User homes permission settings

By gmichels ·
I am hoping this is a common issue with a common response.

I have a WinServ2003 network. We have users home folders mapped to drive H. Drive H goes to:


Right now, the NTFS rights of "userhomes" propagates down and all domain users have access. If we change Domain Users permissions at "userhomes", it changes the access at the home folder for that user as well.

Changing what is there is no problem but when we create a new user, we want to be able to have the folder automatically set to allow only Domain Admins and the new user to have access. How can we set it to create the permissions we want when creating a new user rather than going in and fixing it each time?


This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -


by Jacky Howe In reply to User homes permission set ...

How to Use CACLS.EXE in a Batch File


HOW TO: Use Xcacls.exe to modify NTFS permissions


Collapse -

You may be able to do

by BizIntelligence In reply to User homes permission set ...

this via Group Policy...

Collapse -

No need for CACLS

by GreyIT In reply to User homes permission set ...

Best is to block inheritance at "userhomes", and then set it up so certain permissions (ie the traverse and create folder rights for all users) are applicable to "this folder only"; that way they will not propagate to the userfolders.

Collapse -

my setup

by GreyIT In reply to No need for CACLS

In my server home folders, the parent folder has these perms:

* domain admin and system:
- full control
this folder, subfolders and files

* creator owner:
- full control;
subfolders and files only

* group to which the users belong, can be authenticated users:
- traverse folder / execute file
- list folder / read data
- create folders / append data
- read attributes (needed for office 2007 on a 2008 server; otherwise office wont be able to open homefolder in its browser)
! this folder only

This should get you set up; traverse folder may not be needed depending on group policy (you can disable traverse checking);
you could restrict creator owner to modify only if that suits your needs better.

Related Discussions

Related Forums