Drive Mapping Problem w/ Users Home Folders...

In AD I have...
Home Folder, connect to...
U: to \\servername\Users$\username

Note the $ after Users to indicate the share is hidden.

Some random users get a U:\Users$
Instead of getting U:\Users$\UserName

No idea why this is going on.

What I inherrited here was the Sys Admin w/ sharing every single users home
folder, creating too many shares. So the Home Folder used to read...
Home Folder, connect to...
U: to \\servername\username$
So I decided to share the Users dir, instead of every single users home
folder.

Anyone have some suggestions/experience for my problem?
Your help is much appreciated.
Thanks.
Jason.

Lanwench
Mon Jul 14 08:47:12 PDT 2008

Jason Lehman WC <JasonLehmanWC@discussions.microsoft.com> wrote:
> In AD I have...
> Home Folder, connect to...
> U: to \\servername\Users$\username
>
> Note the $ after Users to indicate the share is hidden.
>
> Some random users get a U:\Users$
> Instead of getting U:\Users$\UserName
>
> No idea why this is going on.
>
> What I inherrited here was the Sys Admin w/ sharing every single
> users home folder, creating too many shares. So the Home Folder used
> to read...
> Home Folder, connect to...
> U: to \\servername\username$
> So I decided to share the Users dir, instead of every single users
> home folder.

Absolutely. You don't want to have individual shares. Youmight want to check
out http://support.microsoft.com/kb/274443 (for the permissions).
>
> Anyone have some suggestions/experience for my problem?

Yes - this is a known issue with XP, for one. You should enable "always wait
for network at computer startup and logon" in group policy. Check out
http://technet.microsoft.com/en-us/library/bb456994(TechNet.10).aspx for
more info.


> Your help is much appreciated.
> Thanks.
> Jason.

Richard
Mon Jul 14 09:30:23 PDT 2008

I recently did exactly what I think you are trying to do, and a hidden
share is not what you are after - the correct permissions, however,
are.

Locations:
F:\Test (shared as \\domain\Test)
F:\Test\Mike
F:\Test\Richard

Permissions:
\\domain\Test Share Permissions
Authenticated Users: Full Control

F:\Test NTFS Permissions
Advanced -> 'Allow Inherited' unticked, permissions removed
Local Admins: Full Control (This Folder Only)
Domain Admins: Full Control (This Folder, Subfolders and
Files)
System: Full Control (This Folder, Subfolders and Files)
Authenticated Users: Special (This Folder Only)
+ Traverse Folder/Execute File
+ List Folder/Read Data
+ Read Attributes
+ Read Extended Attributes
+ Read Permissions

F:\Test\Mike NTFS Permissions
Advanced -> 'Allow Inherited' unticked, permissions removed
Local Admins: Full Control (This Folder Only)
Domain Admins: Full Control (This Folder, Subfolders and
Files)
System: Full Control (This Folder, Subfolders and Files)
User 'Mike': Full Control (This Folder, Subfolders and Files)

The above allows users full access to their own folders, read access
to the root folder, no access to anyone elses folder, and still allows
admins to add/remove folders in the root folder.

You can then map \\domain\Test\mike to U:\ without having to hide the
share - other users cannot get access to the folders anyway.

From here:
http://groups.google.co.uk/group/microsoft.public.windows.server.general/browse_thread/thread/974df7bcc3d47c50/01449299fac9d367?hl=en

Works perfectly in my environment, seems like it would work for you.

Regards
Richard

JasonLehmanWC
Mon Jul 14 10:44:03 PDT 2008

Thanks for the reply.
I am pretty sure the permissions are all ok.

If I enable "always wait for network at computer startup and logon", what
impact will this have on our mobile users?
Will they expierence significant slower startups?
The article implys that you are in a Windows 2000 Server Environment. We
have all 2003 DC's. Not sure if that matters.

