Win Domain File Services


Sample Use Setups

In the following examples, "ORGX_Admins" is the IT-NSS created group that contains the organizational administrators.

Office file share instructions

In this example, an office file share is created so that all office users can see the basic directory structure, but only certain groups can see within subfolders. This setup allows users to map a single drive and move among folders they have access to.

Assuming the name of the Organizational Unit is ORGX, IT-NSS performs the following functions:

  1. Creates share name \\win.udel.edu\ORGX\Shared.
  2. Sets shadow copies to 10% of usage.
  3. Creates WIN AD groups ORGX-FS-Shared-Access, ORGX-FS-Shared-Modify, and grants ORGX_Admins full control over these groups. Note: In this example, the "FS" designates file system related groups. These groups are assigned Read Access and Modify Access to the entire \\win.udel.edu\ORGX\Shared share.

Members of the ORGX_Admins group perform the following steps:

  1. Create subfolders "ExchangeDocumentation" and "SharepointBudget".
  2. Create WIN AD groups ORGX-FS-Shared-ExchangeDocs-Modify, ORGX-FS-Shared-ExchangeDocs-Read, ORGX-FS-Shared-SharepointBudget-Modify, and ORGX-FS-Shared-SharepointBudget-Read.
  3. Assign NTFS Security permissions appropriately.
    1. On the file share:
      1. Note that when the share is created, Read rights to the entire share are assigned to the ORGX-FS-Shared-Access group.
      2. On the ExchangeDocumentation subfolder:
        1. Under Security, Advanced, disable inheritance and remove access for the ORGX-FS-Shared-Access group (the share-wide Read group).
        2. Grant Modify rights to the ORGX-FS-Shared-ExchangeDocs-Modify group.
        3. Grant Read rights to the ORGX-FS-Shared-ExchangeDocs-Read group.
    2. Assign permissions on the SharepointBudget subfolder with the corresponding groups, as above. Note: We do not recommend granting Full Control to these groups or users, since that allows members of those groups to modify permissions, potentially adding users outside the groups or even blocking themselves and others in the group from the content.
  4. Assign users to the correct groups.
    1. Note: You may wish to create user groups, such as ORGX-Users-Documentation-Editors, and add users to those groups rather than adding users to the FS (file share) groups directly. It all depends on how complicated your structure is.
    2. Avoid adding individual users or user groups directly to subfolder file share permissions, as this gets confusing quickly. Using the method above, anyone with access to AD can quickly determine who has access to which subfolders, and the access an individual user has can be determined by examining their group membership.

This procedure yields shares with subfolders set up with appropriate permissions. Because end users cannot create additional top-level folders, the top level keeps a sense of order, and users cannot modify permissions. The procedure prevents end users from granting access to sensitive data to all users at the University, or from excluding themselves from subfolders created by others.
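The subfolder steps above (create the groups, break inheritance, remove the share-wide Read group, grant Modify and Read), as an added PowerShell example that is not from the original page or IT-NSS. It assumes the ActiveDirectory module is installed, that IT-NSS has already created the share and the share-wide groups, and that the WIN NetBIOS domain name and the $GroupOU distinguished name are placeholders to replace with the site's own values.

```powershell
# Added example, not from the original page. Provisions the subfolder groups and NTFS ACLs
# described above for the ORGX Shared share. $Domain and $GroupOU are placeholders (assumptions).
Import-Module ActiveDirectory

$Share          = '\\win.udel.edu\ORGX\Shared'
$Domain         = 'WIN'                                      # NetBIOS domain name (assumption)
$GroupOU        = 'OU=Groups,OU=ORGX,DC=win,DC=udel,DC=edu'  # placeholder distinguished name
$ShareReadGroup = 'ORGX-FS-Shared-Access'                    # share-wide Read group created by IT-NSS

# Subfolder name => short tag used in the ORGX-FS-Shared-<tag>-<Right> group names.
$Subfolders = @{ 'ExchangeDocumentation' = 'ExchangeDocs'; 'SharepointBudget' = 'SharepointBudget' }

foreach ($folder in $Subfolders.Keys) {
    $modifyGroup = "ORGX-FS-Shared-$($Subfolders[$folder])-Modify"
    $readGroup   = "ORGX-FS-Shared-$($Subfolders[$folder])-Read"

    # Create the two access groups unless they already exist.
    foreach ($g in $modifyGroup, $readGroup) {
        if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
            New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
        }
    }

    $path = Join-Path -Path $Share -ChildPath $folder
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Step 1: break inheritance, copying the inherited entries so they become explicit and editable.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $path -AclObject $acl

    # Step 2: drop the share-wide Read group, then grant the subfolder groups Modify and Read.
    # Modify rather than Full Control, so members cannot rewrite the permissions (see the note above).
    $acl = Get-Acl -Path $path
    $acl.PurgeAccessRules([System.Security.AccessControl.NTAccount]"$Domain\$ShareReadGroup")
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    # Newly created groups may take a moment to become resolvable; the name lookup fails until then.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        "$Domain\$modifyGroup", 'Modify', $inherit, $none, 'Allow'))
    # ReadAndExecute is the GUI's "Read & execute" level; plain Read also lists and opens files.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        "$Domain\$readGroup", 'ReadAndExecute', $inherit, $none, 'Allow'))
    Set-Acl -Path $path -AclObject $acl
}
```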

Additional information on permissions can be found at TechNet Magazine.

Personal file share with folder redirection instructions

Assuming the name of the Organizational Unit is ORGX, IT-NSS performs the following functions:

  1. Creates share name \\win.udel.edu\ORGX\Home.
  2. Sets shadow copies to 10% of usage.
  3. Creates WIN AD groups ORGX-FS-Staff-Access, ORGX-FS-Staff-Modify, and grants ORGX_Admins full control over these groups.

Members of ORGX_Admins perform the following steps:

  1. Request blank group policies from IT-NSS; you will need one in step 6.
  2. Create a subfolder for each end user (along with Documents and/or Pictures, etc.).
  3. Assign permissions on those folders to those users. (Grant Modify permissions for folder \\win\ORGX\Staff\uduser to the user UDelNetID.)
  4. Either create an OU named ORGX-Computers-Staff-Redirect or apply the policy to computers in an existing OU.
    1. Place all computers to which this policy is to be applied in this OU.
  5. If you have not already done so, create a group policy for loopback, or use the pre-created one, WIN-Loopback-Enable.
    1. Navigate to Computer Configuration, Policies, Administrative Templates, System, Group Policy.
    2. Enable Configure folder redirection policy processing, with the following options:
      1. Allow processing across a slow network connection.
      2. Process even if the Group Policy objects have not changed.
    3. Enable Configure user Group Policy loopback processing mode:
      1. Set the mode to Replace.
      2. Settings can be compared to the WIN-Loopback-Enable policy.
  6. Request a blank group policy from IT-NSS and rename it ORGX-Home-Redirection.
  7. Navigate to User Configuration, Policies, Windows Settings, Folder Redirection.
  8. On the folder(s) to be redirected, right-click and choose Properties.
  9. Under Target:
    1. Change the setting to Basic.
    2. Choose Create a folder for each user under the root path.
    3. Root Path: \\win.udel.edu\ORGX\Staff\
  10. Under Settings:
    1. Grant the user exclusive rights: disabled (unchecked).
    2. Move the contents of Documents to the new location: disabled (unchecked).
    3. Policy removal behavior: Leave contents.
  11. Link the group policies above (loopback and redirection) to the ORGX-Staff-Redirect OU.
    1. In GPedit.msc, browse to the OU, right-click, and choose Link an Existing GPO for each of the above policies (loopback and redirection).
  12. Create a backup copy of the user's home directory.
  13. Have the user log out and then log on.
  14. Copy files to the home directory under the appropriate folders specified above.
    1. You must create a folder for each staff member named the same as their user name.
    2. Note: If users will access their subfolders from a Mac, you must allow Read access to the root of the share for everyone who needs to reach any subdirectory (i.e., their own staff folder).
    3. Disable inheritance on EACH staff subfolder.
    4. Remove the share-wide group's access (ORGX-FS-Staff-Access).
    5. Add Modify access for the individual.
  15. Optional (and a good idea for laptops): Right-click on the folder and choose Always available offline.

This procedure gives your users redirected home folders. We recommend against the exclusive rights option, because it makes life difficult if you, as the share admin, need to recover something for a user's manager.

One other potential issue is that you may need to create multiple shares to handle this process. With a 2TB limit per share, a large department could conceivably run into it. To avoid the problem, request a second share, for example \\win.udel.edu\ORGX\Staff2. This will require an additional computer OU and a corresponding GPO to implement.
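A check for the permission design described in both sections above, added here as an example (not IT-NSS's own tooling): it walks the subfolders of a share and reports explicit entries that break the model, namely the share-wide Read group still present, anyone outside the admin set able to change permissions or ownership, and (on the office share) rights granted to a user rather than a group. The ActiveDirectory module, the WIN NetBIOS domain name and the group names are assumptions taken from this page's naming.

```powershell
# Added example, not from the original page. Audits one share's subfolders against the design above.
Import-Module ActiveDirectory

function Test-OrgxShareAcl {
    param(
        [Parameter(Mandatory)] [string] $Share,               # e.g. \\win.udel.edu\ORGX\Shared
        [string] $ShareWideGroup = 'ORGX-FS-Shared-Access',   # Read group IT-NSS put on the whole share
        [string] $AdminGroup     = 'ORGX_Admins',
        [string] $Domain         = 'WIN',                     # NetBIOS domain name (assumption)
        [switch] $AllowUserEntries                            # Home shares grant each user their own folder
    )
    # Principals expected to hold Full Control everywhere; anyone else with ACL-changing rights is a finding.
    $trusted   = @("$Domain\$AdminGroup", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    # Rights that let a holder rewrite the ACL; Modify deliberately excludes them.
    $dangerous = [int][System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'

    foreach ($dir in Get-ChildItem -Path $Share -Directory) {
        $acl = Get-Acl -Path $dir.FullName
        # Only explicit entries matter: inheritance should already be broken on restricted subfolders.
        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            $id = $ace.IdentityReference.Value
            $finding = $null
            if ($id -eq "$Domain\$ShareWideGroup") {
                $finding = 'share-wide read group still present; inheritance not removed'
            } elseif ($trusted -notcontains $id -and (([int]$ace.FileSystemRights -band $dangerous) -ne 0)) {
                $finding = "can change permissions or ownership: $($ace.FileSystemRights)"
            } elseif (-not $AllowUserEntries -and $id -like "$Domain\*") {
                $sam = $id.Split('\')[1]
                # A direct user entry defeats the "read access off group membership" model.
                if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
                    $finding = 'permission granted directly to a user rather than a group'
                }
            }
            if ($finding) {
                [pscustomobject]@{ Folder = $dir.Name; Identity = $id; Rights = $ace.FileSystemRights; Finding = $finding }
            }
        }
    }
}

# Usage: the office share should report nothing; a home share tolerates per-user entries.
Test-OrgxShareAcl -Share '\\win.udel.edu\ORGX\Shared' | Format-Table -AutoSize
Test-OrgxShareAcl -Share '\\win.udel.edu\ORGX\Home' -ShareWideGroup 'ORGX-FS-Staff-Access' -AllowUserEntries |
    Format-Table -AutoSize
```

Run it from an account that can read the ACLs of every subfolder; an empty result on the office share means the structure still matches what the procedure set up.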