Set owner of new users home folder to user instead of BUILTIN\Administrators when using ADUC (on Windows Server 2008 R2)
Why? Your permissions seem odd too. Assuming you haven't changed the default server behavior for "bypass traverse checking" then all you need is:
\\fileserver\homes
Domain Admins = Full
G_Admins = Full
When you create a user in ADUC and assign their home drive:
\\fileserver\homes\%username%
it should set those permissions as:
- Domain Admins = Full
- G_Admins = Full
- %username% = Full (whatever the user's login ID is)
If you want authenticated users to have read access to everyone's home folder then add them to the \\fileserver\homes folder with Read access.
But maybe there's a reason for your setup...just showing you how I would do it.
x-ray
Updated on September 18, 2022
Comments
-
x-ray over 1 year
In our AD, we create new users by copying a default user in ADUC. For the default user we specified a home folder using the %USERNAME% variable (mapped to H:): \\fileserver\homes\%USERNAME%
For new users, the home folder on the server is automatically created with BUILTIN\Administrators set as owner. But we need the user to be set as owner. How can we achieve this?
The permissions set on the parent folder (homes) are the following:
- CREATOR OWNER: Full (Subfolders and files only)
- g_admins: Full (This folder, subfolders and files)
- SYSTEM: Full (This folder, subfolders and files)
- Authenticated Users: Read, Append (This folder only)

(Owner: g_admins)
-
x-ray about 12 years
Ok, I tried setting Domain Admins = Full and g_admins = Full (only those two) for \\fileserver\homes, but the owner of new %username%-folders still is BUILTIN\Administrators. I want that to be the user so that we can use disk-quotas.
-
kralyk about 12 years
You can use subinacl to set the ownership, but it'd have to be scripted with variables if you don't want to mess with it manually. I thought disk quotas were based on file ownership not folder. As users create files in their home directory they will be the owner of those files, so disk quotas should apply.
-
x-ray about 12 years
What exactly would the permissions look like when I only want to give users "Modify"-permissions?
-
SamErde about 12 years
That depends if you are modifying the ACL (permissions) from the basic security dialog box or if you went through to the advanced security settings dialog. In the standard security tab, click Edit, then add "CREATOR OWNER" and just check the box next to Modify. If you are working in the Advanced Security Settings window, you will need to check Allow for everything EXCEPT "Full Control", "Delete subfolders and files", "Change Permissions", and "Take ownership".
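
The scripted ownership fix suggested in the comments above, as an added example that is not part of the original thread. It uses the built-in `icacls /setowner` instead of subinacl, and assumes each folder under the homes share is named after the user's logon name; `CONTOSO` is a placeholder domain name and the script has to run elevated as an administrator of the file server.

```powershell
# Added example (not from the thread). Assumptions: folder name == logon name,
# CONTOSO is a placeholder NetBIOS domain, and the shell is elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$HomesRoot = '\\fileserver\homes',
    [string]$Domain    = 'CONTOSO'
)

# PSIsContainer filter keeps this compatible with PowerShell 2.0 (Server 2008 R2).
Get-ChildItem -Path $HomesRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder  = $_.FullName
    $account = "$Domain\$($_.Name)"

    # Skip folders that do not map to an existing account (stale or shared folders),
    # so ownership is never handed to an unresolved or unintended principal.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($account)
        [void]$nt.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account '$account' for $folder, skipped"
        return
    }

    $before = (Get-Acl -Path $folder).Owner
    if ($before -eq $account) { return }   # owner is already the user

    if ($PSCmdlet.ShouldProcess($folder, "set owner to $account (was $before)")) {
        # /T also re-owns existing files and subfolders, which is what quota
        # accounting looks at; /C continues past files that cannot be changed.
        & icacls.exe $folder /setowner $account /T /C | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "icacls reported errors on $folder"
        }

        # Re-read the ACL to confirm the change actually took effect.
        $after = (Get-Acl -Path $folder).Owner
        New-Object PSObject -Property @{
            Folder = $folder; OwnerBefore = $before; OwnerAfter = $after
            Fixed  = ($after -eq $account)
        }
    }
}
```

Run it with `-WhatIf` first to list the folders whose owner would change without modifying anything.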