
User Home Permissions


Before You Start

By default, Windows Server does a decent job these days of setting up secure permissions for user home directories, but only if you use the wizards built into Server Manager. Sometimes you just want to create some directories and shares by hand and have them good to go. I mean, how hard can it be, right? The two places it usually goes wrong are the share permissions (left at the default “Everyone”) and the NTFS permissions (inherited entries left behind that let every user read every other user’s folder), so this article walks through both.

First things first, create a folder that will be the User Home root; we’ll set both the share permissions and the NTFS permissions on this one folder, and every user’s home folder will live directly beneath it. For the purposes of this article, we’ll be using “X:\User-Homes” as the root.

Setting the Share Permissions

  1. Right-click on the User-Homes folder and select “Properties”
  2. Click on the “Sharing” tab
  3. Click on “Advanced Sharing”
  4. Tick the box “Share this folder”
  5. Click on the “Permissions” button
  6. Remove “Everyone” from the list of Group or usernames
  7. Click on the “Add” button and type in “Domain Users” and click on “OK”
  8. Check the “Allow” tick box for “Full Control” in the Permissions list
  9. Click OK on all the permissions windows that are open for the changes to be made.

Share permissions are coarse (Read, Change or Full Control) and are evaluated together with the NTFS permissions: a user ends up with whichever of the two is more restrictive. So give Domain Users Full Control on the share, do the real gatekeeping with NTFS permissions, and you only have one place to look when troubleshooting. Do not leave “Everyone” on the share: it is broader than Domain Users (it includes the Guest account and users from any trusted domain), and if the policy “Network access: Let Everyone permissions apply to anonymous users” is enabled it also covers unauthenticated connections.

(Screenshot: User Share Permissions)
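The same result from PowerShell, as an added example that is not part of the original post: it creates the share with only Domain Users on it, or fixes an existing share that still carries “Everyone”, and finishes with the check you would otherwise do by eye in the Permissions dialog. The share name, path and the CONTOSO domain name are assumptions.

```powershell
# Added example, not from the original post: create the User-Homes share, or fix an
# existing one, with the SmbShare cmdlets instead of the Advanced Sharing dialog.
# Assumptions (not from the original): the share is named User-Homes, the folder is
# X:\User-Homes and the domain NetBIOS name is CONTOSO. Run elevated on the file server.
$ShareName = 'User-Homes'
$Path      = 'X:\User-Homes'
$Group     = 'CONTOSO\Domain Users'

if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    # When -FullAccess is given, New-SmbShare does NOT add the default "Everyone: Read".
    # Access-based enumeration hides folders the caller cannot open, so a user who
    # browses the share sees only their own home folder, not everybody else's names.
    New-SmbShare -Name $ShareName -Path $Path -FullAccess $Group `
        -FolderEnumerationMode AccessBased | Out-Null
} else {
    Grant-SmbShareAccess -Name $ShareName -AccountName $Group -AccessRight Full -Force | Out-Null
    Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
}

# Remove every other share entry, "Everyone" included. Deny entries come off with
# Unblock-SmbShareAccess, Allow entries with Revoke-SmbShareAccess.
foreach ($ace in Get-SmbShareAccess -Name $ShareName | Where-Object { $_.AccountName -ne $Group }) {
    if ($ace.AccessControlType -eq 'Deny') {
        Unblock-SmbShareAccess -Name $ShareName -AccountName $ace.AccountName -Force | Out-Null
    } else {
        Revoke-SmbShareAccess -Name $ShareName -AccountName $ace.AccountName -Force | Out-Null
    }
}

# Check: exactly one entry should remain, Domain Users / Allow / Full.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
```

Access-based enumeration is not a security control on its own (the NTFS ACL is what actually stops a user opening another folder), but it stops the share root from being a directory of every account name in the company.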

Setting the File Permissions

  1. Right-click on the User-Homes folder and select “Properties”
  2. Click on the “Security” tab
  3. Click on the “Advanced” button
  4. Click on “Disable inheritance” and then click on “Convert inherited permissions into explicit permissions on the object”
  5. Remove the converted entries you do not want, in particular anything for “Users” or “Authenticated Users”. Any entry left here that applies to subfolders and files is inherited by every home folder, so a leftover “Users: Read & execute” would let every user read every other user’s files. Keep “SYSTEM” with Full Control so backup and the operating system itself can still reach the data.
  6. Add or ensure that “CREATOR OWNER” has “Full Control” and “Subfolders and files only” is in the “Applies to” column
  7. Add “Domain Users” and set the “Applies to:” drop down to “This folder only”
  8. Click on “Show advanced permissions” and tick the box “Create folders / append data”
  9. Click OK on all the permissions windows that are open for the changes to be made.

This will set the permissions on the folder so that a user can create their own home folder and nothing else; when they do, the “CREATOR OWNER” entry turns into a Full Control entry for that user on the new folder and everything created under it. If you use Folder Redirection in Group Policy, the user’s home folder is created automatically when the user first logs on. Manually setting the home directory path and drive letter on the user’s account in Active Directory Users and Computers also creates the folder and grants the user Full Control on it. Both of those open the folder by its full path, so the user never needs to list the root. If users instead map the User-Homes share itself as a drive and browse to their folder, also tick “List folder / read data” (still “This folder only”) for Domain Users; that is the combination Microsoft’s Folder Redirection deployment guidance grants alongside “Create folders / append data”.

(Screenshot: Advanced User Permissions)
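The NTFS side of the steps above, as an added example that is not part of the original post. It uses the .NET ACL classes rather than icacls so that each “Applies to” choice in the Advanced dialog is visible as its inheritance and propagation flags, and it discards the inherited entries instead of converting them, which is what makes the later claim that nobody but the owner can open a home folder actually true. The root path, the CONTOSO domain name, the SYSTEM entry and the “List folder / read data” right for Domain Users are assumptions or additions, not part of the GUI steps.

```powershell
# Added example, not from the original post: set the NTFS ACL on the User-Homes root.
# Assumptions (not from the original): root X:\User-Homes, domain NetBIOS name CONTOSO.
# Run elevated, from the account that created the folder, so Set-Acl can write it.
$Root   = 'X:\User-Homes'
$Domain = 'CONTOSO'

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# "Applies to" in the Advanced dialog is a pair of InheritanceFlags / PropagationFlags:
$ThisFolderOnly            = @('None', 'None')
$ThisFolderSubfoldersFiles = @('ContainerInherit, ObjectInherit', 'None')
$SubfoldersAndFilesOnly    = @('ContainerInherit, ObjectInherit', 'InheritOnly')

function New-Ace {
    param([string]$Identity, [string]$Rights, [string[]]$AppliesTo)
    # Allow rules built this way automatically carry Synchronize, as the GUI does.
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $AppliesTo[0], $AppliesTo[1], 'Allow')
}

$acl = Get-Acl -Path $Root
# Stop inheriting from X:\ and DISCARD the inherited entries ($false) instead of
# converting them. A converted volume-root ACL usually still carries BUILTIN\Users
# Read & execute on "this folder, subfolders and files", which every home folder
# would then inherit. Then clear any explicit leftovers so the list is exactly ours.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRuleAll($rule) }

# SYSTEM: Full Control on everything (backup, shadow copies, quotas). Not in the GUI
# steps above; it is in Microsoft's Folder Redirection share guidance.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' $ThisFolderSubfoldersFiles))
# CREATOR OWNER: Full Control, subfolders and files only. Whoever creates a home
# folder gets Full Control of it and of everything created inside it.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' $SubfoldersAndFilesOnly))
# Domain Users: create folders in the root and nothing below it ("This folder only").
# ListDirectory is an addition so users can browse the share root to their own folder;
# drop it if home folders are only ever opened by full path.
$acl.AddAccessRule((New-Ace "$Domain\Domain Users" 'CreateDirectories, ListDirectory' $ThisFolderOnly))

Set-Acl -Path $Root -AclObject $acl

# Check: this is the table the Advanced dialog shows, minus the GUI's wording.
(Get-Acl -Path $Root).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

The check at the end should show exactly three entries and no “Users”, “Authenticated Users” or “Everyone”; if an extra line appears, inheritance was converted rather than discarded somewhere and every home folder created from now on will inherit it.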

Administration Access

If you follow the steps above (and left nothing on the root but the entries listed there), no one except the user who created each home folder can get into it, not even administrators. Administrators hold the Take Ownership privilege, so they can always get in eventually, but only by changing the owner or the ACL, which alters the folder and is obvious to the user. It is often desirable for admins, backup operators or a help-desk group to be able to read user data on a file server without that. Follow the steps below to give a given user or group Full Control over all user homes.

  1. Right-click on the User-Homes folder and select “Properties”
  2. Click on the “Security” tab
  3. Click on the “Advanced” button
  4. Click the “Change” text next to the “Owner:” information
  5. Add the user or group you wish to give full access to and click on OK
  6. Tick the box “Replace owner on sub containers and objects” and then click on Apply
  7. A dialogue box will pop up saying “If you have just taken ownership of this object, you will need to close and reopen this object’s properties before you can view or change permissions.” Click “OK” on it and all open permission windows.
  8. Go back to the “Advanced” permission window using steps 1 - 3
  9. Click on “Add” and then “Select a principal” and enter the user or group you wish to give Full Access
  10. Ensure that the “Applies to:” drop down is set to “This folder, subfolders and files”
  11. Tick the “Full control” box under “Basic permissions:” and then click on OK
  12. Click on “Apply” to apply the permissions. The user or group you specified now has complete access to every existing home folder, and any folder created from now on inherits the entry.

Two things to be aware of. Taking ownership of the sub-containers replaces each user as the owner of their own folder and files; it does not remove the Full Control entry they were given when the folder was created, but NTFS disk quotas are charged to the owner, so any quota accounting moves to the new owner. And if you are setting up a new share, add this entry straight after the steps in the previous section, before anyone creates a home folder: new folders inherit it and the ownership change is never needed.

(Screenshot: Admin Permissions)

Fixing Permissions with Existing User Homes

All the above is great if you’re creating a new user home share, but what if you have an existing one with hundreds/thousands of users and you want to reset the permissions? Well, that’s where a script can come in handy.

You can download my script from GitHub. You’ll need to configure the location of your user homes; I’m also assuming that the user home folders are named after the sAMAccountName of the user. The script will go through each folder it finds in the root of the user home location and take ownership of the files, reset the permissions to the inherited permissions from the root folder and then give the user full access to the folder.

The script is not guaranteed to be perfect for everyone’s environment so I would recommend taking a look and seeing if it fits your needs.

Also, one last thing: although the script is a PowerShell script, you’ll notice that I’m still using the old takeown.exe and icacls.exe utilities. This is simply because they are easy to use, and the built-in PowerShell cmdlets Get-Acl and Set-Acl aren’t as easy to use as these old utilities. There are other third-party modules out there, but the old utilities work and this shouldn’t be something you need to do a lot.
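The procedure described in this section and in “Administration Access” above, written out as an added example. This is not the author’s GitHub script; it follows the same takeown.exe and icacls.exe approach and the same order of operations (ownership first, then the admin entry on the root, then a per-folder reset and re-grant), and it skips folders that no longer match an account rather than guessing. The root path, the CONTOSO domain, the CONTOSO\FileAdmins group and the dry-run switch are assumptions.

```powershell
# Added example, not the author's GitHub script: reset permissions on an existing
# User-Homes tree. Steps, in the order the text describes:
#   1. take ownership of the whole tree so the ACLs can be modified at all,
#   2. grant the file-admin group inheritable Full Control on the root
#      (the "Administration Access" section),
#   3. for each home folder, reset the ACL to what it inherits from the root and
#      grant the matching user Full Control on the folder.
# Assumptions (not from the original): root X:\User-Homes, domain CONTOSO, admin group
# CONTOSO\FileAdmins, folders named after the user's sAMAccountName. Run elevated;
# needs the ActiveDirectory module (RSAT) for the account lookup.
Import-Module ActiveDirectory

$Root       = 'X:\User-Homes'
$Domain     = 'CONTOSO'
$AdminGroup = "$Domain\FileAdmins"
$DryRun     = $true   # set to $false to actually change ownership and ACLs

function Invoke-Acl {
    # Runs one takeown/icacls command, or just prints it in dry-run mode.
    param([string[]]$ArgumentList)
    if ($DryRun) { Write-Host "DRYRUN: $($ArgumentList -join ' ')"; return }
    & $ArgumentList[0] $ArgumentList[1..($ArgumentList.Count - 1)] | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "exit $LASTEXITCODE : $($ArgumentList -join ' ')" }
}

# 1. Ownership to BUILTIN\Administrators (/A), recursively (/R). /D Y answers the
#    "you do not have permission to list this folder, take ownership anyway?" prompt
#    (the letter is locale dependent; Y on an English server).
Invoke-Acl 'takeown.exe', '/F', $Root, '/A', '/R', '/D', 'Y'

# 2. Admin group: Full Control, "this folder, subfolders and files" = (OI)(CI)F.
#    No /T needed: the inheritable entry propagates to the children on its own now
#    that Administrators own them.
Invoke-Acl 'icacls.exe', $Root, '/grant', "${AdminGroup}:(OI)(CI)F"

# 3. Per-user folders.
$report = foreach ($dir in Get-ChildItem -Path $Root -Directory) {
    $sam = $dir.Name
    try {
        Get-ADUser -Identity $sam -ErrorAction Stop | Out-Null
    } catch {
        # Orphaned folder (account deleted or renamed): leave it alone and report it
        # rather than granting a non-existent account or guessing at the right one.
        [pscustomobject]@{ Folder = $dir.FullName; Status = 'orphan - skipped' }
        continue
    }
    # /reset replaces the DACL with the entries inherited from the root (/T recurses,
    # /C carries on past errors); then the user gets Full Control on everything below.
    Invoke-Acl 'icacls.exe', $dir.FullName, '/reset', '/T', '/C'
    Invoke-Acl 'icacls.exe', $dir.FullName, '/grant', "${Domain}\${sam}:(OI)(CI)F"
    [pscustomobject]@{ Folder = $dir.FullName; Status = "reset; granted $Domain\$sam" }
}
$report | Format-Table -AutoSize
```

Run it once with $DryRun left at $true and read the DRYRUN lines and the orphan list before letting it change anything; the orphans are the folders you want to review or archive, not fix. After a real run, spot-check one folder with icacls.exe on its own to confirm it shows only the inherited root entries plus the user’s Full Control.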

I hope this helps and thanks for reading.


If you’d like to contact me, please leave a comment, send me a tweet, or you can join the community on Discord.

-Mike
