2k8 Mapped Network Drive GPO - NTFS Permissions?

Hello,

-2008 Server Enterprise Edition.

I've set up a GPO to map a network drive according to the %LogonUser% value.

Path: \\server\share$\%LogonUser%

This only works when "Everyone" has Full Permissions to the shared folder's
NTFS permissions.

I'm trying to figure out what are the exact required account/permissions for
the share folder to ensure maximum security and still work - it needs to be
able to create the folder automatically or it won't work, erroring with a
path not found error.

I've been googling but I can't find the NTFS permissions structure required
for the share root folder.

Any help would be appreciated!

Thanks,
-B

Hello,

Ok apparantly I was mistaken - the only way this works is if the %LogonUser%
folder already exists.

So again, what are the required permissions on the shared folder in order to
get the folder to automatically create if it doesn't exist?

-B

"Brock Hensley" <brock.hensley@serverintellect.com> wrote in message
news:CE8B5905-830D-42D6-A58A-328EC96E4BA3@microsoft.com...
> Hello,
>
> -2008 Server Enterprise Edition.
>
> I've set up a GPO to map a network drive according to the %LogonUser%
> value.
>
> Path: \\server\share$\%LogonUser%
>
> This only works when "Everyone" has Full Permissions to the shared
> folder's NTFS permissions.
>
> I'm trying to figure out what are the exact required account/permissions
> for the share folder to ensure maximum security and still work - it needs
> to be able to create the folder automatically or it won't work, erroring
> with a path not found error.
>
> I've been googling but I can't find the NTFS permissions structure
> required for the share root folder.
>
> Any help would be appreciated!
>
> Thanks,
> -B

Brock,
consider using folder redirection instead - follow
http://technet.microsoft.com/en-us/l...16(WS.10).aspx regarding
the permissions required to implement it. As far as I recall, they would be
the same in the scenario you are describing. In essence:
- the group of users that will have their user-specific folders autocreated
under Share$ needs - List Folder/Read Data, Create Folders/Append Data -
This Folder Only
- CreatorOwner should have Full Control, Subfolders and Files Only
plus Full control to local Administrators and SYSTEM

hth
Marcin

"Brock Hensley" <brock.hensley@serverintellect.com> wrote in message
news:0A236579-35F0-43BD-9E32-1A7188510ED6@microsoft.com...
> Hello,
>
> Ok apparantly I was mistaken - the only way this works is if the
> %LogonUser% folder already exists.
>
> So again, what are the required permissions on the shared folder in order
> to get the folder to automatically create if it doesn't exist?
>
> -B
>
> "Brock Hensley" <brock.hensley@serverintellect.com> wrote in message
> news:CE8B5905-830D-42D6-A58A-328EC96E4BA3@microsoft.com...
>> Hello,
>>
>> -2008 Server Enterprise Edition.
>>
>> I've set up a GPO to map a network drive according to the %LogonUser%
>> value.
>>
>> Path: \\server\share$\%LogonUser%
>>
>> This only works when "Everyone" has Full Permissions to the shared
>> folder's NTFS permissions.
>>
>> I'm trying to figure out what are the exact required account/permissions
>> for the share folder to ensure maximum security and still work - it needs
>> to be able to create the folder automatically or it won't work, erroring
>> with a path not found error.
>>
>> I've been googling but I can't find the NTFS permissions structure
>> required for the share root folder.
>>
>> Any help would be appreciated!
>>
>> Thanks,
>> -B
>

Hello Brock,

On the share permissions, Remove everything and add authenticated users
(Full Control) and on the security permissions (Administrator -Full control,
Creator Owner -Full Control, System -Full Control and Authenticated Users -
Read & Execute, List Folder Contents, Read

Isaac


"Brock Hensley" <brock.hensley@serverintellect.com> wrote in message
news:0A236579-35F0-43BD-9E32-1A7188510ED6@microsoft.com...
> Hello,
>
> Ok apparantly I was mistaken - the only way this works is if the
> %LogonUser% folder already exists.
>
> So again, what are the required permissions on the shared folder in order
> to get the folder to automatically create if it doesn't exist?
>
> -B
>
> "Brock Hensley" <brock.hensley@serverintellect.com> wrote in message
> news:CE8B5905-830D-42D6-A58A-328EC96E4BA3@microsoft.com...
>> Hello,
>>
>> -2008 Server Enterprise Edition.
>>
>> I've set up a GPO to map a network drive according to the %LogonUser%
>> value.
>>
>> Path: \\server\share$\%LogonUser%
>>
>> This only works when "Everyone" has Full Permissions to the shared
>> folder's NTFS permissions.
>>
>> I'm trying to figure out what are the exact required account/permissions
>> for the share folder to ensure maximum security and still work - it needs
>> to be able to create the folder automatically or it won't work, erroring
>> with a path not found error.
>>
>> I've been googling but I can't find the NTFS permissions structure
>> required for the share root folder.
>>
>> Any help would be appreciated!
>>
>> Thanks,
>> -B
>

Hello,

Unfortunately, I don't think it's a permission issue after all, I think it's
just not built into the function.

