Win Domain File Services

Sample Use Setups

In the following examples, "ORGX_Admins" is the IT-NSS created group that contains the organizational administrators.

Office file share instructions

In this example, an office file share is created so that all office users can see the basic directory structure, but only certain groups can see within subfolders. This setup allows users to map a single drive and move among folders they have access to.

Assuming the name of the Organizational Unit is ORGX, IT-NSS performs the following functions:

  1. Creates share name \\\ORGX\Files.
  2. Sets shadow copies to 10% of usage.
  3. Creates WIN AD groups ORGX-Files-Read, ORGX-Files-Modify, and grants ORGX_Admins full control over these groups.

Members of the ORGX_Admins group perform the following steps:

  1. Create subfolders “ExchangeDocumentation” and “SharepointBudget”.
  2. Create WIN AD groups ORGX-Files-ExchangeDocs-Modify, ORGX-Files-ExchangeDocs-Read, ORGX-SharepointBudget-Modify, and ORGX-SharepointBudget-Read.
  3. Assign NTFS Security permissions appropriately.
    1. On the Files share:
      1. Grant Read rights to ORGX-Files-Read group.
    2. ExchangeDocs:
      1. Under Security-Advanced, disable inheritance and remove access for ORGX-Files-Read group.
      2. Grant Modify rights to the ORGX-Files-ExchangeDocs-Modify group.
      3. Grant Read rights to the ORGX-Files-ExchangeDocs-Read group.
    3. SharepointBudget: as above, with appropriate groups.
    4. Note: We do not recommend that full rights be granted to these groups or users since that allows the users in those groups to modify permissions, potentially adding users outside those groups and even blocking themselves and others in the group from content.
  4. Assign users to correct groups.

This procedure yields shares with subfolders set up with appropriate permissions. End users cannot create other top-level folders, which keeps the top level orderly, and they cannot modify permissions. This prevents end users from granting all users at the University access to sensitive data, or from excluding themselves from subfolders created by others.
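The NTFS steps for the ExchangeDocs subfolder (step 3 above) can also be scripted. The following PowerShell is an added example, not IT-NSS's own code. It assumes the domain's NetBIOS name is WIN and that the share root is \\win\ORGX\Files, modelled on the \\win\ORGX\Home path used elsewhere on this page. The list of expected administrative identities is also an assumption.

```powershell
# Added example, not IT-NSS's own script. Run as a member of ORGX_Admins.
# Assumptions: NetBIOS domain name WIN; share root \\win\ORGX\Files (modelled
# on the \\win\ORGX\Home path on this page); the folder already exists.
$Domain = 'WIN'
$Folder = '\\win\ORGX\Files\ExchangeDocumentation'

function New-FolderRule {
    param([string]$Group, [string]$Rights)
    # Allow rule that subfolders and files below the folder inherit.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        "$Domain\$Group", $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
}

# Pass 1: disable inheritance but keep the inherited entries as explicit
# copies, so administrative access is not lost. The copies can only be
# removed after the ACL has been written back once.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Folder -AclObject $acl

# Pass 2: remove the share-wide read group, then add the folder's own groups.
$acl = Get-Acl -Path $Folder
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]"$Domain\ORGX-Files-Read")
$acl.AddAccessRule((New-FolderRule 'ORGX-Files-ExchangeDocs-Modify' 'Modify'))
$acl.AddAccessRule((New-FolderRule 'ORGX-Files-ExchangeDocs-Read' 'Read'))
Set-Acl -Path $Folder -AclObject $acl

# Check: full rights should not be granted to these groups or users. List
# every Allow entry with Full Control that is not an expected admin identity.
$Expected = "$Domain\ORGX_Admins", 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'  # assumption
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
(Get-Acl -Path $Folder).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full -and
        $_.IdentityReference.Value -notin $Expected
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

An empty result from the final pipeline means no unexpected identity holds Full Control on the folder.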

Additional information on permissions can be found at TechNet Magazine.

Personal file share with folder redirection instructions

Assuming the name of the Organizational Unit is ORGX, IT-NSS performs the following functions:

  1. Creates share name \\\ORGX\Home.
  2. Sets shadow copies to 10% of usage.
  3. Creates WIN AD groups ORGX-Home-Read, ORGX-Home-Modify, and grants ORGX_Admins full control over these groups.

Members of ORGX_Admins perform the following steps:

  1. You must request blank group policies from IT-NSS for step 6.
  2. Create subfolder for each end user (along with Documents and/or Pictures, etc.).
  3. Assign each user permissions on their own folder. (Grant Modify permissions on folder \\win\ORGX\Home\uduser to the user uduser.)
  4. Either create an OU named ORGX-Home-Redirect or apply to computers in an existing OU.
    1. Place all computers to which this policy is to be applied in this OU.
  5. If you have not already done so, create a group policy for loopback or use the pre-created one WIN-Loopback-Enable.
    1. Navigate to Computer Configuration, Policies, Administrative Templates, System, Group Policy.
    2. Enable the following:
      1. Configure folder redirection policy:
        1. Allow processing across a slow network connection.
        2. Process even if group policy objects have not changed.
      2. Configure user Group Policy loopback processing mode:
        1. Set mode to Replace.
    3. Settings can be compared to the WIN-Loopback-Enable Policy.
  6. Request a blank group policy from IT-NSS and rename it ORGX-Home-Redirection.
    1. Navigate to User Configuration, Policies, Windows Settings, Folder Redirection.
    2. On the folder(s) to be redirected, right-click and choose Properties.
    3. Under Target:
      1. Change setting to Basic.
      2. Create a folder for each user under the root path.
      3. Root Path: \\\ORGX\Home\.
    4. Under Settings:
      1. Grant user exclusive rights: disabled (unchecked).
      2. Move the contents of documents to new location: disabled (unchecked).
      3. Policy removal behavior: Leave contents.
  7. Link the group policies above (loopback and redirection) to the ORGX-Home-Redirect OU.
    1. In GPedit.msc, browse to the OU, right-click, and choose Link an Existing GPO for each of the above policies (loopback and redirection).
  8. Create backup copy of user's home directory.
  9. Have the user log out and then log on.
  10. Copy files to home directory under the appropriate folders specified above.
  11. Optional (and a good idea for laptops): Right-click on the folder and choose Always available offline.

This procedure gives your users redirected home folders. We recommend against the exclusive rights option because it makes life difficult if you, as the share admin, need to recover something for a user's manager. One other potential issue is that you may need to create multiple shares to handle this process: with a 2TB limit, it is conceivable that a large department could run into this issue. To avoid the problem, create a new share of \\\ORGX\Home2.
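Steps 2 and 3 of the home folder procedure (one folder per user, Modify for that user) can be scripted and then audited. The following PowerShell is an added example, not IT-NSS's own code. It assumes the NetBIOS domain name WIN and the home root \\win\ORGX\Home from step 3. The account names and the list of expected administrative identities are constructed for illustration.

```powershell
# Added example, not IT-NSS's own script. Run as a member of ORGX_Admins.
# Assumptions: NetBIOS domain name WIN; home root \\win\ORGX\Home as in step 3.
$Domain   = 'WIN'
$HomeRoot = '\\win\ORGX\Home'
$Users    = 'uduser', 'uduser2'   # constructed sample accounts
# Identities expected on every folder besides its owner (assumption).
$Admins   = "$Domain\ORGX_Admins", 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
$full     = [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($user in $Users) {
    $path = Join-Path $HomeRoot $user
    # Step 2: per-user folder plus the subfolders that will be redirected.
    New-Item -ItemType Directory -Path "$path\Documents", "$path\Pictures" -Force |
        Out-Null
    # Step 3: Modify (not Full Control) for the owner, inherited downwards.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        "$Domain\$user", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Audit: for each home folder, report entries that belong neither to the
# folder's namesake nor to an expected admin identity, and owner entries
# that carry Full Control instead of Modify.
Get-ChildItem -Path $HomeRoot -Directory | ForEach-Object {
    $owner = "$Domain\$($_.Name)"
    foreach ($ace in (Get-Acl -Path $_.FullName).Access) {
        $id = $ace.IdentityReference.Value
        if ($id -in $Admins) { continue }
        $issue = $null
        if ($id -ne $owner) {
            $issue = 'identity is not the folder owner'
        } elseif (($ace.FileSystemRights -band $full) -eq $full) {
            $issue = 'owner holds Full Control'
        }
        if ($issue) {
            [pscustomobject]@{
                Folder = $_.Name; Identity = $id
                Rights = $ace.FileSystemRights; Issue = $issue
            }
        }
    }
}
```

Entries inherited from the share root, such as the ORGX-Home-Read and ORGX-Home-Modify groups, appear in the audit output so they can be reviewed per folder.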