
How To Setup Home Directories on a Windows File Server

The concept of home directories is fairly universal across all organizations. Essentially, it is a networked storage location for users to store their personal files instead of using a directory on a local drive (like the non-redirected "My Documents"). Despite this being a common configuration item, there seems to be little standardization on how to configure a Windows file server to support personal home directories. Should permissions be set using NTFS or shares? Should individual shares even be used? What about the Home Folder Active Directory attribute? My recommendation is to keep things as simple as possible with a single share and simple permissions only set at the NTFS level.

Setup the Directory Structure


The first step to creating home directories on your file server is to prepare the directory structure where the files will be physically stored on your server. As with a typical file server, do not store shared directories on your system or boot volumes.

1. Create an empty directory called Home on your data volume.
2. On the Home directory, go to the Advanced mode on the Permissions tab.
3. Clear "Allow inheritable permissions from the parent to propagate to this object..."
4. Add the local Administrators group and give them Full Control to the Home folder. You could use Domain Administrators here, but I believe using the local group gives you better flexibility, as you may require a non-Domain Admin to manage your file server down the road.
5. Grant the local Users group Read and Execute permissions on the Home folder, but restrict it to "This folder only." Read and Execute permissions include: Traverse Folder, List Folder, Read Attributes, Read Extended Attributes, and Read Permissions. Setting "This folder only" prevents accidentally granting all users access to a new user's directory.

Next, individual folders for each user need to be created. I highly recommend naming the folder the same as the user's Pre-Windows 2000 logon name (aka sAMAccountName). This will simplify your logon scripts later on.

1. Create the user's directory in the Home directory.
2. Edit the NTFS permissions for the folder and note that only local Administrators have Full Control at this point.
3. Add the user to the permissions list and grant them Change access. We do not grant users Full Control of their own directory, as it could allow them to accidentally open up the folder to other people or prevent administrator access.

Setup the Share


In this model, we are not sharing individual folders for each user but instead just sharing the Home directory. There are three reasons for this: it is easier to browse for a home directory when it is not mapped (i.e. when working on a non-domain member computer), setting up new users is easier when no share has to be created, and there is no worry of share and NTFS permissions getting out of sync. With this in mind, share the home directory as Home and set the share permissions to: local Administrators - Full Control, local Users - Change.

Configure Access-Based Enumeration


Access-based enumeration is a feature that became available with Windows 2003. This option prevents users from seeing folders they do not have access to. It does not provide any additional security, but instead makes it easier to manually browse through shares to find data. On Windows 2003, you will first have to download and install the software from microsoft.com to enable access-based enumeration. Once installed, go to the properties of the Home directory and enable the feature from the Access-Based Enumeration tab. On Windows 2008, this software is included by default. To enable access-based enumeration, use the Share and Storage Management tool and select Properties on the Home share. Click Advanced and then enable the setting.
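The three steps above (Home root permissions, the single Home share with access-based enumeration, and a per-user folder with Change access) as one provisioning script. This is an added example, not a script from the original article; it assumes the data volume is D:, the server runs Windows Server 2012 or later (for the SmbShare cmdlets), and the script is run elevated on the file server with the user's sAMAccountName as input.

```powershell
# Added example (not from the original article). Assumes D: is the data volume,
# Windows Server 2012+ for New-SmbShare, and an elevated session on the file server.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # pre-Windows 2000 logon name
    [string]$Domain   = $env:USERDOMAIN,
    [string]$HomeRoot = 'D:\Home'
)

# 1. Home root: break inheritance, local Administrators Full Control (inherited by
#    subfolders via (OI)(CI)), local Users Read & Execute on "This folder only"
#    (no (OI)(CI) flags, so the entry never reaches a new user's folder).
if (-not (Test-Path -LiteralPath $HomeRoot)) {
    New-Item -ItemType Directory -Path $HomeRoot | Out-Null
    icacls $HomeRoot /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'Users:RX' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $HomeRoot" }
}

# 2. One share named Home. The share ACL is deliberately broad; NTFS does the real work.
if (-not (Get-SmbShare -Name 'Home' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Home' -Path $HomeRoot `
        -FullAccess 'Administrators' -ChangeAccess 'Users' `
        -FolderEnumerationMode AccessBased | Out-Null
}

# 3. Per-user folder named after sAMAccountName. The user gets Modify ("Change"),
#    never Full Control, so they cannot re-ACL the folder or lock administrators out.
$userDir = Join-Path $HomeRoot $SamAccountName
if (Test-Path -LiteralPath $userDir) { throw "$userDir already exists; refusing to touch its ACL" }
New-Item -ItemType Directory -Path $userDir | Out-Null
icacls $userDir /grant "${Domain}\${SamAccountName}:(OI)(CI)M" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $userDir" }

# 4. Print the resulting NTFS ACL so it can be checked before the user first logs on:
#    expect Administrators F (inherited), the user M, and no Users entry.
icacls $userDir
```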

Giving Users Access


First off, Microsoft seemingly provides a simple way to map a user's home directory for them by using the Home Folder attribute on the Profile tab in Active Directory. My recommendation is to NOT use this feature because it has some limitations. When the drive is mapped with this feature, it does not create a persistent mapping; this means that laptop users who rely on Offline Files will have a disappearing home directory. Additionally, this setting changes the USERPROFILE environment variable in Windows, which is the default working directory for command prompts and many applications. This can slow down some applications and can cause problems if a user disconnects from the network.

Instead, I highly recommend mapping a persistent connection to the home directory via logon scripts. This can be done either in VBScript or in a batch/command file. A basic batch file would look like:

net use h: /d
net use h: \\fileserver\home\%username% /persistent:yes

Interested in doing the same with VBScript? Try the following:

' Variable setup
Dim strFileServer, WshNetwork, strUserName
strFileServer = "FILESERVER"
Set WshNetwork = WScript.CreateObject("WScript.Network")
strUserName = WshNetwork.UserName

' Disconnect and reconnect H: to Home Directory
On Error Resume Next
WshNetwork.RemoveNetworkDrive "H:", true, true
WshNetwork.MapNetworkDrive "H:", "\\" & strFileServer & "\Home\" & strUserName, true

Wrapping Up

Home directories are a simple concept, yet the configuration often becomes overly complicated, which can result in insecure settings or inaccessible drives. My suggestion is to keep things simple by creating as few shares and permission changes as possible. As always, scripting the home directory creation during the user setup process will further reduce the possibility of errors. With that in mind, I would really appreciate some feedback. How are you configuring home directories for your users? Are you integrating roaming profiles or redirected folders to your home directories?

How to assign a home folder to a user


This step-by-step article describes how to use the Active Directory Users and Computers management console, the Computer Management management console, a logon script, or the command line to assign a home folder to a user. Home folders and My Documents make it easier for an administrator to back up user files and manage user accounts by collecting the user's files in one location. If you assign a home folder to a user, you can store the user's data in a central location on a server, and make backup and recovery of data easier and more reliable. If no home folder is assigned, the computer assigns the default local home folder to the user account. The home folder can use the same location as the My Documents folder. When you are using Windows 2003 Terminal Services, the user profile is the default home folder.

Assign a home folder to a domain user


Note: To specify a network path for the home folder, you must first create the network share and set permissions that permit the user access. You can do this with Shared Folders in Computer Management on the server computer.

To assign a home folder to a domain user:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, click Users.
3. In the Details pane, right-click the user account, and then click Properties.
4. In the Properties dialog box, click Profile.
5. Under the Home folder, type the folder information. To do this, follow these steps:
   a. To assign a home folder on a network server, click Connect, and then specify a drive letter.
   b. In the To box, type a path. This path can be any one of the following types:
      o Network path, for example: \\server\users\tester
      o You can substitute username for the last subfolder in the path, for example: \\server\users\username
   Note: In these examples, server is the name of the file server housing the home folders, and users is the shared folder.
6. Click OK.

Assign a home folder to a local user


To assign a home folder to a local user:

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.
2. In the console tree, click Users in Local Users and Groups.
3. Click the user account.
4. Click the Action menu, and then click Properties.
5. Click the Profile tab, click Connect, and then specify a drive letter.
6. In the To box, type a path. This path can be any of the following types:
   o Network path, for example: \\server\users\tester
   o You can substitute username for the last subfolder in the path, for example: \\server\users\username
   Here server is the name of the file server housing the home folders, and users is the shared folder.
7. Click OK.

Specify a home folder for a terminal server


In Windows Server 2003, you can specify a home folder for a terminal server. Assign each user on a terminal server a unique home folder. This makes sure that you store the program information separately for each user in the multi-user environment. Note: If you specify only the home folder for Windows Server 2003, both Windows 2003 and Terminal Services use this home folder. To specify a home folder for a terminal server, use one of the following procedures.

Domain user account


1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, expand the domain node, and then click the Users folder.
3. Double-click the user account.
4. Click the Terminal Services Profile tab.
5. If the Terminal Services home folder is on the local server, click Local path, and then type the path of the profile. Note: If you do not specify the location path in the Terminal Services Home folder pane, the default local home folder is located at the following path: system drive\Documents and Settings\username
6. If the Terminal Services home folder is on a network share, click Connect, select a drive to connect, and then type the network path.
7. Click OK.

Local user account


1. Click Start, point to Programs, point to Administrative Tools, and then click Computer Management.
2. In the console tree, click Users in Local Users and Groups.
3. Double-click the user account.
4. Click the Terminal Services Profile tab.
5. If the Terminal Services home folder is on the local server, click Local path, and then type the path of the profile. Note: If you do not specify the location path in the Terminal Services Home folder pane, the default local home folder is located at the following path: system drive\Documents and Settings\username
6. If the Terminal Services home folder is on a network share, click Connect, select a drive to connect, and then type the network path.
7. Click OK.

Assign a home folder to a user from the command line


You can use the net user command to assign a home folder to a user from the command line. For example, at the command line, type the following command, and then press ENTER:

net user tester /homedir:\\server\tester$

This command assigns the tester$ hidden shared folder on the server to the user Tester.

Assign a home folder to a user by using a logon script


You can automate user account creation and home folder assignment. You can use the net user command to create local user accounts in configuration scripts.

Create a logon script


The following example creates a user named "tester". The user is created with a comment, password expiration settings, home folder, and profile path configured:
NET USER tester /add /comment:"Example Account for User" /expires:never /homedir:\\zippy\%username%$ /profilepath:\\zippy\profile

Assign a logon script to a profile


To assign a logon script to a profile, follow these steps:

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Computer Management.
3. In the console tree, click Local Users and Groups, and then click Users.
4. Click the user account, click Action, and then click Properties.
5. Click Profile, and then type the file name of the script in the Logon script box.

Note: For local accounts, the logon script path is %Systemroot%\System32\Repl\Import\Scripts. However, this folder is not created if you perform a clean installation of Windows Server 2003. If the logon script is stored in a subfolder of the domain controller, type the following logon script path before the logon script name:

sysvol\domainname\scripts

Note: You can also use Group Policy to assign home folders. For additional information about using Group Policy to assign home folders, see the "To change the path of a user's home directory" topic in the Windows 2003 help files.
