How To Setup Home Directories on a Windows File Server

The concept of home directories is fairly universal across all organizations.  Essentially, it is a networked storage location for users to store their personal files instead of using a directory on a local drive (like the non-redirected "My Documents").  Despite this being a common configuration item, there seems to be little standardization on how to configure a Windows file server to support personal home directories.  Should permissions be set using NTFS or shares?  Should individual shares even be used?  What about the Home Folder Active Directory attribute?

My recommendation is to keep things as simple as possible with a single share and simple permissions only set at the NTFS level.

Setup the Directory Structure

The first step to creating home directories on your file server is to prepare the directory structure where the files will be physically stored on your server.  As with a typical file server, do not store shared directories on your system or boot volumes.
  1. Create an empty directory called Home on your data volume.
  2. On the Home directory, go to the Advanced mode on the Permissions tab.
  3. Clear "Allow inheritable permissions from the parent to propagate to this object..."
  4. Add the local Administrators group and give them Full Control to the Home folder.  You could use Domain Administrators here, but I believe using the local group gives you better flexibility as you may require a non-Domain Admin to manage your file server down the road.
  5. Grant the local Users group Read and Execute permissions on the Home folder, but restrict it to "This folder only." Read and Execute permissions include: Traverse Folder, List Folder, Read Attributes, Read Extended Attributes, and Read Permissions. Setting "This folder only" prevents accidentally granting all users access to a new user's directory.

Next, individual folders for each user need to be created.  I highly recommend naming the folder the same as the users' Pre-Windows 2000 logon name (aka sAMAccountName).  This will simplify your logon scripts later on.
  1. Create the user's directory in the Home directory.
  2. Edit the NTFS permissions for the folder and note that only local Administrators have Full Control at this point.
  3. Add the user to the permissions list and grant them Change access.  We do not grant users Full Control of their own directory as it could allow them to accidentally open up the folder to other people or prevent administrator access.

    Setup the Share

    In this model, we are not sharing individual folders for each user but instead just sharing the Home directory.  The reason for this is: it is easier to browse for a home directory when it is not mapped (i.e. when working on a non-domain member computer), setup of new users is easier without creating a share, and there is no worry of share and NTFS permissions getting out of sync.

    With this in mind, share the home directory as Home and set the share permissions to: local Administrators - Full Control, local Users - Change.

    Configure Access-Based Enumeration

    Access-based enumeration is a new feature that became available with Windows 2003.  This option prevents users from seeing folders they do not have access to.  It does not provide any additional security, but instead makes it easier to manually browse through shares to find data.

    On Windows 2003, you will first have to download and install the software to enable access-based enumeration. (Available on here.)  Once installed, go to the properties of the Home directory and enable the feature from the Access-Based Enumeration tab.

    On Windows 2008, this software is included by default.  To enable access-based enumeration, use the Share and Storage Management tool and select Properties on the Home share.  Click Advanced and then enable the setting.

    Giving Users Access

    First off, Microsoft seemly provides a simple way to map a user's home directory for them by using the Home Folder attribute on the Profile tab in Active Directory.  My recommendation is to NOT use this feature because it has some limitations.

    When the drive is mapped with this feature, it does not create a persistent mapping - this means that laptop users who rely on Offline Files will have a disappearing home directory.  Additionally, this setting changes the USERPROFILE environment variable in Windows which is the default working directory for command prompts and many applications.  This can slow down some applications and can cause problems if a user disconnects from the network.
    Instead, I highly recommend mapping a persistent connection to the home directory via logon scripts.  This can either be done in VBScript or batch/command file.  A basic batch file would look like:
    net use h: /d
    net use h: \\fileserver\home\%username% /persistent:yes

    Interested in doing the same with VBScript? Try the following:
    ' Variable setup
    Dim strFileServer, WshNetwork, strUserName
    strFileServer = "FILESERVER"
    Set WshNetwork = WScript.CreateObject("WScript.Network")
    strUserName = WshNetwork.UserName
    ' Disconnect and reconnect H: to Home Directory
    On Error Resume Next
    WshNetwork.RemoveNetworkDrive "H:", true, true
    WshNetwork.MapNetworkDrive "H:", "\\" & strFileServer  & "\Home\" & strUserName, true

    Wrapping Up

    Home Directories are simple concept, yet the configuration often becomes overly complicated which can result in insecure settings or inaccessible drives.  My suggestion is to keep things simple by creating the fewest number of shares and permission changes as possible.  As always, scripting the home directory creation during the user setup process will further reduce the possibility of errors.

    With that in mind, I would really appreciate some feedback.  How are you configuring home directories for your users?  Are you integrating roaming profiles or redirected folders to your home directories?