Minimum permissions needed to create a user Home Folder in Windows Active Directory

Posted by Jim on Server Fault
Published on 2010-04-28T13:10:37Z Indexed on 2010/04/28 13:13 UTC

We would like the Help Desk to have the responsibility of creating User Home folders instead of our 2nd level support. The help desk global group is already an Account Operator, so in Active Directory they are able to edit all User Attributes just fine.

The problem is figuring out the minimum level of permissions needed on the File Server to create the home share, without giving them access to everyone's home share.

So if they open AD Users and Computers, open the properties for a user, and enter \home\users\%username% in the profile tab and then click OK, they get the following error:

The \home\users\username home folder was not created because you do not have create access on the server. The user account has been updated with the new home folder value but you must create the directory manually after obtaining the required access right.

Right now I have given the Helpdesk group Full Control on the root folder only (no files or subdirectories).

The directory is actually created, but the permissions on the newly created folder only show administrators full control, and no permissions for the configured user account.

It sure sounds like I'd have to make the helpdesk local admins on the file servers, which is what I'd like to avoid, especially since the file servers are a large cluster hosting much, much more than the entire org's home share structure.
