Windows User Home Folders

From SambaWiki
Revision as of 11:23, 3 November 2013 by Mmuehlfeld (talk | contribs) (New HowTo explaning how to setup a share for user homes with automatic ACL assignment.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


In a professional environment, you setup the permissions on the share, containing the user homes, in a way that allows the automatic creation for new accounts, without setting ACLs manually.

Preparatory work

To continue, make sure, that you have read the Setup and configure file shares HowTo and have complied the preconditions.

Adding the share

  • Add the new share to your smb.conf
        path = /srv/samba/home/
        read only = No
Don't name the share „[homes]“, as this is a special section (see the smb.conf manpage)! The „[homes] section can't handle the automatic folder creation, we'll setup below!
  • Create the root folder (owner root:root, permissions 755) for the home directories
# mkdir /srv/samba/home/
# chmod 755 /srv/samba/home/
  • Reload Samba, to take the changes effect
# smbcontrol all reload-config

Setting up the share and filesystem permissions

The following steps can be performed on any Windows client.

  • Log on to a Windows machine using an account or member of a group, the „SeDiskOperatorPrivilege“ was granted to.
  • Open the Start Menu and search for „Computer Management“.
  • In the menu bar, go to „Action“ / „Connect to another computer“.
  • Enter the name of your Samba server, you've create the new share on.
  • Navigate to „System Tools“ / „Shared Folders“ / „Shares“ and select the new added share.
File:Computer Management Shares home.png
  • Right-click to the share name and choose „Properties“ .
  • Go to the „Share Permissions“ tab.
  • Change the share permissions to:
 Authenticated Users: Full Control
 Domain Admins:       Full Control
 System:              Full Control
File:Home share permissions.png
If this fails with a „permission denied“ error, recheck, if you use and account with SeDiskOperatorPrivilege privileges!
  • Next go to the „Security“ tab.
  • Click, the „Advanced“ button and in the appearing window the „Change permissions“ button. In the next Window, uncheck the „Include inheritable permissions from the object's parent“ option. Close the windows with „OK“ until you are back in the „Security“ tab.
Include inheritable permissions from this objects parent.png
  • Click the „Edit“ button to modify the filesystem ACLs according to the following:
     Administrator:       Full Control
     Authenticated Users: Read & Execute, List Folder Contents, Read
     Creator Owner:       Full Control
     Domain Admins:       Full Control
     System:              Full Control
The „Creator Owner“ permissions are automatically limited to „Subfolder and files only“. This is correct.
FS ACLs home share.png
Close the „Edit“ window with „OK“ and return to the „Security“ tab.
  • To prevent „Authenticated Users“ to access the other users home folder, click the „Advanced“ button again and in the appearing sub-window the „Change permissions“ button. Select „Authenticated Users“ from the list, click „Edit“ and change the „Apply to“ value to „This folder only“.
File:Apply to This folder only.png
  • Close all Windows with „OK“ to save the changes.

Define the users home folder in the account settings

For this steps, you have the Microsoft RSAT (Remote Server Administration Tools) installed.

The account that is used for account creation must have the respective permissions in AD and on the home share (e. g. „Domain Administrator“).

  • Open Active Directory Users and Computer (ADUC).
  • Edit an existing user account (or create a new one first), by right-clicking and choosing „Properties“
  • Switch to the „Profile“ tab. Choose a drive letter, the home drive should be be connected to, and fill the „To“ field with the path to the users home folder. You can use the variable „%USERNAME%“ instead of the individual username. This is usefull, if you modify multiple accounts at once.
File:User properties Profiles tab home drive.png
  • Close the users properties window with „OK“ to save the modification. The users home directory is created on the fly during the save processess.

If you validate the permissions on the new created users home folder, you can see, that only the user itself, System and the Domain Admins have permissions on that folder.