-
Feb 10th, 2010, 08:53 AM
#1
Thread Starter
Frenzied Member
Configure Windows Server 2008 file sharing
Hi!
Not exactly a programming question, but hopefully someone can help me anyway.
Our development server has crashed and we need to replace it ASAP.
The dev network is really simple, we have one server that acts as DNS, DHCP, domain controller etc and also file server. We have 3 folders that are mapped to the client whenever the client logs on.
I have successfully installed the new server and configured it properly. Now I am not sure what to do about the folders. The setup with shared folders looks somewhat different than 2003 server. We have also made the decision to have one server as file server and this new one will store AD etc. So some way we need to create user and public folders on the new file server, but they need to be mapped to the client when he/she logs on to the domain controller (new 2008 server).
Best way to solve this? Can it be done with the new "shared folders" or do I need to fiddle with startup scripts? It is required that the paths on the client are as before, like
X:\Donald Duck\ <-- user folder
y:\Public\ <-- public folder
Z:\Projects <-- projects folder
kind regards
Henrik
-
Feb 10th, 2010, 05:52 PM
#2
Re: Configure Windows Server 2008 file sharing
Yeah it is supposed to be more 'user friendly' on server 2008 but in reality it just means it's easier for people to do the wrong thing in my opinion :P
Anyway, here's how I would do it: (assuming you want all users to have access to Public and Projects but only the relevant user to have access to their own user folder):
On the File Server - EDIT: I assumed your file server was Server 2008 when I typed this but after re-reading your post I'm not 100% sure
For the Public and Projects folders, create new folders with those names wherever you want on the server, presumably on the root of the data drive (ie not the OS drive) if you have got more than one partition/drive in it. Once you have created these 2 folders, right click on one of them and go to Properties, go to the Sharing tab and click the Advanced Sharing button, in the new window that appears type the name for the share (so Public or Projects) and click the Permissions button. In the permissions dialog, make sure the group Everyone has got Full Control and no other groups/users are on there. Now click OK on that permissions dialog and then OK on the sharing dialog. Do not close the properties dialog though, instead click on the Security tab and then click the Edit button to edit the permissions - assuming you want all users to be able to access the Projects and Public folders, just make sure System and Administrators have Full Control and then set the Authenticated Users group to Modify (if you set them to Full Control as well then they will be able to edit the permissions for the folder and take ownership of it, which is usually not desirable). Remove any other groups from this permissions list and then OK your way back to the folder view and repeat the same procedure for the other folder.
For the user's own folders, I would create a folder on the root of the data drive named "Users" or something similar and then create each user's folder under there (to make things easier later on I would name the folders exactly the same as what the user's username will be - you will understand this when you read the Domain Controller section below). Now there are 2 popular styles of doing this - you can either share the top level "Users" folder and make it read only but then grant users access to their own folder beneath or you can make the Users folder not accessible for users and then share each individual user's folder beneath it (and grant them access obviously). The second method is more work obviously as it involves sharing each user's folder rather than just the top level folder but personally I prefer it. For one thing it makes it easier for the users as their mapped drive will take them straight to their own folder rather than them having to look through the list of everyone's folders and find their name (which is rubbish when you have a lot of users), plus I have seen some issues in the past with network drive mappings not working correctly when mapped to the top level read only folder. Anyway, whichever method of sharing you choose you will have to grant each user access to their own folder within the top level Users folder so right click on each user's folder once you have created them and go to Properties, then click the Security tab. Now depending on what security you have got on the top level Users folder, you might not need to do this next part. If you have only got administrators and system able to access the top level Users folder then don't bother with this next bit.
If you have got users having read access (or any kind of access really) to the top level folder then click the Advanced button (on the security tab of the properties window you just opened up), on the next window click the Edit button, on the next window untick the box that says "Include inherited permissions from this object's parent" and then OK your way back to the security tab of the folder properties dialog window. Now click the Edit button and make it so that all you have in the list of permissions is: System - Full Control, Administrators - Full Control, USER_NAME_HERE - Modify (obviously replace USER_NAME_HERE with the name of the user whose folder you are currently setting up). Now repeat this process for all of the users' folders under the top level folder. Little tip as well, if you have gone with the style of sharing each individual user folder then when you share the folder put a $ symbol after the share name as this makes it hidden from the list of browsable shares on the server (this has a couple of small security benefits but also means that if you have lots of users then when you browse to that server you will not see a huge list of user shares cluttering things up).
On the Domain Controller
There are a couple of ways to do this but the simplest is to just use the Logon script attribute in a user's AD account properties to specify the name of a batch file (or vbs file) that should be run each time the user logs on. So all you need to do to set this up is to log on to the domain controller (via Remote Desktop or whatever) and then go to Start -> Run -> type \\localhost\Netlogon -> click OK -> this will open up the netlogon share on the DC and this is the default location that the DC will look for logon scripts (anything in this folder also gets replicated automatically to any other DCs you have on your domain). So in here create a new batch file (named logonscript.bat for example) and in the batch file type the following:
Code:
Net Use X: /delete /yes
Net Use Y: /delete /yes
Net Use Z: /delete /yes
Net Use X: \\FILE_SERVER_NAME\%USERNAME%$
Net Use Y: \\FILE_SERVER_NAME\Public
Net Use Z: \\FILE_SERVER_NAME\Projects
Replace FILE_SERVER_NAME with your file server name or IP address obviously but leave the %USERNAME%$ as it is (you only need the $ if you added the $ when sharing the folders as mentioned above). This is assuming you went with the method of sharing individual user folders, if you didn't and just shared the top level Users folder then you need to replace the line that has %USERNAME%$ with the name that you shared the top level folder as. Also note that this %USERNAME% part will only work if you shared the user's folders with the same name as their logon username - as you have probably guessed, it gets 'translated' into the username of whoever is running the batch file when it is run. You also do not have to do the first 3 lines where it deletes the drives, I just like to do this for tidiness and to make sure that if we were to change where a drive mapped to then the users would definitely see the changes next time they log in.
Anyway, once you have done this and saved the batch file in Netlogon, open up Active Directory Users & Computers and open up a user account that will need these network drives mapping. Click on the Profile tab and then in the Logon Script box just type whatever name you gave the batch file - you don't need to include the full path, just the name of the file.
Now try logging on to a PC as one of the users and see what happens!
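The per-user folder setup from the post above (hidden share, inheritance removed, System and Administrators on Full Control, the user on Modify), scripted as an added example that is not part of the original post. The domain name CONTOSO, the data root D:\Users and the function name are placeholders; icacls and net share are called because both ship with Server 2008, and the script must be run elevated on the file server.

```powershell
# Added example, not from the thread. Placeholders: CONTOSO, D:\Users, New-UserHomeShare.
function New-UserHomeShare {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [string]$Domain = 'CONTOSO',
        [string]$Root   = 'D:\Users'
    )

    # The name ends up in a path, a share name and an ACL entry, so keep it strict.
    if ($UserName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        throw "Unexpected characters in user name '$UserName'"
    }

    $folder  = Join-Path $Root $UserName
    $share   = $UserName + '$'            # trailing $ hides the share from browsing
    $account = "$Domain\$UserName"

    if (-not (Test-Path -LiteralPath $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }

    # NTFS: drop inherited entries, then grant only the three entries from the post.
    # *S-1-5-18 = SYSTEM, *S-1-5-32-544 = Administrators (well-known SIDs, so the
    # script also works on non-English installs). (OI)(CI) = folder, subfolders, files.
    & icacls.exe $folder /inheritance:r | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /inheritance failed on $folder" }

    & icacls.exe $folder /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' "${account}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed on $folder" }

    # Share permission: Everyone / Full Control, as in the post. NTFS does the filtering.
    # 'Everyone' is the English group name; adjust it on localized installs.
    & net.exe share "${share}=${folder}" '/GRANT:Everyone,FULL' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net share failed for $share" }

    # Verify the result: nothing inherited, and Full Control held only by
    # SYSTEM and Administrators (so the user cannot edit permissions or take ownership).
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $rules   = (Get-Acl -Path $folder).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.IsInherited) {
            throw "Inherited entry still present on $folder for $sid"
        }
        if ((($rule.FileSystemRights -band $full) -eq $full) -and
            ('S-1-5-18', 'S-1-5-32-544' -notcontains $sid)) {
            throw "Unexpected Full Control entry on $folder for $sid"
        }
    }

    # UNC path to use in the logon script or the Home Drive field.
    "\\${env:COMPUTERNAME}\$share"
}

# Usage (constructed user name): New-UserHomeShare -UserName 'dodu'
```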
-
Feb 11th, 2010, 05:29 AM
#3
Thread Starter
Frenzied Member
Re: Configure Windows Server 2008 file sharing
Hi!
Thanks for your lengthy reply! It worked like a charm.
We are using Windows Small Business Server 2008 so you assumed correctly.
I got one issue from the boss, he wants all users to be created as:
Donald Duck
instead of
dodu (log on name),
and he also wants the full name to appear on the share... for some reason.
Is this possible? I guess you can just use another environment variable? I did some googling and didn't find the variable to use...
Are there any other things we should think about when setting up this server, security wise? We use Windows 7 on all clients, can we benefit from using 2008 server to make life easier somehow?
Another thought was, what about all the info that the user stores in their libraries, will it ever be moved to the server as part of their profile or just stay on the client?
kind regards
Henrik
-
Feb 11th, 2010, 06:48 AM
#4
Re: Configure Windows Server 2008 file sharing
None of their profile will be stored on the server unless you set up a policy to redirect it. I usually redirect users' My Documents folder to their personal drive (via group policy) and leave it at that because when you start redirecting their entire profile (ie Roaming Profiles) you can find that it takes a very long time to log on or off as all of the information is downloaded from the server and it can also be quite complicated to set up if you haven't done it before.
As for the user's folders being shared with their full name rather than their username - if you do that then you will have to manually specify the user's folder name for every single user (there is no environmental variable for the user's full name unfortunately). This would mean that instead of mapping the user's personal drive in the logon script with the other 2 drives, you would have to use the Home Drive attribute on a user's AD account properties (on the Profile tab) to map a specific drive letter to their shared folder path... but you would have to do this for every single user account individually as it would be a unique path for each user obviously. I would ask your boss if it is really worth the extra time and effort required to set this up just for the sake of the folder names looking a bit nicer... what does it matter what the folders are shared as anyway if the users have a mapped drive that takes them straight INTO the folder, they won't ever see the folder name (apart from on the label of the mapped drive).
-
Feb 11th, 2010, 08:09 AM
#5
Thread Starter
Frenzied Member
Re: Configure Windows Server 2008 file sharing
Hi!
Thanks for the reply! I'm starting to get the hang of it.
Well the reason for the full name was that he just thought it is easier to see who is who on the server... don't ask me why it is so important.
Anyway, do you mind describing how to mirror the "my documents" to the users folder? Also, I need to set some kind of quota for each user to say 50 MB.
I am not so used to group policies... my background is .net development and architecture, not server administration. But when the regular admin quit his job, I was appointed.
/Henrik
-
Feb 11th, 2010, 09:21 AM
#6
Re: Configure Windows Server 2008 file sharing
Well you can give the users their full name when you create their user account in Active Directory (ie in the First Name and Surname fields), it's just the logon name / username that needs to be the same as the share name.
As for redirecting My Documents, just search google for "redirecting my documents group policy" and you will find loads of good tutorials. As for quotas, check out this article http://www.petri.co.il/managing-wind...tas-part-2.htm and just have a play around with a test user account setting quotas on a specific drive for that user and seeing how it works.
-
Feb 11th, 2010, 10:38 AM
#7
Thread Starter
Frenzied Member
Re: Configure Windows Server 2008 file sharing
Hi!
I added a group policy under the "folder redirection" area on the group policy editor. I selected just for testing, the documents and the desktop. But nothing happens when I add files and folders there, they are not created on the server. I have the same security settings as you suggested in the post above.
I am clueless, how can I troubleshoot this? Everything looks good in the config. Can I see somewhere in the event log if there is a security problem? I looked through the event log on the server, but didn't find anything that can be related to this issue...
kind regards
Henrik
-
Feb 11th, 2010, 01:41 PM
#8
Re: Configure Windows Server 2008 file sharing
Any event log entries will be logged on the PC that the user logged on to, not on the server. Usually under the Application event log with a source of Userenv (although I think the folder redirection ones have their own event log source) but this might be different in Windows 7, I've not tried to troubleshoot group policy issues on that yet.
Have you actually applied this group policy to the OU where the user accounts are? To see if a GPO is actually affecting a user (or computer) you can log on as that user and run "gpresult" from the command line to see a list of all GPOs (group policies) that are currently being applied to that user and computer and it will also show you any that are not being filtered out as well.
-
Feb 12th, 2010, 03:57 AM
#9
Thread Starter
Frenzied Member
Re: Configure Windows Server 2008 file sharing
Hi!
Thanks again for the replies. I have checked and verified that the group policy is enforced on the client, but I see no notes in the event log stating that folder redirection has started. The principal itself is properly configured. This is of secondary importance so I will leave it unless you have any suggestions for further troubleshooting.
According to the gpresult /r the policy is enforced... so what else is there to do?
kind regards and thanks for your patience
/Henrik
-
Feb 12th, 2010, 03:10 PM
#10
Re: Configure Windows Server 2008 file sharing
Can you post a screenshot of both tabs in the My Documents folder redirection settings window? Here's an example screenshot I found on google just so you know which window I mean:
-
Feb 16th, 2010, 08:32 AM
#11
Thread Starter
Frenzied Member
Re: Configure Windows Server 2008 file sharing
Hi!
I finally got it working, sorta. I applied the policy to the default group policy instead of the new one I created and now the policy is working as it should. But since I created all user folders with an $, I can't seem to write the folder redirection path as I want.
Or should I follow another strategy for folder redirection? I get the event log error that the path can't be mapped, and that is obvious since it tries to map \\myserver\Users\user
when it should map \\myserver\Users\user$
kind regards
Henrik
-
Feb 16th, 2010, 08:55 AM
#12
Re: Configure Windows Server 2008 file sharing
You can use a $ in the path for the folder redirection... just type \\myserver\users\user$ in the group policy folder redirection settings window. I have no idea why it would work in the default domain policy and not in a separate policy if you say you are sure you had applied that new policy to the OU where the user accounts are, I've certainly never experienced such a problem.
-
Feb 16th, 2010, 08:59 AM
#13
Thread Starter
Frenzied Member
Re: Configure Windows Server 2008 file sharing
Hi!
Thanks for the quick reply. Are you sure that will work? When I type \\myserver\Users....
server 2008 automatically suggests that the resulting path will be \\myserver\Users\Clair (as example for user clair)
I don't see how I can add the $ since Windows adds the last part automatically.
Hope I make sense?
/Henrik
-
Feb 16th, 2010, 11:31 AM
#14
Re: Configure Windows Server 2008 file sharing
Oh so you have shared the top level Users folder and not each individual user's folder then? If you have done that then you don't need to share each user's folder (see my original post) so you don't need the $ at all.
-
Feb 17th, 2010, 04:34 AM
#15
Thread Starter
Frenzied Member
Re: Configure Windows Server 2008 file sharing
Hi!
Thanks for your reply. I managed to solve the error. The problem was that I stupidly had chosen the "create a folder for every user..." when I should have selected "redirect to the following location". Now I can type \\MYSERVER\%USERNAME%$
But, I get another problem now
"This security ID may not be assigned as the owner of this object."
I have read the article at
http://technet.microsoft.com/en-us/l...53(WS.10).aspx
But on the folder heno I have set full permission to administrators, creators and heno. And from the client I can create folders and files without any problem. Why do I get this error? I think I have set all permissions as the article suggests.
kind regards
Henrik - who is slowly getting there...
-
Feb 17th, 2010, 04:46 AM
#16
Re: Configure Windows Server 2008 file sharing
Can you do as I suggested in post #10 and post a screenshot of both of the tabs in the group policy folder redirection window?
-
Feb 20th, 2010, 03:00 PM
#17
Thread Starter
Frenzied Member
Re: Configure Windows Server 2008 file sharing
Hi!
Thanks for your help, I managed to sort this out. I completely missed your first request for screenshots, but can understand why you asked for them.
We plan to deploy this new server configuration within a week, hopefully everything will be sorted out, I have two questions though.
1) We have about 40 users that we will create new accounts for, manually in the new domain. This means adding login name, set logon script, profile path, domain group membership (I have two domain groups, administrators and users). What can I do to make this process less time consuming? Is there any way?
2) We need all domain users to be local administrators. All users are developers in one way or another, and we need them to be able to access registry, add printers, devices etc without having to enter a domain administrator account. And I don't want them to be domain admins, just local admins on each and every one of the clients. How do I do this? I have spent two hours googling on this, but either I type the search text incorrectly or there is no easy way? We use Windows 7 on all clients!
Anything special I need to think about when using windows 7? I read lots about that using win7 + server 2008 will ease your admin, but I can't find answers on how this is done in practice...
best regards
Henrik
-
Feb 20th, 2010, 05:50 PM
#18
Re: Configure Windows Server 2008 file sharing
1) You can write scripts to create multiple users but to be honest for 40 users it would be quicker to create them all manually than to figure out how to get a script working properly
2) If you are using all Windows 7 clients then you can take advantage of the new Group Policy Preferences - when you go to edit a group policy on a Server 2008 machine you should see the policies broken down into "Policies" and "Preferences"... if you expand the Preferences section under the Computer Configuration heading and then go into Control Panel Settings, then Local Users and Groups, you should be able to right click in the area in the right hand window and go to New -> Group. Now in the next window that appears you can select the Administrators group from the drop down and then click the Add button below to add a new member. I would recommend rather than adding every single user in this section, you just create a security group in AD and add all of the users that you want to be local admins to that, then add that AD group to the local admins group in this group policy.
-
Feb 22nd, 2010, 05:19 AM
#19
Thread Starter
Frenzied Member
Re: Configure Windows Server 2008 file sharing
Hi!
Thanks that did the trick. I have added all users to the new AD, set their roaming profile and login scripts and also created two security groups "Company_Users" and "Company_Admins".
My plan is that the users group should only have "domain user" rights. The Admins group has access to our servers. I have added in the admins group these built in groups:
Administrators
Domain administrators
Domain users
Is that correct?
There is also a built in role called "company administrator". Not sure what to use it for, but our boss has lots of shared folders with "secret" info about budget, salary etc. Should this group be used for my boss only? And then set security to these folders?
kind regards
Henrik
-
Feb 22nd, 2010, 09:07 AM
#20
Thread Starter
Frenzied Member
Re: Configure Windows Server 2008 file sharing
I have another small question that's confusing me a lot.
Why can't my user who is a domain administrator delete the folders created by folder redirection (or roaming profiles)? I can't even see the permissions, I just get error message when I go to the security-tab for the folder. What role do I lack?
/Henrik
Last edited by MrNorth; Feb 22nd, 2010 at 09:10 AM.
-
Feb 23rd, 2010, 04:14 AM
#21
Re: Configure Windows Server 2008 file sharing
 Originally Posted by MrNorth
I have another small question that's confusing me a lot.
Why can't my user who is a domain administrator delete the folders created by folder redirection (or roaming profiles)? I can't even see the permissions, I just get error message when I go to the security-tab for the folder. What role do I lack?
/Henrik
That will be because the user will be set as the owner of the folder for any that were created by redirection - you need to take ownership of the folder when logged on as admin to be able to change the permissions. You can do this by going to the same location where you would view a folder's permissions but clicking on the Advanced button and then the Owner tab. I think there is a tick box in the My Documents group policy redirection window that says something like "grant user exclusive rights to folder" - If you untick that then you won't get that problem with users' redirected My Documents folder, but obviously you need to manually make sure that only that user (and admin) has permission to access that folder.
-
Feb 24th, 2010, 07:54 AM
#22
Thread Starter
Frenzied Member
Re: Configure Windows Server 2008 file sharing
Hi Chris!
I'm very grateful for your support and patience, I'm finally getting the hang of this.
One last question:
We have an old domain controller on a win 2003 server. There are lots of folders there with secret info and that has NTFS permissions set so that only certain AD users have access. We plan to demote this to a normal server and kill the domain it controls. What will happen to all permissions locked to all the folders? We are talking like 2-300 folders with info dedicated to only certain users in the domain. All these users exist in our new domain, and it is this new domain that will assume control of these folders. The old DC will only work as a common file server.
Is it dangerous to demote a DC? Is there any risk that these folders will be inaccessible?
kind regards
Henrik
-
Feb 24th, 2010, 08:54 AM
#23
Re: Configure Windows Server 2008 file sharing
No there is not any risk of the folders becoming inaccessible completely but the users will lose access to the files/folders until you reconfigure the permissions - when you set permissions on a folder it is not the user account name that is granted permission, but the SID (a unique security ID) of the user account. When you look at permissions on a folder the permissions dialog window looks for a domain controller to 'translate' these SIDs to a domain and username combination - if it cannot find a domain controller for that domain (which is what will happen once you demote the DC for the old domain) then it will just display the SID. So once you have demoted the DC you will find that when you view the permissions of the folders you will just see a load of SIDs. If it was ONLY accounts on the old domain that were assigned permissions to some of these folders (i.e. no local groups such as Administrators) then to be able to get into these folders and set up the new permissions you will need to take ownership of them in a similar way to what I mentioned in the last post.
So I would say demote the DC, then join it to the new domain and take ownership of all of the files on it so that you can then set up the permissions again to grant the relevant user's new domain account access to the folder (make use of the "replace permissions/owner on child objects" option where necessary to save a lot of time)
Hope that helps
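An inventory of the folders affected by the SID behaviour described above, as an added example that is not part of the original post: it lists explicit permission entries whose SID no longer translates to an account name, plus folders whose ACL cannot be read at all (the take-ownership candidates). The function name and the D:\Data path are placeholders; it assumes Windows PowerShell 3.0 or later, run elevated on the demoted file server.

```powershell
# Added example, not from the thread. Placeholders: Get-UnresolvedAce, D:\Data.
function Get-UnresolvedAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]
    $cache   = @{}   # SID string -> account name, or $null when nothing can translate it

    # The root folder itself plus every subfolder beneath it.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer })

    foreach ($dir in $dirs) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        } catch {
            # The ACL cannot even be read: ownership has to be taken before
            # permissions can be set up again.
            [pscustomobject]@{
                Folder = $dir.FullName; Sid = $null; Rights = $null; Issue = 'AclUnreadable'
            }
            continue
        }

        # Explicit entries only; inherited ones are fixed on the parent folder.
        foreach ($rule in $acl.GetAccessRules($true, $false, $sidType)) {
            $sid = $rule.IdentityReference.Value
            if (-not $cache.ContainsKey($sid)) {
                try {
                    $cache[$sid] = $rule.IdentityReference.Translate($ntType).Value
                } catch {
                    # No domain controller or local account database maps this SID.
                    # A transient lookup failure lands here too, so re-run before acting.
                    $cache[$sid] = $null
                }
            }
            if ($null -eq $cache[$sid]) {
                [pscustomobject]@{
                    Folder = $dir.FullName
                    Sid    = $sid
                    Rights = $rule.FileSystemRights
                    Issue  = 'UnresolvedSid'
                }
            }
        }
    }
}

# Usage (constructed path): one row per old-domain SID with the number of folders it appears on.
# Get-UnresolvedAce -Path 'D:\Data' | Group-Object Sid | Sort-Object Count -Descending
```

Running it before the old domain is removed, while the SIDs still translate, gives the SID-to-user mapping needed to re-grant each folder to the matching account in the new domain.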
-
Mar 3rd, 2010, 09:56 AM
#24
Thread Starter
Frenzied Member
Re: Configure Windows Server 2008 file sharing
Hi!
Now we have finally changed servers. But there is an important issue that I have no idea how to handle, google has turned out nothing.
On all win7 clients on the network, internet explorer seems to be locked in some kind of high security mode, everything seems to be set to "maximum security"
How can I change this so all clients get normal security, so they can run ActiveX, flash etc just like a normal PC? I have looked through the Group Policy Editor and under internet explorer, everything seems to be untouched.
For example, when browsing to a page that has a flash animation, the user doesn't get a popup that suggests they install flash... they have to go manually to the adobe website and download. Not happy users
kind regards
Henrik
-
Mar 3rd, 2010, 05:25 PM
#25
Re: Configure Windows Server 2008 file sharing
Sorry I've not come across that issue but if you go onto one of the user's machines and open Internet Explorer and go to Tools -> Internet Options -> Security tab, what is the security level for the Internet zone set to?
-
Mar 4th, 2010, 02:45 AM
#26
Thread Starter
Frenzied Member
Re: Configure Windows Server 2008 file sharing
Hi!
It was set to "high" for the internet zone. Very strange. Can it have to do with that I chose "work" and not "home" for the network setting when I installed windows 7 on the client. Perhaps it's not group policy related at all.
Also, the first time I started IE it showed the page "hardadmin.htm". That was the first time I noticed something was weird.
/Henrik
-
Mar 4th, 2010, 12:54 PM
#27
Re: Configure Windows Server 2008 file sharing
Nah the "work" location should not do that, if anything it lowers security settings (because you are on a network you trust). I doubt it is group policy related, if it's something that is set by group policy then it generally does not allow the user to change it (unless it is one of the new 'preferences' policies). For example if you enable Offline Files via group policy then you will find that even an admin on the PC cannot disable it as the checkbox will be greyed out. I'm not sure if there even is a GPO for setting the default IE security level, but if there is then you could use that to set it back to medium on all of the clients.