Optimal NTFS Permissions Configuration for Home Directories Share in Windows Server 2008 R2 Active Directory Environment


When automating home directory creation through AD Profile settings in Windows Server 2008 R2, the parent folder permissions at \\server\home require careful configuration to balance security and functionality. The automatic permission inheritance must work correctly while preventing unauthorized access.

For the root \\server\home folder, apply these NTFS permissions:

ICACLS "C:\home" /inheritance:r /grant "Domain Admins:(OI)(CI)F" /grant "SYSTEM:(OI)(CI)F" /grant "CREATOR OWNER:(OI)(CI)(IO)F"

This configuration:

  • Removes inherited permissions (/inheritance:r)
  • Grants full control to Domain Admins and SYSTEM
  • Sets CREATOR OWNER with special inheritance flags

Your approach using "Everyone: Full Control" at share level while controlling access via NTFS is absolutely correct. This is Microsoft's recommended practice because:

  • NTFS permissions offer more granular control
  • Permission conflicts are resolved using the most restrictive set
  • Easier to audit and manage through security descriptors

Here's how to properly set the Home Folder in ADUC:

# PowerShell alternative for bulk configuration
Import-Module ActiveDirectory

Get-ADUser -Filter * | ForEach-Object {
    $homeDir = "\\server\home\$($_.SamAccountName)"
    Set-ADUser -Identity $_ -HomeDirectory $homeDir -HomeDrive "H:"

    # Create the folder if it does not exist yet
    if (!(Test-Path -Path $homeDir)) {
        New-Item -Path $homeDir -ItemType Directory | Out-Null

        # The folder is created under the admin's account, so CREATOR OWNER
        # resolves to the admin, not the user: grant the user explicitly
        # (the *SID form avoids any name-resolution ambiguity in icacls)
        icacls $homeDir /grant "*$($_.SID.Value):(OI)(CI)M" | Out-Null
    }
}

If users can't access their home directories:

  1. Check Effective Permissions using:
     icacls "\\server\home\username" /verify /t
  2. Confirm the CREATOR OWNER permission propagates:
     icacls "\\server\home\username"

Always:

  • Run regular permission audits with:
    accesschk.exe -w -d -q -s "C:\home"
  • Monitor for permission changes using SACL auditing
  • Consider disabling inheritance on subfolders if needed
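The answer above recommends monitoring permission changes with SACL auditing but does not show how. The following script is an added example, not part of that answer: it enables the "File System" audit subcategory, puts an audit entry on the home root for permission and ownership changes (inherited by everything below it), and then reads back the matching Security log events (4670, permissions on an object were changed; 4907, auditing settings on an object were changed). The local path C:\home behind \\server\home and the 24-hour lookback are assumptions; run it elevated on the file server.

```powershell
# Added example (not from the original answer). Assumes C:\home is the local
# path behind \\server\home. Needs an elevated session (SeSecurityPrivilege).
param(
    [string]$HomeRoot = "C:\home",   # assumed local path of the share
    [int]$LookbackHours = 24
)

function Enable-HomeRootPermissionAudit {
    param([string]$Path)

    # Without the audit policy subcategory, SACL entries never produce events.
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # -Audit is required to read (and later write back) the SACL.
    $acl = Get-Acl -Path $Path -Audit

    # Record every attempt, successful or not, by anyone, to change permissions
    # or take ownership of the root or anything created beneath it.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        "Everyone",
        "ChangePermissions,TakeOwnership",
        "ContainerInherit,ObjectInherit",
        "None",
        "Success,Failure")
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-HomeRootPermissionChanges {
    param([string]$Path, [int]$Hours)

    $filter = @{
        LogName   = 'Security'
        Id        = 4670, 4907
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData name/value pairs out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }

        # Only events for objects under the home root (ObjectName is the local path).
        if ($d.ObjectName -like "$Path*") {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Process = $d.ProcessName
                OldSd   = $d.OldSd   # security descriptor (SDDL) before the change
                NewSd   = $d.NewSd   # security descriptor (SDDL) after the change
            }
        }
    }
}

Enable-HomeRootPermissionAudit -Path $HomeRoot
Get-HomeRootPermissionChanges -Path $HomeRoot -Hours $LookbackHours |
    Select-Object Time, EventId, Subject, Object, Process | Format-Table -AutoSize
```

The OldSd/NewSd fields are what make 4670 useful for an investigation: diffing the two SDDL strings shows exactly which ACE was added or removed, and by which account and process.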

When automating home directory creation through Active Directory's Profile tab, the parent folder (\\server\home) requires careful permission structuring. The key principle is to grant just enough access for the automatic creation process while maintaining security.

The parent folder should have these NTFS permissions:

CREATOR OWNER - Full Control (Subfolders and files only)
SYSTEM - Full Control (This folder, subfolders and files)
Domain Admins - Full Control (This folder, subfolders and files)
Authenticated Users - List folder/read data, Create folders/append data (This folder only)

Your approach to share permissions is correct. In modern Windows environments:

  • Set share permissions to "Everyone: Full Control" (as you mentioned)
  • Rely entirely on NTFS permissions for actual access control
  • This avoids permission conflicts and simplifies management

When AD creates home directories, it needs these specific permissions at the root level:

# PowerShell to verify permissions
Get-Acl \\server\home | Format-List

The Authenticated Users permission with "Create folders/append data" is crucial - this allows users to create their initial home directory while preventing them from modifying others' folders.

If home directories aren't being created automatically, check:

# Check effective permissions for a test user
(Get-ADUser TestUser -Properties homedirectory).homedirectory
Test-Path \\server\home\TestUser
Get-Acl \\server\home\TestUser | Format-List

Common problems include:

  • Insufficient permissions at the root level
  • Group Policy conflicts overriding the AD profile settings
  • DFS namespace complications if using DFS

For environments needing stricter controls, consider this PowerShell script to set permissions:

$HomeRoot = "\\server\home"
$acl = Get-Acl $HomeRoot

# Remove inherited permissions (second argument $false drops the inherited
# entries instead of copying them onto the folder)
$acl.SetAccessRuleProtection($true, $false)

# Add new permissions

# CREATOR OWNER: Full Control on subfolders and files only. InheritOnly keeps the
# entry off the root itself, so a user who creates a home folder gets Full Control
# of that folder and nothing more.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("CREATOR OWNER", "FullControl", "ContainerInherit,ObjectInherit", "InheritOnly", "Allow")
$acl.AddAccessRule($rule)

# SYSTEM and Domain Admins: Full Control on this folder, subfolders and files
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Domain Admins", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)

# Authenticated Users: list folder and create folders on this folder only (no
# inheritance), enough to create the initial home folder but not to read or
# modify anyone else's
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Authenticated Users", "ListDirectory,ReadData,CreateDirectories", "None", "None", "Allow")
$acl.AddAccessRule($rule)

Set-Acl $HomeRoot $acl
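Setting the root ACL once is half the job; the other half is checking that it still matches and that nothing has crept onto the per-user folders. The following script is an added example, not code from either answer. It compares the root ACL against the four-entry permission set described above (CREATOR OWNER inherit-only, SYSTEM, Domain Admins, Authenticated Users on this folder only, nothing else, inheritance disabled), then walks every user folder and reports any principal other than that user, SYSTEM, Domain Admins, Administrators and the inherited CREATOR OWNER entry. The \\server\home path is an assumption; it runs on PowerShell 2.0 and later.

```powershell
# Added example (not from the original answers). Path is an assumption.
param([string]$HomeRoot = "\\server\home")

$FSR = [System.Security.AccessControl.FileSystemRights]
# Allow ACEs written through .NET always carry Synchronize; ignore it when comparing.
$SyncMask = -bnot ([int]$FSR::Synchronize)

# Expected root ACL: identity pattern, rights, inheritance flags, propagation flags.
$ExpectedRoot = @(
    @{ Id = "CREATOR OWNER";                    Rights = $FSR::FullControl; Inh = "ContainerInherit, ObjectInherit"; Prop = "InheritOnly" },
    @{ Id = "NT AUTHORITY\SYSTEM";              Rights = $FSR::FullControl; Inh = "ContainerInherit, ObjectInherit"; Prop = "None" },
    @{ Id = "*\Domain Admins";                  Rights = $FSR::FullControl; Inh = "ContainerInherit, ObjectInherit"; Prop = "None" },
    @{ Id = "NT AUTHORITY\Authenticated Users"; Rights = ($FSR::ListDirectory -bor $FSR::CreateDirectories); Inh = "None"; Prop = "None" }
)

function Get-NormalizedRights([System.Security.AccessControl.FileSystemAccessRule]$Ace) {
    $r = [int]$Ace.FileSystemRights
    # icacls stores an inherit-only "F" as GENERIC_ALL (0x10000000); treat it as FullControl.
    if ($r -eq 0x10000000) { $r = [int]$FSR::FullControl }
    return ($r -band $SyncMask)
}

function Test-HomeRootAcl {
    param([string]$Path)
    $findings = @()
    $acl = Get-Acl -Path $Path
    if (-not $acl.AreAccessRulesProtected) {
        $findings += "Inheritance is enabled on $Path; the volume's default ACEs leak into the home root."
    }
    $seen = @{}
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        $rights = Get-NormalizedRights $ace
        $match = $ExpectedRoot | Where-Object {
            ($id -like $_.Id) -and
            ($rights -eq ([int]$_.Rights -band $SyncMask)) -and
            ($ace.InheritanceFlags.ToString() -eq $_.Inh) -and
            ($ace.PropagationFlags.ToString() -eq $_.Prop) -and
            ($ace.AccessControlType -eq "Allow")
        }
        if ($match) { $seen[$match.Id] = $true }
        else { $findings += "Unexpected ACE on root: $id $($ace.FileSystemRights) [$($ace.InheritanceFlags)/$($ace.PropagationFlags)] $($ace.AccessControlType)" }
    }
    foreach ($e in $ExpectedRoot) {
        if (-not $seen[$e.Id]) { $findings += "Missing root ACE: $($e.Id) $($e.Rights) [$($e.Inh)/$($e.Prop)]" }
    }
    return $findings
}

function Test-UserHomeFolders {
    param([string]$Root)
    # PSIsContainer filter instead of -Directory so this works on PowerShell 2.0
    Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $user = $_.Name
        $acl  = Get-Acl -Path $_.FullName
        $extra = @()
        $userHasAccess = $false
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if ($id -like "*\$user") { $userHasAccess = $true; continue }
            if ($id -eq "NT AUTHORITY\SYSTEM" -or $id -eq "CREATOR OWNER" -or
                $id -like "*\Domain Admins" -or $id -eq "BUILTIN\Administrators") { continue }
            # Anything else (Everyone, Authenticated Users, another user, the admin
            # who created the folder via ADUC) is reported for review.
            $extra += "$id ($($ace.FileSystemRights))"
        }
        New-Object PSObject -Property @{
            Folder        = $_.FullName
            Owner         = $acl.Owner
            UserHasAccess = $userHasAccess
            ExtraAccess   = ($extra -join "; ")
        }
    }
}

$rootFindings = Test-HomeRootAcl -Path $HomeRoot
if ($rootFindings) { $rootFindings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Root ACL of $HomeRoot matches the baseline." }

# Only folders that deviate: the user is missing, or someone else has an entry.
Test-UserHomeFolders -Root $HomeRoot |
    Where-Object { (-not $_.UserHasAccess) -or $_.ExtraAccess } |
    Select-Object Folder, Owner, UserHasAccess, ExtraAccess | Format-Table -AutoSize
```

A folder created through the ADUC Profile tab is owned by the admin who created it, so that admin account shows up under ExtraAccess; whether that is acceptable is a policy decision, but the script surfaces it rather than silently allowing any named account.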