Jason


"Lanwench [MVP - Exchange]" wrote:

> Jason Lehman WC <JasonLehmanWC@discussions.microsoft.com> wrote:
> > In AD I have...
> > Home Folder, connect to...
> > U: to \\servername\Users$\username
> >
> > Note the $ after Users to indicate the share is hidden.
> >
> > Some random users get a U:\Users$
> > Instead of getting U:\Users$\UserName
> >
> > No idea why this is going on.
> >
> > What I inherrited here was the Sys Admin w/ sharing every single
> > users home folder, creating too many shares. So the Home Folder used
> > to read...
> > Home Folder, connect to...
> > U: to \\servername\username$
> > So I decided to share the Users dir, instead of every single users
> > home folder.
>
> Absolutely. You don't want to have individual shares. Youmight want to check
> out http://support.microsoft.com/kb/274443 (for the permissions).
> >
> > Anyone have some suggestions/experience for my problem?
>
> Yes - this is a known issue with XP, for one. You should enable "always wait
> for network at computer startup and logon" in group policy. Check out
> http://technet.microsoft.com/en-us/library/bb456994(TechNet.10).aspx for
> more info.
>
>
> > Your help is much appreciated.
> > Thanks.
> > Jason.
>
>
>
>

Lanwench
Mon Jul 14 10:53:40 PDT 2008

Jason Lehman WC <JasonLehmanWC@discussions.microsoft.com> wrote:
> Thanks for the reply.
> I am pretty sure the permissions are all ok.

Sure....was just giving you that article for a reference.
>
> If I enable "always wait for network at computer startup and logon",
> what impact will this have on our mobile users?
> Will they expierence significant slower startups?
> The article implys that you are in a Windows 2000 Server Environment.
> We have all 2003 DC's. Not sure if that matters.

It doesn't - and it won't hurt your users, mobile or immoble. In fact, if
you try using wireless clients without this GPO setting, you will have a ton
of problems. Just apply the policy to all workstations.
>
> Jason
>
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> Jason Lehman WC <JasonLehmanWC@discussions.microsoft.com> wrote:
>>> In AD I have...
>>> Home Folder, connect to...
>>> U: to \\servername\Users$\username
>>>
>>> Note the $ after Users to indicate the share is hidden.
>>>
>>> Some random users get a U:\Users$
>>> Instead of getting U:\Users$\UserName
>>>
>>> No idea why this is going on.
>>>
>>> What I inherrited here was the Sys Admin w/ sharing every single
>>> users home folder, creating too many shares. So the Home Folder used
>>> to read...
>>> Home Folder, connect to...
>>> U: to \\servername\username$
>>> So I decided to share the Users dir, instead of every single users
>>> home folder.
>>
>> Absolutely. You don't want to have individual shares. Youmight want
>> to check out http://support.microsoft.com/kb/274443 (for the
>> permissions).
>>>
>>> Anyone have some suggestions/experience for my problem?
>>
>> Yes - this is a known issue with XP, for one. You should enable
>> "always wait for network at computer startup and logon" in group
>> policy. Check out
>> http://technet.microsoft.com/en-us/library/bb456994(TechNet.10).aspx
>> for more info.
>>
>>
>>> Your help is much appreciated.
>>> Thanks.
>>> Jason.

JasonLehmanWC
Mon Jul 14 11:38:01 PDT 2008

Thanks for replying Richard.
I am not too worried about my file securiy, though I will check what I
currently have against what you suggested.
Breifly, the users currently have full access to the root & full access to
their own folder. They have no access to anybody else's folders.
The admins have full access to everything.

I'm not even sure why the shares are hidden w/ the $. Sounded like another
way to secure things.
Again, this is a inheritted network that is now mine.
Maybe I could try just removing the $, so the shares are NOT hidden.
Don't know if that will change anything or not.
I agree, if the security is setup properly; there probably is no reason to
hide the shares.

