Need help with AD and homefolders

[MarcusLauk]

So Im on a school project where I have set up my own NAS using freenas to my windows 2008 server. Now I want to integrate this NAS more with AD. Is there any way I can make it so whenever I make a new user there will be created a home folder automatically in this directory. I`ve managed to automatically make folders for the user with the GPO, but that just made a folder lacking personal permissions for the users.

[theguywhoroutes]

You could just share a folder and then go into the AD profile properties and give them a home folder to:

 

\\myserver\share\%username%

 

Make a group and give the group permissions for read & create folders in this directory (not all directories) and then creator/owner permission should give the person full access automatically

[MarcusLauk]

Just now, theguywhoroutes said:

You could just share a folder and then go into the AD profile properties and give them a home folder to:

 

\\myserver\share\%username%

 

Make a group and give the group permissions for read & create folders in this directory (not all directories) and then creator/owner permission should give the person full access

Im currently doing that (-the group), is there no there way to fully make this really automatic?

[theguywhoroutes]

Well if you create users via powershell it can be easy as 1 2 3... Although it isn't much, now whenever you create a new user just add them to the group and set there home folder in AD and sorted...

 

If you add multiple users, just shift+click all the users and use the " \\myserver\share\%username% " method 

[theguywhoroutes]

and creating the users folder via GPO is just making it hard for yourself, have you reverted back to AD home folder? You just need to create a shared folder which will allow the user folder to automatically be created when you set the users home folder in the properties?

[theguywhoroutes]

BUt yeah, all the permissions you really need on a shared folder which all the users profiles are stored are below (well that is how I've set mine up)

 

 

[MarcusLauk]

okey thanks, I will try this out

[leadeater]

Above information is sort of correct.

 

Couple of things I would advise doing, more for a real deployment but good to know:

• Always use DFS paths for any shares, home folders and standard network shares. This allows you to move the underlying storage/share without having to change GPOs, scripts etc. Save your future self hours and always do this.
• Enable access based enumeration, users will only see folder they actually have permissions to.
• Users need permissions as @theguywhoroutes shows, sort of. You also need to add another permission for 'CREATOR OWNER' of 'Full Control' for 'Subfolders and Files Only'. https://blogs.technet.microsoft.com/migreene/2008/03/24/ntfs-permissions-for-redirected-folders-or-home-directories/
• I a real deployment the creation of user accounts and their home folders it automated, powershell is a good choice. Take away the rights for general users to create/append data to the root of the home folder share and use the script to create them. Also with this script you can set the Home drive letter (H: typically).

There's actually already a few threads on this forum about folder redirection I'll dig them up for you.

[theguywhoroutes]

1 minute ago, leadeater said:

 

• Users need permissions as @theguywhoroutes shows, sort of. You also need to add another permission for 'CREATOR OWNER' of 'Full Control' for 'Subfolders and Files Only'. https://blogs.technet.microsoft.com/migreene/2008/03/24/ntfs-permissions-for-redirected-folders-or-home-directories/

Whoops, that would help LOL... Totally forgot since in most of my environments it automatically does that, should mention that next time. thx

[leadeater]

As promised, might have missed 1 or 2 good threads but if you have any further questions ask away, happy to help.

 

 

[leadeater]

39 minutes ago, theguywhoroutes said:

Whoops, that would help LOL... Totally forgot since in most of my environments it automatically does that, should mention that next time. thx

Yea easy to forget every exact permissions required. I have a reference lab setup that I always double check just in case. I've done it way more than enough to remember but I just like to really make sure .

 

I don't follow the Microsoft permissions like you do, having any user account able to create a home folder on the fly is sub optimal security wise. Much prefer controlled user creation. I've got a large/nice powershell script I wrote for creating user accounts in schools, reads in all their details and enrolled classes and adds them to class groups and if the group doesn't exist it creates it. Schedule it to run nightly and if a student changes class they get added to the correct group then have permissions to the Moodle class page and the network shared folder for it.

 

Also have a nice user archiving script that strips useless folders, correct permissions if require then zips them and moved them to an archive NAS/share. Actually mostly finished of and cleaned way up by someone else i worked with but hey team effort .

[Matt_98]

44 minutes ago, MarcusLauk said:

So Im on a school project where I have set up my own NAS using freenas to my windows 2008 server. Now I want to integrate this NAS more with AD. Is there any way I can make it so whenever I make a new user there will be created a home folder automatically in this directory. I`ve managed to automatically make folders for the user with the GPO, but that just made a folder lacking personal permissions for the users.

