Guest Sven-D
Posted September 30, 2008

I am having trouble with users' home folders and offline folders.

The issue is like this: when making a folder offline (either through group policy or by right-clicking and selecting "Make Available Offline") I get the following error:

"Offline Files (\\server\share): Unable to make 'share' available offline on \\server\users\username. Access is denied."

The structure on the server looks like this:
- users: shared folder, Domain Users full control (share permission)
- username: subfolders with the name of the user, created automatically when the user is created in AD.

According to an article I found, it is a permissions issue with the top folder "users": http://support.microsoft.com/kb/275461

I can get it to work by doing the following:
- granting Domain Users NTFS "read" access on the top "users" folder (but this lets everyone check the contents of other users' folders, so then I have to:)
- edit the NTFS permissions on every subfolder, so they don't inherit permissions from the top folder.

This will add administrative overhead, as I will have to remove this permission every time a new user is created. It is easy to forget, also.

I feel there is something vital I am missing here... It isn't meant to be this way, is it?

Guest Lanwench [MVP - Exchange]
Posted September 30, 2008

Re: Offline Folders - Windows Server 2003

You might check out "How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003" - http://support.microsoft.com/kb/274443. It doesn't *exactly* describe your setup but should help with the folder permissions.

I don't use home directories anymore - they're a pretty antiquated concept. If you just set up folder redirection for My Documents, you can use "basic - redirect everyone to the same location" and "create a folder under the parent share" ...e.g., \\server\home$\%username%\My Documents. You can map a drive letter to that if you like, also.

There are all sorts of group policy settings for offline files, too - including one that automatically makes subfolders available offline.

Guest Sven-D
Posted September 30, 2008

Re: Offline Folders - Windows Server 2003

Just tested this in my test environment - and it works on home folders :)

The reasons I use home folders are:
- they are already there.
- people already have lots of music, pictures etc. in My Documents. I don't want that on the server.
- I want to encrypt the offline folder cache. I haven't found a way to do that with My Documents redirection - but maybe someone has a solution for that, too?

Guest Sven-D
Posted September 30, 2008

Re: Offline Folders - Windows Server 2003

Oops! I was a little quick there... Users still get access to each other's home folders. (The home folders are automatically created by Active Directory Users and Computers when creating a new user.)

Any more ideas?

Guest Phillip Windell
Posted September 30, 2008

Re: Offline Folders - Windows Server 2003

"Sven-D" <sven-d@discussions.microsoft.com> wrote in message news:D8546371-52FF-458D-A668-12DC37A400E2@microsoft.com...
> Oops! I was a little quick there... Users still get access to each other's
> home folders. (The home folders are automatically created by Active
> Directory Users and Computers when creating a new user.)

The document she pointed you to will cover the permissions issues: "How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003" - http://support.microsoft.com/kb/274443.

Don't "blow over" the permissions description; it is important, it is the key, and it is not the "default" permissions you might expect it to be if you don't look closely. Take note how the permissions in the root above the users' folders allow the creation of the folders below that but do not grant permissions to the folders after they are created.

--
Phillip Windell
http://www.wandtv.com

The views expressed are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
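
The root-folder pattern described in the post above, as an added example that is not part of the thread or of the KB article: the group's access applies to the root folder only, so nothing is inherited by the per-user subfolders, and a follow-up check lists any subfolder that still carries a broad ACE. `$Root`, `$Group` and the `New-Ace` helper are assumptions for illustration; compare the rights against KB 274443 before applying them.

```powershell
# Added example, not from the thread. $Root and $Group are assumed placeholders.
$Root  = 'D:\users'               # assumed local path behind \\server\users
$Group = 'EXAMPLE\Domain Users'   # assumed domain name

# Hypothetical helper: builds one Allow ACE.
function New-Ace($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

$acl = Get-Acl -Path $Root
# Stop inheriting from the volume root and discard inherited ACEs.
$acl.SetAccessRuleProtection($true, $false)
# Drop existing explicit ACEs so only the rules below remain.
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }

$both = 'ContainerInherit, ObjectInherit'
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' $both 'None'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' $both 'None'))
# Applies to subfolders and files only: whoever creates a folder gets control of it.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER'          'FullControl' $both 'InheritOnly'))
# "This folder only": users can traverse the root and create a folder in it,
# but the ACE is not inherited, so it grants nothing inside other users' folders.
$acl.AddAccessRule((New-Ace $Group `
    'ListDirectory, CreateDirectories, ReadAttributes, Traverse' 'None' 'None'))
Set-Acl -Path $Root -AclObject $acl

# Audit: report subfolders where a broad principal still has any ACE.
$broad = @($Group, 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder = $_.FullName
    (Get-Acl -Path $folder).Access |
        Where-Object { $broad -contains $_.IdentityReference.Value } |
        Select-Object @{ n = 'Folder'; e = { $folder } },
                      IdentityReference, FileSystemRights, IsInherited
}
```

An empty audit result means no per-user folder is readable through a group-wide ACE; any row with `IsInherited` set to `False` is an explicit grant on that folder that has to be removed by hand.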