It is just a lot of work to go around re-shareing everything.
Thank you again for your reply


"Richard Price" wrote:

> I recently did exactly what I think you are trying to do, and a hidden
> share is not what you are after - the correct permissions, however,
> are.
>
> Locations:
> F:\Test (shared as \\domain\Test)
> F:\Test\Mike
> F:\Test\Richard
>
> Permissions:
> \\domain\Test Share Permissions
> Authenticated Users: Full Control
>
> F:\Test NTFS Permissions
> Advanced -> 'Allow Inherited' unticked, permissions removed
> Local Admins: Full Control (This Folder Only)
> Domain Admins: Full Control (This Folder, Subfolders and
> Files)
> System: Full Control (This Folder, Subfolders and Files)
> Authenticated Users: Special (This Folder Only)
> + Traverse Folder/Execute File
> + List Folder/Read Data
> + Read Attributes
> + Read Extended Attributes
> + Read Permissions
>
> F:\Test\Mike NTFS Permissions
> Advanced -> 'Allow Inherited' unticked, permissions removed
> Local Admins: Full Control (This Folder Only)
> Domain Admins: Full Control (This Folder, Subfolders and
> Files)
> System: Full Control (This Folder, Subfolders and Files)
> User 'Mike': Full Control (This Folder, Subfolders and Files)
>
> The above allows users full access to their own folders, read access
> to the root folder, no access to anyone elses folder, and still allows
> admins to add/remove folders in the root folder.
>
> You can then map \\domain\Test\mike to U:\ without having to hide the
> share - other users cannot get access to the folders anyway.
>
> From here:
> http://groups.google.co.uk/group/microsoft.public.windows.server.general/browse_thread/thread/974df7bcc3d47c50/01449299fac9d367?hl=en
>
> Works perfectly in my environment, seems like it would work for you.
>
> Regards
> Richard
>

Lanwench
Mon Jul 14 12:47:18 PDT 2008

Jason Lehman WC <JasonLehmanWC@discussions.microsoft.com> wrote:
> Thanks for replying Richard.
> I am not too worried about my file securiy, though I will check what I
> currently have against what you suggested.
> Breifly, the users currently have full access to the root & full
> access to their own folder. They have no access to anybody else's
> folders.
> The admins have full access to everything.
>
> I'm not even sure why the shares are hidden w/ the $. Sounded like
> another way to secure things.

Yep. Nobody can browse the shares that way. I always hide shares.

> Again, this is a inheritted network that is now mine.
> Maybe I could try just removing the $, so the shares are NOT hidden.
> Don't know if that will change anything or not.

It won't. You need the policy setting...

> I agree, if the security is setup properly; there probably is no
> reason to hide the shares.

Belt + suspenders!
>
> It is just a lot of work to go around re-shareing everything.
> Thank you again for your reply
>
>
> "Richard Price" wrote:
>
>> I recently did exactly what I think you are trying to do, and a
>> hidden share is not what you are after - the correct permissions,
>> however, are.
>>
>> Locations:
>> F:\Test (shared as \\domain\Test)
>> F:\Test\Mike
>> F:\Test\Richard
>>
>> Permissions:
>> \\domain\Test Share Permissions
>> Authenticated Users: Full Control
>>
>> F:\Test NTFS Permissions
>> Advanced -> 'Allow Inherited' unticked, permissions removed
>> Local Admins: Full Control (This Folder Only)
>> Domain Admins: Full Control (This Folder, Subfolders and
>> Files)
>> System: Full Control (This Folder, Subfolders and Files)
>> Authenticated Users: Special (This Folder Only)
>> + Traverse Folder/Execute File
>> + List Folder/Read Data
>> + Read Attributes
>> + Read Extended Attributes
>> + Read Permissions
>>
>> F:\Test\Mike NTFS Permissions
>> Advanced -> 'Allow Inherited' unticked, permissions removed
>> Local Admins: Full Control (This Folder Only)
>> Domain Admins: Full Control (This Folder, Subfolders and
>> Files)
>> System: Full Control (This Folder, Subfolders and Files)
>> User 'Mike': Full Control (This Folder, Subfolders and Files)
>>
>> The above allows users full access to their own folders, read access
>> to the root folder, no access to anyone elses folder, and still
>> allows admins to add/remove folders in the root folder.
>>
>> You can then map \\domain\Test\mike to U:\ without having to hide the
>> share - other users cannot get access to the folders anyway.
>>
>> From here:
>> http://groups.google.co.uk/group/microsoft.public.windows.server.general/browse_thread/thread/974df7bcc3d47c50/01449299fac9d367?hl=en
>>
>> Works perfectly in my environment, seems like it would work for you.
>>
>> Regards
>> Richard

