Need to isolate users via AD 2003

By DoubleShocker
We have a Server 2003 with AD, and installed a NAS - the NAS is on the DOMAIN, and we can not isolate users with any number of share / security permissions. The NAS is running Windows Storage Server 2003.

Basically, we have 40 employees, each needs their own directory on the NAS, and should not be able to view one another's files.

Please help!


by DoubleShocker In reply to Need to isolate users vi ...

Some further technical notes:

By default, the Iomega NAS wants to set up the folder as F:\companyname\employee as a share with 'Everyone' having 'READ' access.

I RDP into the NAS and change that share permission to 'READ/CHANGE' so that my AD can create the user folders.

I create the user folders in AD by clicking on multiple employee names (let's use Amanda, Chris, and Peter), selecting properties, and adding a homedir, mapping to drive 'N:' and setting the path to: \\nasserver\employee\%username%

This automatically creates the folders, and gives Full Control to the individual user.

Then, I change the share properties on the 'employee' to 'READ'.

Logged in as any of the three aforementioned employees, I can now browse any of the other employees' folders. This is bad.

Changing the 'employee' share to 'READ/CHANGE' - allows all three employees to read/write in all three folders.

I've tried every (well, maybe not every) conceivable combination of share and security permissions, including groups, to no avail. I can not simply isolate each user to their own home folder and offer privacy from other users.

DOMAIN\Domain Users is also under the security tab of each individual folder, inherited from the 'employee' share - with rights# 2-9 on the 'advanced' tab.

I can give more details, please help!


by JFowler In reply to Need to isolate users vi ...

Set up OUs in Server 2k3 (Organizational Units) for each department. After doing so, add the department members to each OU that they belong to. This will keep everyone else from other departments from getting into the objects that they do not need to see. Add department folders into the OU as well. The directory on the NAS should also be included in the individual's OU.


by DoubleShocker In reply to

Thank you - great suggestion - it did not work, however.


by lowlands In reply to Need to isolate users vi ...

You should be able to do the following:
Share permission on employee (assuming that's the folder you share) can be full control for "Domain Users".

File security:
Employee folder: Admins+System full control and give "Domain Users" Read+Execute on "this folder only". (Special permission)
Then each user + admins and system full control on the individual user folders.
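
The NTFS layout from the reply above, scripted with `Get-Acl`/`Set-Acl` (an added example, not posted by anyone in the thread). It assumes PowerShell is installed on the NAS, uses `DOMAIN` as a placeholder domain name and `BUILTIN\Administrators` as the "Admins" principal, and `New-Ace` and `Set-ExplicitAcl` are hypothetical helper names; the share permission is left as the reply describes.

```powershell
# Added example: run on the NAS as an administrator. Names below are assumptions.
$root   = 'F:\companyname\employee'   # folder behind the "employee" share (from the thread)
$domain = 'DOMAIN'                    # placeholder domain name
$users  = 'Amanda', 'Chris', 'Peter'  # sample accounts from the thread
$admins = 'BUILTIN\Administrators'    # assumed principal for "Admins"
$system = 'NT AUTHORITY\SYSTEM'
$inheritAll = 'ContainerInherit, ObjectInherit'   # this folder, subfolders and files

function New-Ace($who, $rights, $inherit) {
    # Allow ACE; $inherit = 'None' is the GUI's "This folder only"
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $who, $rights, $inherit, 'None', 'Allow'
}

function Set-ExplicitAcl($path, $aces) {
    $acl = Get-Acl -Path $path
    # Stop inheriting from the parent and discard the inherited ACEs
    # (this is what removes an inherited "Domain Users" entry).
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit ACEs left over from earlier attempts.
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
    Set-Acl -Path $path -AclObject $acl
}

# Parent folder: Domain Users may traverse and list it, but the ACE is not
# inherited, so it grants nothing inside the per-user folders.
Set-ExplicitAcl $root @(
    (New-Ace $admins 'FullControl' $inheritAll),
    (New-Ace $system 'FullControl' $inheritAll),
    (New-Ace "$domain\Domain Users" 'ReadAndExecute' 'None')
)

# Per-user folders: only the owner, Admins and SYSTEM.
foreach ($u in $users) {
    $dir = Join-Path $root $u
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Set-ExplicitAcl $dir @(
        (New-Ace $admins 'FullControl' $inheritAll),
        (New-Ace $system 'FullControl' $inheritAll),
        (New-Ace "$domain\$u" 'FullControl' $inheritAll)
    )
}

# Review the result: no user folder should list Domain Users or another user.
Get-ChildItem $root | ForEach-Object {
    $_.FullName
    (Get-Acl $_.FullName).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```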


by DoubleShocker In reply to

ALAS! The solution is perfect. I can't believe how close we were to getting this on our own. I just re-read my additional comments, and realized if we had just kept working on this for 4 more weeks, we may have stumbled across this solution.

Thanks for a well written, and perfectly matched answer!



by exNN In reply to Need to isolate users vi ...

I will leave Sharing permissions as Full Control to Authenticated Users instead of Everyone, and on the Security tab of the folder that hosts everybody's folder, Full Control to Domain Admins, and Domain Users just Read, then allow these security settings to be propagated to child objects. And then for each individual folder you should give, on a one-by-one basis, each individual Full Control. That should work.

Good luck


by DoubleShocker In reply to Need to isolate users vi ...

This question was closed by the author
