
Home Directories in Active Directory

Ok, Windows Admins who don't know this, listen up.
 
You know the way that you add home directories to user accounts in Active Directory? 
Yeah, you're fucking it up!
 
I have to say that I cannot stand it when admins don't read AT LEAST the bare minimum about basic Windows / Active Directory management. I cannot hold it back anymore, I feel like I'm gonna lose my mind. Every time I go to a customer site, I see where some chucklehead has added the home directory in some stupid way (see below).
 
1. Create a new directory, either naming it the same as the username or something close.
2. Share out this directory as a normal share or a hidden share.
3. Change NTFS permissions manually, or better yet, not at all.
4. Open the user account properties and put in the drive letter and UNC path to this new share.
 
Ok, so now if you do anything in your life the correct way, do this (bare minimum):
 
1. Create a single directory under whatever path you like (e.g. D:\Home or D:\Users).
2. Share this new directory, usually as a hidden share (home$ or users$).
3. Allow SYSTEM and Domain Admins Full Control and Domain Users Read Only.
4. Open user account properties and add the drive letter and the UNC path (e.g. \\server\share\%username%).
5. You can literally use the %username% variable if you wanna.
 
Step 4 is the only step you have to do once you have created the initial share. What happens when you do step 4? Good question. It will create the home directory for you in the share specified and apply proper NTFS permissions: the user account gets Full Control and the inheritance flag is removed.
If you have a template user account and you copy it, it will create the home directory and apply security properly for you as well, based on the username.
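
An added example, not from the original post: a PowerShell audit that checks every account's home folder for the state described above (the user holds Full Control, inheritance is off) and, going slightly beyond the post, flags broad groups that can write there. It assumes the ActiveDirectory RSAT module, English group names, accounts in the current domain, and read access to the home share from where it runs.

```powershell
# Added example (not from the original post): audit AD home folders.
# Assumes the ActiveDirectory (RSAT) module and read access to the home share.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).NetBIOSName
$full   = [System.Security.AccessControl.FileSystemRights]::FullControl
$write  = [System.Security.AccessControl.FileSystemRights]::Write
# Assumed (English) names of groups that should not write to a home folder.
$broad  = '(^Everyone$|\\Authenticated Users$|\\Domain Users$|^BUILTIN\\Users$)'

Get-ADUser -Filter 'HomeDirectory -like "*"' -Properties HomeDirectory |
    ForEach-Object {
        $user     = $_
        $path     = $user.HomeDirectory
        $owner    = "$domain\$($user.SamAccountName)"
        $findings = @()

        if (-not (Test-Path -LiteralPath $path)) {
            $findings += 'folder missing'
        } else {
            $acl = Get-Acl -LiteralPath $path

            # Expected: inheritance from the share root is blocked.
            if (-not $acl.AreAccessRulesProtected) {
                $findings += 'inheritance enabled'
            }
            # Expected: an Allow ACE granting the account Full Control.
            $own = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -eq $owner -and
                ($_.FileSystemRights -band $full) -eq $full
            }
            if (-not $own) { $findings += 'user lacks Full Control' }

            # Beyond the post: a broad group that can write in this folder.
            $loose = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -match $broad -and
                [int]($_.FileSystemRights -band $write) -ne 0
            }
            foreach ($ace in $loose) {
                $findings += "write access for $($ace.IdentityReference.Value)"
            }
        }
        if ($findings) {
            [pscustomobject]@{ User = $user.SamAccountName; Path = $path
                               Findings = $findings -join '; ' }
        }
    }
```

Accounts that produce no output row match the expected state; each row lists what to fix on that folder.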
 
From now on, do this or I will come after you with a shovel and a hayfork.