It simply won't work unless the %LogonUser% folder exists.

I've had suggestions to use the Folder group policy feature to create the
folder, but evidently they don't work together in the right order?

Not really sure :-S

-B

"Isaac Oben [MCITP:EA, MCSE]" <isaac.oben@nospam.gmail.com> wrote in message
news:%23T0mQyO3JHA.3476@TK2MSFTNGP05.phx.gbl...
> Hello Brock,
>
> On the share permissions, Remove everything and add authenticated users
> (Full Control) and on the security permissions (Administrator -Full
> control, Creator Owner -Full Control, System -Full Control and
> Authenticated Users - Read & Execute, List Folder Contents, Read
>
> Isaac
>
>
> "Brock Hensley" <brock.hensley@serverintellect.com> wrote in message
> news:0A236579-35F0-43BD-9E32-1A7188510ED6@microsoft.com...
>> Hello,
>>
>> Ok apparantly I was mistaken - the only way this works is if the
>> %LogonUser% folder already exists.
>>
>> So again, what are the required permissions on the shared folder in order
>> to get the folder to automatically create if it doesn't exist?
>>
>> -B
>>
>> "Brock Hensley" <brock.hensley@serverintellect.com> wrote in message
>> news:CE8B5905-830D-42D6-A58A-328EC96E4BA3@microsoft.com...
>>> Hello,
>>>
>>> -2008 Server Enterprise Edition.
>>>
>>> I've set up a GPO to map a network drive according to the %LogonUser%
>>> value.
>>>
>>> Path: \\server\share$\%LogonUser%
>>>
>>> This only works when "Everyone" has Full Permissions to the shared
>>> folder's NTFS permissions.
>>>
>>> I'm trying to figure out what are the exact required account/permissions
>>> for the share folder to ensure maximum security and still work - it
>>> needs to be able to create the folder automatically or it won't work,
>>> erroring with a path not found error.
>>>
>>> I've been googling but I can't find the NTFS permissions structure
>>> required for the share root folder.
>>>
>>> Any help would be appreciated!
>>>
>>> Thanks,
>>> -B
>>
>
>

Hi
Give Full access to Domain Users and System security group, after the Folder
Profile is created, the Permissions for that Folder will be automatically
setup for you, you may also have a Policy that additionally adds the domain
Administrator to those Profile Folders.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"Brock Hensley" <brock.hensley@serverintellect.com> wrote in message
news:CE8B5905-830D-42D6-A58A-328EC96E4BA3@microsoft.com...
> Hello,
>
> -2008 Server Enterprise Edition.
>
> I've set up a GPO to map a network drive according to the %LogonUser%
> value.
>
> Path: \\server\share$\%LogonUser%
>
> This only works when "Everyone" has Full Permissions to the shared
> folder's NTFS permissions.
>
> I'm trying to figure out what are the exact required account/permissions
> for the share folder to ensure maximum security and still work - it needs
> to be able to create the folder automatically or it won't work, erroring
> with a path not found error.
>
> I've been googling but I can't find the NTFS permissions structure
> required for the share root folder.
>
> Any help would be appreciated!
>
> Thanks,
> -B

Forgot to say that this applies to share and NFS Permissions.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"Brock Hensley" <brock.hensley@serverintellect.com> wrote in message
news:CE8B5905-830D-42D6-A58A-328EC96E4BA3@microsoft.com...
> Hello,
>
> -2008 Server Enterprise Edition.
>
> I've set up a GPO to map a network drive according to the %LogonUser%
> value.
>
> Path: \\server\share$\%LogonUser%
>
> This only works when "Everyone" has Full Permissions to the shared
> folder's NTFS permissions.
>
> I'm trying to figure out what are the exact required account/permissions
> for the share folder to ensure maximum security and still work - it needs
> to be able to create the folder automatically or it won't work, erroring
> with a path not found error.
>
> I've been googling but I can't find the NTFS permissions structure
> required for the share root folder.
>
> Any help would be appreciated!
>
> Thanks,
> -B

Hello,

No matter what the permissions are, it won't work unless the profile folder
already exists:

The user 'U:' preference item in the 'MappedUserDrive_GPO
{67844E83-6CA4-45B0-8889-069E8D283EA2}' Group Policy object did not apply
because it failed with error code '0x8007000f The system cannot find the
drive specified.' This error was suppressed.

