Permission settings for home folders

By cassiusaugusta ·
Since the other thread died out, (see ) and this is a separate issue than the original reason why it was created, I've started a new question.

The situation:
Students are able to UNC to the current home folder share and browse other user folders. (Same deal with teachers).

The solution:
A test-bed where I limit permissions & access to other folders

The setup:
Hard drive partitioned so that the staff & students have their own, separate space for quota management.

Sharing permissions:
Domain Administrator, Domain Admins, Domain Users, Technology : Full control
Students: Deny

NTFS Permissions:
Domain Administrator, Domain Admins, Technology, System, Creator Owner : Full Control
Domain Users: This folder only: List folder/Read Data

So here's the issue currently: I can set it up so that users cannot UNC to the share path, but when I use AD to populate the home directory mapping, it populates the Server Administrator, and then users can UNC to another users home folder.

TestTeacher can UNC to TestTeacher1 and create or delete documents after the folders have been populated in AD.

If I go in and uncheck inherit permissions from parent and remove the server admin, then it all works PERFECTLY as planned.

BUT - I cannot MANAGE this solution, since I have some odd 1500 users to deal with!

Please help out with suggestions & solutions! Thanks!

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Script it

by LarryD4 In reply to Permission settings for h ...

The process of manually going in and removing the inheritance is the only way to get the job done.

If you have experience in programming and Visual Basic Script, you can create a script to do this for you.

Collapse -


by cassiusaugusta In reply to Script it

Thanks for helping me on this. I have limited knowledge of VBscript, but have managed to cobble together a script to map network drives based on AD's group membership.

I may be able to comb the internet to see if there's something I can modify to use in our situation.

Collapse -

This may help

by LarryD4 In reply to Thanks!

Below is some code that enumerates through my users in an OU and pulls out the home directory info. Its one way to get the path for each AD user.

You'll then need to perform security level actions on each users folder that will change the permissions on the share.

Set objOU = GetObject("LDAP://ou=Users,dc=courts,dc=judiciary,dc=state,dc=nj,dc=us")

objOU.Filter = Array("user")
WScript.Echo "Users OU"

For Each objUser In objOU

WScript.Echo & "," & objUser.homeDirectory


' Search IT OU
Set objOU = GetObject("LDAP://ou=Information Technology Staff,ou=Users,dc=courts,dc=judiciary,dc=state,dc=nj,dc=us")

objOU.Filter = Array("user")

WScript.Echo "IT Staff OU"
For Each objUser In objOU
If left(objUser.homeDirectory,9) = "\\mid03fp7\" Then
WScript.Echo & "," & objUser.homeDirectory
End If


' Search Law clerk OU
Set objOU = GetObject("LDAP://ou=Law Clerks 2005-2006,ou=Users,c=courts,dc=judiciary,dc=state,dc=nj,dc=us")

objOU.Filter = Array("user")
WScript.Echo "Law Clerks"
For Each objUser In objOU

If left(objUser.homeDirectory,9) = "\\CourtServer\" Then
WScript.Echo & "," & objUser.homeDirectory
End If


Related Discussions

Related Forums