 

Good luck with that AD integration with freenas never works, but creating a users shared drive would be simple enough (create a share called users) just set the path in the users properties to \\nas\users\(username)

[leadeater]

1 minute ago, Matt_98 said:

Good luck with that AD integration with freenas never works, but creating a users shared drive would be simple enough (create a share called users) just set the path in the users properties to \\nas\users\(username)

Never works is a bit strong, had FreeNAS working with AD auth which does break occasionally. FreeNAS is never my first pick when it some to NAS storage in a Windows environment, well FreeNAS is never my first pick but not everyone has the funds to buy enterprise storage arrays.

[Matt_98]

Just now, leadeater said:

Never works is a bit strong, had FreeNAS working with AD auth which does break occasionally. FreeNAS is never my first pick when it some to NAS storage in a Windows environment, well FreeNAS is never my first pick but not everyone has the funds to buy enterprise storage arrays.

 

 

Fair enough I just speak from my personal expperiences. ended up using a windows box with a storage pool (probably works less than the freenas did) 

[leadeater]

13 minutes ago, Matt_98 said:

Fair enough I just speak from my personal expperiences. ended up using a windows box with a storage pool (probably works less than the freenas did) 

I've had great experiences with Storage Spaces/Storage Pools. I use Windows server for it though which has a few extra bells and whistles, I'm very much not a fan of FreeNAS. If I'm going to use Linux/BSD based storage I'll use something like Ceph.

[Matt_98]

Just now, leadeater said:

I've had great experiences with Storage Spaces/Storage Pools. I use Windows server for it though which has a few extra bells and whistles, I'm very much not a fan of FreeNAS. If I'm going to use Linus/BSD based storage I'll use something like Ceph.

 

 

Windows server is great but my server can't handle the number of drives I need and I'm not spending £500 on another server license

[leadeater]

Just now, Matt_98 said:

Windows server is great but my server can't handle the number of drives I need and I'm not spending £500 on another server license

What about it can't handle more drives? Drive bays or ports?

[Matt_98]

Just now, leadeater said:

What about it can't handle more drives? Drive bays or ports?

not enough ports free (have a spare jbod card though) its more the lack of physical space in the chassis

[leadeater]

Just now, Matt_98 said:

not enough ports free (have a spare jbod card though) its more the lack of physical space in the chassis

Ahk, pity. Issue with my main server is it only takes 2.5" disks which for a long time the largest possible were 1TB, you can get bigger now just recently but for a stupid price >.<

[Matt_98]

Just now, leadeater said:

Ahk, pity. Issue with my main server is it only takes 2.5" disks which for a long time the largest possible were 1TB, you can get bigger now just recently but for a stupid price >.<

 

5ssd raid 0?

[leadeater]

Just now, Matt_98 said:

5ssd raid 0?

6 Samsung Pros actually 

 

P.S. Server has 32 drive bays.

[Matt_98]

Just now, leadeater said:

6 Samsung Pros actually 

nice, could you donate one to a bro in need?  Seriously though what do you use them for, big ass write cache?

[Matt_98]

Just now, leadeater said:

P.S. Server has 32 drive bays.

 

dayum you storage much?

[leadeater]

19 minutes ago, Matt_98 said:

nice, could you donate one to a bro in need?  Seriously though what do you use them for, big ass write cache?

Read/Write cache and as a dedicated SSD only virtual disk for my steam library. Storage Spaces allows you to create multiple virtual disks on the same pool and you can manually define storage tiers using powershell to control how the virtual disks are made up and what physical disks to use.

 

For the Read/Write cache storage I use that for my ESXi storage.

 

I connect my gaming desktop to my server using directly connected 10Gb so I can make use of that SSD speed.

 

17 minutes ago, Matt_98 said:

dayum you storage much?

It may have 32 bays but I certainly don't use that many, too $$$. I have the 6 512GB SSDs and 4 300GB 10K RPM SAS disks. I also have 3 3TB Seagate NAS disks basically just placed sitting in side of the server chassis cos screw paying 2.5" bulk storage prices.

[Matt_98]

5 minutes ago, leadeater said:

Read/Write cache and as a dedicated SSD only virtual disk for my steam library. Storage Spaces allows you to create multiple virtual disks on the same pool and you can manually define storage tiers using powershell to control how the virtual disks are made up and what physical disks to use.

 

For the Read/Write cache storage I use that for my ESXi storage.

 

I connect my gaming desktop to my server using directly connected 10Gb so I can make use of that SSD speed.

 

sounds like a bad ass setup (lucky bastard)