Ace
Mon Jul 14 16:25:13 PDT 2008

In news:DD12AF0B-A92A-4C50-92AA-3CC718381D09@microsoft.com,
Jason Lehman WC <JasonLehmanWC@discussions.microsoft.com> typed:
> Thanks for replying Richard.
> I am not too worried about my file securiy, though I will check what I
> currently have against what you suggested.
> Breifly, the users currently have full access to the root & full
> access to their own folder. They have no access to anybody else's
> folders.
> The admins have full access to everything.
>
> I'm not even sure why the shares are hidden w/ the $. Sounded like
> another way to secure things.
> Again, this is a inheritted network that is now mine.
> Maybe I could try just removing the $, so the shares are NOT hidden.
> Don't know if that will change anything or not.
> I agree, if the security is setup properly; there probably is no
> reason to hide the shares.
>
> It is just a lot of work to go around re-shareing everything.
> Thank you again for your reply
>
>
> "Richard Price" wrote:
>


If I can offer the way I set it up, is to share out the individual users'
folders as hidden and not the root. This way it maps directly to their
folder and see nothing else.

\\servername\%username%$

Also, using the %username% variable on an NTFS drive automatically sets up
the permissions. I just go in there and adjust each one. Keep in mind each
user needs their own customized logon script as well, and on a larger
scaled, have used KixStart to do that with.

And yes, do use that policy setting Lanwench recommended.

Just a suggestion.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations

JasonLehmanWC
Tue Jul 15 06:24:01 PDT 2008

I made the policy change you suggested late yesterday. I immediately tried
rebooting my laptop (which was having the problem described). When I logged
back in, my U: drive was correct.
So the policy seems to make a difference.
My Helpline staff is to let me know if anyone reports this problem again.
So we wait & see what happens.
Thank you all for your help. I was REALLY scratching my head on this one.
I will try to remember to post any results here.
If you don't hear from me, then it means I forgot to post & everything is
fine.

Jason

"Lanwench [MVP - Exchange]" wrote:

> Jason Lehman WC <JasonLehmanWC@discussions.microsoft.com> wrote:
> > Thanks for the reply.
> > I am pretty sure the permissions are all ok.
>
> Sure....was just giving you that article for a reference.
> >
> > If I enable "always wait for network at computer startup and logon",
> > what impact will this have on our mobile users?
> > Will they expierence significant slower startups?
> > The article implys that you are in a Windows 2000 Server Environment.
> > We have all 2003 DC's. Not sure if that matters.
>
> It doesn't - and it won't hurt your users, mobile or immoble. In fact, if
> you try using wireless clients without this GPO setting, you will have a ton
> of problems. Just apply the policy to all workstations.
> >
> > Jason
> >
> >
> > "Lanwench [MVP - Exchange]" wrote:
> >
> >> Jason Lehman WC <JasonLehmanWC@discussions.microsoft.com> wrote:
> >>> In AD I have...
> >>> Home Folder, connect to...
> >>> U: to \\servername\Users$\username
> >>>
> >>> Note the $ after Users to indicate the share is hidden.
> >>>
> >>> Some random users get a U:\Users$
> >>> Instead of getting U:\Users$\UserName
> >>>
> >>> No idea why this is going on.
> >>>
> >>> What I inherrited here was the Sys Admin w/ sharing every single
> >>> users home folder, creating too many shares. So the Home Folder used
> >>> to read...
> >>> Home Folder, connect to...
> >>> U: to \\servername\username$
> >>> So I decided to share the Users dir, instead of every single users
> >>> home folder.
> >>
> >> Absolutely. You don't want to have individual shares. Youmight want
> >> to check out http://support.microsoft.com/kb/274443 (for the
> >> permissions).
> >>>
> >>> Anyone have some suggestions/experience for my problem?
> >>
> >> Yes - this is a known issue with XP, for one. You should enable
> >> "always wait for network at computer startup and logon" in group
> >> policy. Check out
> >> http://technet.microsoft.com/en-us/library/bb456994(TechNet.10).aspx
> >> for more info.
> >>
> >>
> >>> Your help is much appreciated.
> >>> Thanks.
> >>> Jason.
>
>
>
>