This is with Authenticated Users, System, Domain Users having Full control
on the Share and NTFS Folder. (Plus creater owner, admins having full on
ntfs).

Has anyone gotten this to work with the Folders GPP?

Thanks,
-B

"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:98C348F3-1181-4489-A973-1A800A9E7EA8@microsoft.com...
> Forgot to say that this applies to share and NFS Permissions.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MVP Directory Services
> "Brock Hensley" <brock.hensley@serverintellect.com> wrote in message
> news:CE8B5905-830D-42D6-A58A-328EC96E4BA3@microsoft.com...
>> Hello,
>>
>> -2008 Server Enterprise Edition.
>>
>> I've set up a GPO to map a network drive according to the %LogonUser%
>> value.
>>
>> Path: \\server\share$\%LogonUser%
>>
>> This only works when "Everyone" has Full Permissions to the shared
>> folder's NTFS permissions.
>>
>> I'm trying to figure out what are the exact required account/permissions
>> for the share folder to ensure maximum security and still work - it needs
>> to be able to create the folder automatically or it won't work, erroring
>> with a path not found error.
>>
>> I've been googling but I can't find the NTFS permissions structure
>> required for the share root folder.
>>
>> Any help would be appreciated!
>>
>> Thanks,
>> -B
>

If you're trying to map any drive to any place where the path is invalid,
then it won't work this is true for any given path.
Mapped drives assume valid paths, and you should use shares only, meaning
that you CAN'T map a drive to a folder that isn't shared, AVOID using the
user profile path for this, use instead a shared folder.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"Brock Hensley" <brock.hensley@serverintellect.com> wrote in message
news:B4E1F15F-4EAB-420D-B6A7-3507331BBE40@microsoft.com...
> Hello,
>
> No matter what the permissions are, it won't work unless the profile
> folder already exists:
>
> The user 'U:' preference item in the 'MappedUserDrive_GPO
> {67844E83-6CA4-45B0-8889-069E8D283EA2}' Group Policy object did not apply
> because it failed with error code '0x8007000f The system cannot find the
> drive specified.' This error was suppressed.
>
> This is with Authenticated Users, System, Domain Users having Full control
> on the Share and NTFS Folder. (Plus creater owner, admins having full on
> ntfs).
>
> Has anyone gotten this to work with the Folders GPP?
>
> Thanks,
> -B
>
> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
> news:98C348F3-1181-4489-A973-1A800A9E7EA8@microsoft.com...
>> Forgot to say that this applies to share and NFS Permissions.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MVP Directory Services
>> "Brock Hensley" <brock.hensley@serverintellect.com> wrote in message
>> news:CE8B5905-830D-42D6-A58A-328EC96E4BA3@microsoft.com...
>>> Hello,
>>>
>>> -2008 Server Enterprise Edition.
>>>
>>> I've set up a GPO to map a network drive according to the %LogonUser%
>>> value.
>>>
>>> Path: \\server\share$\%LogonUser%
>>>
>>> This only works when "Everyone" has Full Permissions to the shared
>>> folder's NTFS permissions.
>>>
>>> I'm trying to figure out what are the exact required account/permissions
>>> for the share folder to ensure maximum security and still work - it
>>> needs to be able to create the folder automatically or it won't work,
>>> erroring with a path not found error.
>>>
>>> I've been googling but I can't find the NTFS permissions structure
>>> required for the share root folder.
>>>
>>> Any help would be appreciated!
>>>
>>> Thanks,
>>> -B
>>
>

"Brock Hensley" <brock.hensley@serverintellect.com> wrote in message news:2F4A7AA8-A318-4616-803E-E5F41E1CD3B0@microsoft.com...
> Hello,
>
> Unfortunately, I don't think it's a permission issue after all, I think it's
> just not built into the function.
>
> It simply won't work unless the %LogonUser% folder exists.
>
> I've had suggestions to use the Folder group policy feature to create the
> folder, but evidently they don't work together in the right order?
>
> Not really sure :-S
>

I've never used the %LogonUser% variable. I didn;t even know it existed.

Have you tried the %username% variable?


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
http://twitter.com/acefekay