C:\GaulTech>

Set up automated Home folders in Active Directory

When creating a new user in Active Directory, some admins will opt to create a Home folder for each user in the company. This gives each user their own storage location on a file server for files and data that are specific to them.

Active Directory can automatically create this folder for you when applying the Home folder to the user. This automated process will require a specific set of share and security permissions to be applied to the root directory where these Home folders are to be stored. Admins may create and set the permissions on these directories manually before mapping the drive to the user in Active Directory, but having Active Directory accomplish this step for you automatically can save time and simplify the setup process.

This guide will show you the best practices in configuring the share and security permissions on the root directory so that these Home folders can be automatically created as sub-folders by Active Directory, while also maintaining a level of security so that each user will only have access to their own Home folder.

Step 1: Create the Home directory and set the share permissions

The first step in the configuration is to create the root directory where all of the user Home folders will be stored. In this example, we're going to use a folder named "Home," but it can be named however you want. This folder will contain the sub-folders for each of the users in Active Directory that are assigned a Home folder: C:\Home\User1, C:\Home\User2, etc.

Create the folder just like any other folder by right clicking in the Explorer window and selecting the "New Folder" option. Once this folder has been created, set the share permissions to reflect the following settings.

  • Administrator: Full Control
  • SYSTEM: Full Control
  • Authenticated Users: Full Control

This is accomplished by right clicking the folder and going into "Properties." On the Sharing tab, select the "Advanced Sharing" button and then check the box to "Share this folder." It's best practice to make this a hidden share so that it is hidden from view if a user browses to the server where this Home folder is stored. This is done by placing a dollar sign ($) after the entry in the Share name field. Once this is complete, click on the "Permissions" button and set the permissions for the users and groups outlined above.

Step 2: Set the security permissions on the directory for automatic creation and security

This step will involve setting the security permissions on the same Home folder that we created in step one. Please complete the following steps to add and adjust the appropriate security permissions that'll allow for Active Directory to automatically create the Home folders in this directory and secure each of these Home folders so that only the applicable user will have access to it.

  • Right click the folder created in step one and select Properties from the context menu that appears.
  • Go to the Security tab and click on the Advanced button towards the bottom.
  • Click on the button that says Disable inheritance and choose "Convert inherited permissions into explicit permissions on this object" when prompted. We'll be adjusting these permissions next.

You'll now set permissions for four objects on this folder. Some of these may already exist. If there are any permissions other than what's needed by this guide, they can be removed. Administrators, SYSTEM, and CREATOR OWNER will have their permissions set to apply to "This folder, subfolders, and files," while the final group object (Authenticated Users) will have its permissions set to apply to "This folder only." Start by setting the following security permissions on the directory:

  • Administrators: Full Control
  • SYSTEM: Full Control
  • CREATOR OWNER: Full Control
  • Authenticated Users: Read & Execute, List Folder Contents, Read

Once the above permissions are set, highlight the Authenticated Users group in the Advanced Security Settings window and click on the button that says "Edit." In the drop-down menu for the field labeled "Applies to," select the option for "This folder only" and then save the settings to the directory's security permissions.
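
Steps 1 and 2 can also be scripted on the file server. The PowerShell below is an added example, not part of the original guide. It assumes the guide's example C:\Home path and a share named Home$, English account names for the share entries, and the built-in Administrators group where Step 1 lists "Administrator."

```powershell
# Added example: Steps 1 and 2 scripted. Run elevated on the file server.
# Assumed values: C:\Home and Home$ follow the guide's example names.
$Path      = 'C:\Home'
$ShareName = 'Home$'     # trailing $ hides the share from browsing

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Step 1: share permissions (Full Control for the three entries in the guide).
# Assumption: built-in Administrators group, English account names.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -FullAccess @(
        'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM',
        'NT AUTHORITY\Authenticated Users') | Out-Null
}

# Step 2: NTFS permissions. Well-known SIDs avoid localized account names.
$all    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none   = [System.Security.AccessControl.InheritanceFlags]::None
$noProp = [System.Security.AccessControl.PropagationFlags]::None
$entries = @(
    @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl';    Inherit = $all  }  # Administrators
    @{ Sid = 'S-1-5-18';     Rights = 'FullControl';    Inherit = $all  }  # SYSTEM
    @{ Sid = 'S-1-3-0';      Rights = 'FullControl';    Inherit = $all  }  # CREATOR OWNER
    @{ Sid = 'S-1-5-11';     Rights = 'ReadAndExecute'; Inherit = $none }  # Authenticated Users, this folder only
)

$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited entries
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRuleSpecific($old)       # clear explicit entries the guide does not list
}
foreach ($e in $entries) {
    $sid  = [System.Security.Principal.SecurityIdentifier]::new($e.Sid)
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $sid, $e.Rights, $e.Inherit, $noProp, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Verify: only the four entries above should be listed, none inherited.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
```

Review the verification output before assigning Home folders: any extra entry on the root with subfolder inheritance would carry down into every user's folder.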

Step 3: Add the Home folder to the Active Directory user properties

Perform the following steps to create a Home folder for the user that'll be stored under the Home root directory that was configured in the previous steps.

  • Log into a domain controller on your network and open the Active Directory Users & Computers snap-in.
  • If you haven't already done so, create the user in Active Directory and then right click the user and select Properties from the context menu.
  • On the Profile tab, under the Home folder section, select the radio button next to the label Connect. Then select the drive letter to the right that this Home folder will be mapped to on the user's workstation.
  • Enter the shared folder path of the folder you'd like to create for this user. For example, "\\GTDC1\Home$\JohnDoe"

Remember that you don't have to create this sub-folder yourself. Active Directory will create this folder for you with the appropriate permissions for the user automatically. If these sub-folders are intended to match the Active Directory account names, you can use the username variable in place of typing out the account name for each user. For example, "\\GTDC1\Home$\%username%" will replace "%username%" with the Active Directory account name of the user that's currently being configured.