=*" %%a in (Users.txt) Do CALL :DoTask %%a
Goto :EOF
:DoTask
SET User=%*

What is this? Basically you set a variable and made a call to it? Is this correct? This sounds almost like a Bash function? Can you elaborate, please? Thank you.

PretzelBoy

But that's the point of redirecting the folder- to get the My Documents out of the profile. That has all the advantages you tout: keeping profile size down and allowing you to keep all your users' documents on a server where they're easily backed up. I'd note that to really keep the profile size down though, you need to redirect the Desktop folder too since users tend to dump everything on their desktops.

tfenner

Just because a tip touches on a subject that is generally considered entry level, it doesn't mean the tip is not worthy of posting. Not all subscribers are 10 year veterans with loads of experience. This site was created for ALL levels, with tips ranging from novice to expert level. If you believe this site should post more expert level content, send in your own articles. I am sure there are many who would like to read that content also. And let's not chastise the author for trying to share information (even if it is a little off). At least the general idea was put out there and those who need this type of functionality can attempt it in their environments and see what works... including your suggestions/corrections. Please note that most of the authors on this site work with little to no pay, and are not full-time employees of TechRepublic. They are hard working stiffs who are just trying to help out their fellow man... Regardless of the content (and regardless of accuracy issues) please give them the respect they deserve. And keep the tips coming Derek! :-)

ScottComingThrough

As above, with the security, that is the correct and easiest way to do it. But this "article" is beyond old. This can be done the exact same way in Server 2000. Perhaps the article title should be changed to reflect that. Just wanted to point that out.

skid_rowe_2000

When AD creates the folder it gives the user rights to the folder. No need to touch the folder at all.

blaise

Why not just configure "Folder Redirection" in the group policy? User folders are created automatically and the permissions are set also. This is nothing new to R2. We have been doing this since Server 2000. Users save everything in their "my Documents" folder which are then redirected to the server. They never even know it.

pgm554

Netware has had automatic folder creation and full permissions to user home directory since version 3.x (1989). Plus a default user login script. What a wonderful NOS. It's too bad that between M$'s underhanded business practices and Novell's inability to market, that such a great product was lost to the IT world.

Infrastructure

...I have used this for ages, before starting to play in VB. I actually found that part of the script online somewhere (sorry for omitting credits). It was the way that made sense at the time, since it was just a batch file and lacked the capabilities of VB.

Totohydra

...the fact that his article did get this discussion going! While I'm surprised he did not espouse the benefits of using the %username% variable combined with a root share it is interesting that people go about this as many different ways as these posts reflect.

CharlieSpencer

This certainly would save me time and effort. I'll take a look at it later today.

adeal

I'm looking for a way to have the user's entire profile backed up, along with their My Documents - the benefit being that they will have a copy of their .PST file if (when) their machine goes down. Is there a way to do it through Group Policy, or do I need to depend on something like Veritas?

dave.schutz

I agree! Using Group Policy is much easier, just set it and forget it. Why would you want to do it manually?

CharlieSpencer

"...just use a script and run it against all of the users." That's great if you're setting up shares for a large number of users, say for an initial installation. For a single user like a new hire, I can manually create the folder just as easily as editing the script to include the user's name.

andyhassard

I've set up automatic folder redirection using GP at several places. You need to use \\fileserver\sharename\$username$ as the syntax for creating the shares. You don't even have to do this manually, just use a script and run it against all of the users. Once this has been set up (making sure the root share has the correct permissions that allow the user to create a folder beneath it) the folder gets created automatically and then GP redirects the my docs, etc that we redirect. We have two high level shares, one called staffprofiles and one called staffredirected - works perfectly!

CharlieSpencer

'Full Control' allows a user to change the security settings on the directory. He could then grant others access to his directory, potentially allowing them to delete his files without his knowledge or to access information he may not realize they can open. He could also reset the permissions on the directory itself and then accidentally delete it. With rare exception, we do not grant users any access higher than 'Change'. Only domain administrators have 'Full Control'.

heckle

Just wondering why you would not grant a user full control of their own directory?

JohnMcGrew

In fact, just last night I was toying with this and I kept getting an error message telling me that the directory had not been created. So I had to go and manually create it and set permissions anyway. I've never understood why the NTFS permissions function was not ever fully integrated into Active Directory. I'm always having to jump all over the place to get things tuned. And since most of the systems I oversee are domains with less than a dozen or so users, it's not always worth the trouble to set everything up via group policies. Microsoft has never really eliminated the "this was all a kludge from desktop NT" feeling out of Windows Server. It's been 15 years and they've still not made this as easy as it was under Novell in their golden years.

CharlieSpencer

I created a new user account in AD by copying from an existing template. I open the new account in AD and specify a home directory of \\server\username$. I log on to a desktop as the new account and the login batch file hangs and stops the initial login process. No home directory is created. I tried again with another new account, this time specifying the home directory as \\server\D$\users\username. This time a directory was created. I notice the user has Full Control on the created directory; we don't grant users FC. Since I'd have to go back and change home dir in the account to \\server\username$, and change the FC to Modify, I'm not saving any work.

csigler

Yes, there is a template that you can add for Microsoft Office that is version specific to your Group Policies. Go to microsoft.com and install it on your domain controller. Then open your GP editor and it should be there. The template includes a disabling of the auto-archive and I think a default location. Make sure to enforce the policy or it won't do anything.

iansavell

We use roaming profiles but I'm constantly caught out by users who allow Outlook to "archive their old items". Outlook puts archive.pst in the local settings part of the profile which doesn't roam. Scrap the PC and their email archive goes with it. Archiving is good because it gets stuff out of the mailbox I have to find space for and into a file they have to find space for, but I recommend against it because of the above. Is there an easy (policy) way to force archive.pst to be created in the home folder or elsewhere in a server share?

showard2007

Sure... if I understand you correctly. It doesn't involve backing up local profiles, instead it involves using roaming profiles. Use GP folder redirection and have the profiles stored on a server. Then back up the server. That way if a node goes down, you can re-image the box without having to worry about losing data. It's foolish and really stupid to have a user's information and data like that on a node versus using a roaming profile.

blaise

The user folders are automatically created. They always have been. Did you ever even try this?

drummerb0y

... The Active Directory Folder Redirection GPO won't CREATE the folder in the share. You have to have a folder (preferably networked shared) that the user has rights to BEFORE Folder Redirection can redirect the files. Server 2003 R2 is saving us a step by creating the folder, but the REAL time saver would be to add some permissions to that folder. That way you wouldn't have to touch the folders after-the-fact or run some script with xcacls or something to fix the users' folder permissions.
