
Automatic creation of user folders for home, roaming profile and redirected folders

Periodically we’re asked "what is the best way to auto-create home, roaming profile, and folder redirection folders instead of Administrators creating and configuring the NTFS permissions manually?" The techniques in this post require you to use the environment variable %USERNAME% in the user’s home folder attribute when you create the user’s account.

We will also make use of the “$” symbol at the end of the share name, which hides the share from anyone who browses the list of shares on the file server.
Alright let’s get started.
Home directory:
Home folders are created automatically when the user’s account is created and an administrator has enabled the use of home folders. You can change the home folder for a user afterwards, but we are all about making the Admin’s life easier.
Create the folder and enable sharing

As you can see, we created the share name and added a dollar sign ($) to the end.
Next, we’ll configure the share permissions. It is important to note that there is a difference in the default permissions for a share between Windows NT/Windows 2000 and Windows Server 2003. By default, Windows 2000 gives the Everyone group Full Control permissions. Windows Server 2003 gives the Everyone group Read permissions. However, we’ll change this to:
Administrators: Full Control
System: Full Control
Authenticated Users: Full Control

If you expect or want users to be able to make their home directory available while they are not connected to the network (also known as Offline Files), then you’ll want to make sure you turn on Offline file caching of the HOME$ share. You do this by:
1. Click Offline Settings on Windows 2000 or Caching on Windows Server 2003 or later, which is located on the Sharing tab.
2. Click Only the files and programs that users specify will be available offline. If you would like more information on the different options and what they mean you can click here.
3. Then click OK.
NOTE: You should consider configuring Offline Files settings even if you do not want users to work with files while they are not connected to the network—you’ll want to disable Offline Files by clicking Files or programs from the share will not be available offline.
Configuring NTFS Permissions

Now we need to configure the NTFS permissions, so we need to be on the “Security” tab of the folder we created earlier.
1. Turn off inheritance on the folder and copy the permissions. You do this by:
a. Click the Advanced button found on the Security tab.
b. Clear Allow inheritable permissions to propagate to this object check box in the Advanced Security Settings dialog box.
c. Click Copy when prompted by the Security dialog box.
2. Click OK to return to the Security tab. Ensure we have the following permissions set:
Administrators: Full Control
System: Full Control
Creator Owner: Full Control
Authenticated Users: Read & Execute, List Folder Contents, Read
3. Change permissions for Authenticated Users so they cannot access other users’ folders. You do this by:
a. Click Advanced on the Security tab.
b. Click Authenticated Users, and then click Edit.
c. On the Permissions Entry for HOME dialog box, drop down the Apply onto and select This folder only.
d. Click OK twice.
Here is a screen shot of this step:
We now have the permissions configured properly. Next, let’s create a user and specify the home folder location. This is done by going to the Profile tab of the user account in Active Directory Users and Computers. The following screen shot shows an example of a drive mapping.
Yep, the TOM folder got created without a problem:
When we look at the permissions of the TOM folder we see the following:
We see that only Administrators, System, Tom, and Creator Owner have permissions to the folder. Other users do not.
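As an added example (this is not code from the original post), here is a PowerShell function that performs the share and NTFS steps above in one go, so the result can be reproduced on every file server instead of clicked through. It assumes Windows Server 2012 or later for the SmbShare cmdlets; the function name, paths and share names are my own placeholders. It also goes a little beyond the post: the same function serves the roaming profile share (caching off) and the Folder Redirection share (Everyone instead of Authenticated Users) described later, and the optional -AllowCreateFolder switch adds the Create Folders right on the root, which a user principal needs when the user’s own session, rather than an administrator, has to create the subfolder.

```powershell
# Added example, not the original post's code. Creates a hidden share for per-user
# folders and applies the share + NTFS permissions the post describes.
# Assumptions: Windows Server 2012+ (SmbShare module); placeholder paths and names.

function New-UserFolderShare {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,        # e.g. D:\Shares\Home (placeholder)
        [Parameter(Mandatory)] [string] $ShareName,   # e.g. HOME$ (trailing $ hides the share)
        # Principal allowed to see the root: Authenticated Users for home/profile shares,
        # Everyone for a Folder Redirection share.
        [string] $UserPrincipal = 'NT AUTHORITY\Authenticated Users',
        # Manual = "Only the files and programs that users specify will be available offline";
        # None   = Offline Files disabled (what the post recommends for the profile share).
        [ValidateSet('Manual', 'None')] [string] $CachingMode = 'Manual',
        # Beyond the post: also grant Create Folders on the root (this folder only), for
        # shares where the user's own session must create its subfolder.
        [switch] $AllowCreateFolder
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # Share permissions: Administrators, SYSTEM and the user principal get Full Control.
    # Passing an explicit access list replaces the default "Everyone: Read" share entry.
    New-SmbShare -Name $ShareName -Path $Path `
        -FullAccess 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $UserPrincipal `
        -CachingMode $CachingMode | Out-Null

    # NTFS permissions: break inheritance and replace the DACL with an explicit set.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)       # disable inheritance, drop inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($ace)           # drop any pre-existing explicit ACEs
    }

    $rights = [System.Security.AccessControl.FileSystemRights]
    $full   = $rights::FullControl
    $user   = $rights::ReadAndExecute                 # Read & Execute, List Folder Contents, Read
    if ($AllowCreateFolder) { $user = $user -bor $rights::CreateDirectories }

    $both     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $none     = [System.Security.AccessControl.InheritanceFlags]::None
    $propNone = [System.Security.AccessControl.PropagationFlags]::None
    $inhOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow

    $rules = @(
        # This folder, subfolders and files
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', $full, $both, $propNone, $allow)
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    $full, $both, $propNone, $allow)
        # Subfolders and files only: whoever creates a folder owns it and gets Full Control there
        New-Object System.Security.AccessControl.FileSystemAccessRule('CREATOR OWNER',         $full, $both, $inhOnly,  $allow)
        # This folder only: users see the root but inherit nothing into other users' folders
        New-Object System.Security.AccessControl.FileSystemAccessRule($UserPrincipal,          $user, $none, $propNone, $allow)
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (placeholder paths and names):
# New-UserFolderShare -Path 'D:\Shares\Home'      -ShareName 'HOME$'
# New-UserFolderShare -Path 'D:\Shares\Profiles'  -ShareName 'PROFILES$'  -CachingMode None
# New-UserFolderShare -Path 'D:\Shares\FldrRedir' -ShareName 'FldrRedir$' -UserPrincipal 'Everyone' -AllowCreateFolder
```

One thing worth knowing if you script the user side as well: the automatic creation of the TOM folder shown above is done by the Active Directory Users and Computers snap-in when you save the Profile tab. Setting the home directory attribute from a script (for example with Set-ADUser -HomeDirectory) only writes the attribute; a provisioning script has to create the folder and add the user’s Full Control entry itself.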
Roaming Profile:
Configuring roaming profiles uses the same procedure as the home folder share, except for one difference. You should disable Offline Files and you should always hide the profile share using a dollar sign ($).
Since the setup is pretty much exactly the same (except for the share name), I’m not going to bore you with the same steps as earlier.
The main difference between the roaming profile folder and the home folder is that the roaming profile folder is not created until the user logs on and then logs off. Windows creates the profile directory and copies the profile to the share once the user has completed one successful logon and logoff.
You configure the profile location on the Profile or Terminal Services Profile tab within Active Directory Users and Computers. Type a UNC path to where Windows should create the user profile. The following screen shot gives you an example of a user account configured with a profile path.

Folder Redirection:
For the most part the share and NTFS permissions are the same as the Home folder configuration except we need to replace Authenticated Users with the Everyone group. This is required for Windows to automatically create the redirected folders. These two KB articles provide more information:
291087 Event ID 101 and Event ID 1000 Messages May Be Displayed When Folder
http://support.microsoft.com/?id=291087
274443 How to dynamically create security-enhanced redirected folders by using
http://support.microsoft.com/?id=274443
Create the folder and enable sharing

So, we need to create a folder on a file server and enable it for sharing, again I would recommend that you hide the share using the dollar sign ($) at the end of the share name.
If you expect or want users to be able to work with their redirected folders while they are not connected to the network (also known as Offline Files), then you’ll want to make sure you turn on Offline file caching of this share. You do this by:
1. Click Offline Settings on Windows 2000 or Caching on Windows Server 2003 or later, which is located on the Sharing tab.
2. Click Only the files and programs that users specify will be available offline. If you would like more information on the different options and what they mean you can click here.
3. Then click OK.
We will also need to set the following permissions for the share:
Administrators: Full Control
System: Full Control
Everyone: Full Control
Configuring NTFS Permissions

We need to configure NTFS permissions for the newly created folder. You’ll want to remove inheritance from this folder, as we did when configuring home folders.
1. Turn off inheritance on the folder and copy the permissions. You do this by:
a. Click the Advanced button found on the Security tab.
b. Clear Allow inheritable permissions to propagate to this object check box in the Advanced Security Settings dialog box.
c. Click Copy when prompted by the Security dialog box.
2. Click OK to return to the Security tab. Ensure we have the following permissions set:
Administrators: Full Control
System: Full Control
Creator Owner: Full Control
Everyone: Read & Execute, List Folder Contents, Read
3. Now we need to change the permissions a bit for “Everyone” so that they do not have any permission to other users’ folders. This is done by doing the following:
a. Click Advanced on the Security tab.
b. Click Everyone, and then click Edit.
c. On the Permissions Entry for FldrRedir dialog box, drop down Apply onto and select This folder only.
d. Click OK twice.
Here is a screen shot of this step:
4. Configuring Folder Redirection settings within Group Policy:
a. Use the Group Policy Management Console (GPMC) and edit the GPO containing the Folder Redirection settings you want modified. Configure each folder in the following list to use the Basic – Redirect everyone’s folder to the same location Folder Redirection setting. Type the UNC path listed in the table into the Root Path setting for each folder listed in the following table.

Redirected Folder     UNC Path
Application Data      \\contoso-rt-mem1\FldrRedir$
Desktop               \\contoso-rt-mem1\FldrRedir$
My Documents          \\contoso-rt-mem1\FldrRedir$
Start Menu            \\contoso-rt-mem1\FldrRedir$

Here is a screen shot of Application Data being redirected:

You can see that Windows shows you the entire path used for the Folder Redirection. So although we didn’t specify the user’s name in the Root Path, the redirection example shows the folder path as: \\contoso-rt-mem1\FldrRedir$\Clair\Application Data
b. By default, Administrators do not have permissions to users’ redirected folders. If you require the ability to go into the users’ folders, go to the “Settings” tab and uncheck "Grant the user exclusive rights to" on each folder that is redirected. This allows Administrators to enter the users’ redirected folder locations without taking ownership of the folder and files.
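Once the folders exist, the check an administrator actually wants is whether each user folder still grants access only to the principals shown in the TOM screen shot above (Administrators, System, the user, and Creator Owner) and nothing else. As an added example (not code from the original post), here is a PowerShell audit that walks the subfolders of a home, profile or redirection share and reports any Allow entry for an unexpected principal. It assumes the folder is named after the account (the %USERNAME% convention used throughout this post); the domain name, paths and the function name are placeholders of mine.

```powershell
# Added example, not the original post's code. Audits per-user folders under a share
# root and flags Allow ACEs for principals outside the expected set.
# Assumptions: folders are named after the account; placeholder domain and paths.

function Test-UserFolderAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,     # e.g. \\contoso-rt-mem1\HOME$ or D:\Shares\Home
        [Parameter(Mandatory)] [string] $Domain,   # NetBIOS domain name as it appears in ACEs, e.g. CONTOSO
        # Principals expected on every user folder in addition to the folder's own user
        [string[]] $AllowedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    )

    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $acl = Get-Acl -LiteralPath $dir.FullName

        # Assumption: folder name == sAMAccountName, so this is the one extra principal allowed
        $expectedUser = "$Domain\$($dir.Name)"
        $allowed = $AllowedPrincipals + $expectedUser

        # Any Allow ACE (inherited or explicit) whose identity is not on the list.
        # Unresolvable SIDs show up as S-1-5-... strings and are flagged too, which is
        # what you want: an orphaned ACE from a deleted account is worth a look.
        $unexpected = @(
            $acl.Access |
                Where-Object { $_.AccessControlType -eq 'Allow' } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique |
                Where-Object { $allowed -notcontains $_ }
        )

        [pscustomobject]@{
            Folder     = $dir.FullName
            Owner      = $acl.Owner
            Unexpected = $unexpected
            Ok         = ($unexpected.Count -eq 0)
        }
    }
}

# Usage (placeholder values): list only the folders that need attention.
# Test-UserFolderAcl -Root 'D:\Shares\Home' -Domain 'CONTOSO' | Where-Object { -not $_.Ok }
```

For redirected folders created with "Grant the user exclusive rights to" left on, Administrators are not on the folder at all, as noted in step b above, so pass a narrower -AllowedPrincipals list for that share rather than treating the missing Administrators entry as a finding.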
When you’re all done, you can kick back and enjoy the easy life of being an administrator. Now when you create the user and define the home path, the user’s home folder is created immediately. When Group Policy applies Folder Redirection, the redirected folders are created automatically. And the roaming profile folder is created when the user logs off after the first logon.
This last part is for the former Novell Admins out there. Yes, you could use Access Based Enumeration (ABE) on these new shares; however, if there are going to be a lot of user folders on any one of these shares you could experience degradation of performance. Enabling ABE on a share does come at a price in performance. If you are still all hyped up to enable this feature, please read the available ABE whitepaper information so that you make an informed decision.
