
Windows 2003 Server domain setup scenario

  • 29-08-2006 11:20pm
    #1
    Registered Users, Registered Users 2 Posts: 1,165 ✭✭✭


    I'm helping a friend with the following scenario of setting up a Windows domain on Windows 2003 Server. I'm more a Unix/Linux person though so I'm not a huge amount of help.

    Group of students need a 20 Mb quota on their own personal home directory that needs to be stored on the server. They also need read access to a shared directory that gets mounted when they logon.

    Group of Lecturers also need a 20 Mb quota on their home directory that's stored on the server, and they also need write access to the directory that the students have read access to. Again it needs to be mounted automatically when they login. They also need to be able to peruse the home directory of all students, but the students cannot peruse the home directory of the lecturers.

    Group of IT admins, also get 20 Mb quota, but need to be able to view all directories of all users, and write access to all directories.

    So... thinking of setting it up as this.... create 3 groups, one for students, one for lecturers, one for IT admin people. Create the users, and assign them to their respective groups, and create a home directory for them off three directory trees (students, lecturers, it-admin). Also create the shared directory, and give the students read only access, but the lecturers and IT admin people read write access. For the student home directories give all three groups write access, for the lecturers home directories the students get no rights, and both lecturers and IT people get read/write, and for the IT admin home directories only the IT admin people have any rights.

    Questions I have are....

    - Is this method of setup ok?, or are there better...
    - Are there websites that go through scenarios of setting up structures like this?
    - How are quotas implemented?
    - How are folders automatically mounted on login?
    - Is there a fast way for creating lots of user accounts, creating the home directories and giving users their respective rights or is it a painfully slow process like it seems at first.

    I'll probably have a few more when I think about it further....


Comments

  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Set up seems ok.
    There are a few but I can't remember any offhand
    Quotas are implemented on a per user basis AFAIK
    I use scripts to mount them
    Can be painfully slow but can be scripted - I'll post up a script I found for creating users from an Excel spreadsheet later


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Sounds like a sensible set up to me. The only thing to clarify - should lecturers be able to see the students' home directories?

    Quota management is set up on a per-volume and a per-user basis. You can, however, specify the default quota on a volume - you'll need to do this before you set up any users. Basically log onto the server, right-click on the disk where the home directories will be, and click on the Quota tab. It's self-explanatory from there.

    As WizZard says, folders are best mounted (in Windows you may know, they're mapped as a virtual drive) using scripts - Batch files are the easiest, but Windows Scripting with VBScript is more powerful.

    Creating a lot of user accounts can be pretty slow, but you can automate certain parts. You can create a list of users with nothing set up, and add them in bulk to a group (so create all the students, and then add them all at the same time to the students group). For the Home directories, you can script it so that the directories are set up when the person first logs in. This saves you the hassle of having to create a new home directory for every user. I'm not 100% on how rights are inherited in Lunix, but with the right setup, you won't need to configure access rights on every home folder, just on the parent.

    If I get a little time later on, I'll expand on this, and stick up the scripts I use for it.

    If you really want, you can fully automate the setup of users - you feed in a list (CSV, excel sheet, etc) of users and their positions to a script and it creates every account and configures it correctly. If you've only say a hundred users though, by the time you have this script written and debugged, you'd probably have created all of the accounts.


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Some great scripts on this site (and merge in this script for all your needs). Post back here if you need any help modifying them for your own use.

    I'd also be worried about giving teachers/lecturers access to students' "personal" directories (didn't notice this earlier)


  • Registered Users, Registered Users 2 Posts: 1,165 ✭✭✭Stky10


    Cheers for that, I'll pass it on....

    But yeah, about the lecturers being able to have access to the students' accounts, it is an actual requirement for the setup that has been laid down. I don't know if the students get to know about it or not. I presumed it was something to do with checking if they're passing the lab work results etc around to each other and then changing the name at the top.


  • Closed Accounts Posts: 1,587 ✭✭✭hshortt


    *Mental note* Must change more than the name at the top for any lab work :)

    Scenario is fine really, easy to do and establish, easy to manage and maintain. Will this be a new Active Directory Domain? If so then your OUs can take the same structure as your groups for a simple setup. Policies would be worthwhile and delegation of admin duties could be useful, i.e. a subset of admins get to see everything, and 'normal' admins get to see less.

    Scripting the setup of users is great once done right, implementing the login script with drive mappings can be done as part of a Group Policy Object (GPO). Typically you would hide the share of every single home drive by sharing with $ at the end and enabling access only to the owner. To enable access by all the lecturers, it can be easy if you have a root folder called Student-Home-Drives that you can provide the lecturers group access to.

    Lastly, take care with your permissions, and watch out for the inheritable ones!

    cheerio
    Howard


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    hshortt wrote:
    Scripting the setup of users is great once done right, implementing the login script with drive mappings can be done as part of a Group Policy Object (GPO). Typically you would hide the share of every single home drive by sharing with $ at the end and enabling access only to the owner. To enable access by all the lecturers, it can be easy if you have a root folder called Student-Home-Drives that you can provide the lecturers group access to.
    Not too crazy about nested or duplicated shares myself.

    One solution I came up with was to have a share, e.g. "Home". The permissions on this folder give the Domain Admins full access (naturally), CREATOR OWNER full access, and Domain Users get special permissions - just one, "Create Folders/Append Data". This permission is set to only apply on the Home share and to not inherit down.

    This means that when a user logs in, their logon script creates the folder in the Home share, because it has permission to. Since they are now the creator/owner, the inherited permission gives them full access to this new folder.
    If they attempt to access \\server\Home (or any subfolder except their own) they get Access denied.

    The only drawback is that they are free to create their own folders on this share, but I very much doubt that any user would get so bored to try this, even if they did somehow cop it. I would spot an errant folder a mile off anyway :)


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    hshortt wrote:
    Lastly, take care with your permissions, and watch out for the inheritable ones!
    I really hate these, might not be too bad if the root wasn't everyone, full control :rolleyes:

    Anyway Microsoft Access-Based Enumeration is worth looking at too.
    http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en#filelist

    I've used rmtshare and cacls to create usershares and set permissions
    \\server\%username%$

    http://www.jsifaq.com/SF/Tips/Tip.aspx?id=6353
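
The inheritance behaviour discussed in the posts above (seamus's Home share and the "Everyone, full control" root Capt'n Midnight mentions), as an added example that is not from any poster in the thread. It is a simplified Python model of allow-only ACE inheritance, not Windows code; the user names, the right names and the `locked_root`/`open_root` helpers are constructed for illustration.

```python
from dataclasses import dataclass

FULL = frozenset({"read", "write", "create_folder", "delete"})

@dataclass(frozen=True)
class Ace:
    principal: str               # user, group, or "CREATOR OWNER"
    rights: frozenset
    inherit: bool = True         # False models "this folder only"
    inherit_only: bool = False   # True: not effective on the folder carrying it

@dataclass
class Folder:
    owner: str
    acl: list

def create_child(parent, creator):
    """Return a new subfolder holding the ACEs it inherits from parent."""
    acl = []
    for ace in parent.acl:
        if not ace.inherit:
            continue  # "this folder only" ACEs are not passed down
        if ace.principal == "CREATOR OWNER":
            # Creator gets an effective ACE; the generic ACE stays inherit-only.
            acl += [Ace(creator, ace.rights, inherit=False), ace]
        else:
            acl.append(Ace(ace.principal, ace.rights))
    return Folder(creator, acl)

def rights(folder, user, groups=()):
    """Union of the allow ACEs that apply to user here (deny ACEs not modelled)."""
    ids = {user, "Everyone", *groups}
    return {r for a in folder.acl
            if not a.inherit_only and a.principal in ids for r in a.rights}

def locked_root(lecturers_read=False):
    """The Home root from seamus's post; optionally the lecturers' read requirement."""
    acl = [Ace("Domain Admins", FULL),
           Ace("CREATOR OWNER", FULL, inherit_only=True),
           Ace("Domain Users", frozenset({"create_folder"}), inherit=False)]
    if lecturers_read:  # would go on the students' root only
        acl.append(Ace("Lecturers", frozenset({"read"})))
    return Folder("Administrator", acl)

def open_root():
    """The root Capt'n Midnight complains about: Everyone, full control."""
    return Folder("Administrator", [Ace("Everyone", FULL)])

if __name__ == "__main__":
    for name, root in (("locked", locked_root()), ("open", open_root())):
        home = create_child(root, "alice")  # constructed user names
        print(name, "bob on alice's home:", sorted(rights(home, "bob", ["Domain Users"])))
```

An inheritable read ACE for the lecturers group on the students' root reaches every student folder created afterwards, which is why the same ACE must not sit on a root shared with lecturer or IT admin homes.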