Lanwench
Tue Jul 15 09:58:34 PDT 2008

Jason Lehman WC <JasonLehmanWC@discussions.microsoft.com> wrote:
> I made the policy change you suggested late yesterday. I immediately
> tried rebooting my laptop (which was having the problem described).
> When I logged back in, my U: drive was correct.
> So the policy seems to make a difference.
> My Helpline staff is to let me know if anyone reports this problem
> again. So we wait & see what happens.
> Thank you all for your help. I was REALLY scratching my head on this
> one. I will try to remember to post any results here.
> If you don't hear from me, then it means I forgot to post &
> everything is fine.
>
> Jason

Glad to hear everything is OK - I remember that this was a big
head-scratcher for me too, back in the day. Thanks for posting back.
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> Jason Lehman WC <JasonLehmanWC@discussions.microsoft.com> wrote:
>>> Thanks for the reply.
>>> I am pretty sure the permissions are all ok.
>>
>> Sure....was just giving you that article for a reference.
>>>
>>> If I enable "always wait for network at computer startup and logon",
>>> what impact will this have on our mobile users?
>>> Will they expierence significant slower startups?
>>> The article implys that you are in a Windows 2000 Server
>>> Environment. We have all 2003 DC's. Not sure if that matters.
>>
>> It doesn't - and it won't hurt your users, mobile or immoble. In
>> fact, if you try using wireless clients without this GPO setting,
>> you will have a ton of problems. Just apply the policy to all
>> workstations.
>>>
>>> Jason
>>>
>>>
>>> "Lanwench [MVP - Exchange]" wrote:
>>>
>>>> Jason Lehman WC <JasonLehmanWC@discussions.microsoft.com> wrote:
>>>>> In AD I have...
>>>>> Home Folder, connect to...
>>>>> U: to \\servername\Users$\username
>>>>>
>>>>> Note the $ after Users to indicate the share is hidden.
>>>>>
>>>>> Some random users get a U:\Users$
>>>>> Instead of getting U:\Users$\UserName
>>>>>
>>>>> No idea why this is going on.
>>>>>
>>>>> What I inherrited here was the Sys Admin w/ sharing every single
>>>>> users home folder, creating too many shares. So the Home Folder
>>>>> used to read...
>>>>> Home Folder, connect to...
>>>>> U: to \\servername\username$
>>>>> So I decided to share the Users dir, instead of every single users
>>>>> home folder.
>>>>
>>>> Absolutely. You don't want to have individual shares. Youmight want
>>>> to check out http://support.microsoft.com/kb/274443 (for the
>>>> permissions).
>>>>>
>>>>> Anyone have some suggestions/experience for my problem?
>>>>
>>>> Yes - this is a known issue with XP, for one. You should enable
>>>> "always wait for network at computer startup and logon" in group
>>>> policy. Check out
>>>> http://technet.microsoft.com/en-us/library/bb456994(TechNet.10).aspx
>>>> for more info.
>>>>
>>>>
>>>>> Your help is much appreciated.
>>>>> Thanks.
>>>>> Jason.