What is the best way to prevent a Windows domain user from deleting their home directory sub-directories?
I'm working on a Windows Server 2012 R2 domain controller, with primarily Windows 7 Professional clients.
I have recently set up folder redirection and user profile roaming, such that each domain user has a folder on a network share wherein they store both their user profile and their documents. These user folders have the form,
D:\Users\%USERNAME%
on the file server and, correspondingly,
\\MYSERVER\Users\%USERNAME%
on the domain.
These folders are generated automatically on the user first-time login, and contain all the usual suspects including "Application Data", "My Documents", "Links", "Contacts" and "Profile.V2".
All these subfolders are also generated automatically on the user's first login, as is specified by domain group policy. Specifically, all these subfolders with the exception of "Profile.V2" are the result of folder redirection policies; "Profile.V2" is the result of roaming user profile policies.
To achieve all this I've set NTFS permissions on
D:\Users\%USERNAME%
as is recommended by Microsoft (can't remember where now!) and by countless other derivative blog posts. These permissions are,
Disable Inheritance
Allow - SYSTEM - Full Control - This Folder, Subfolders and Files
Allow - Administrator - Full Control - This Folder, Subfolders and Files
Allow - CREATOR OWNER - Full Control - Subfolders and Files
Allow - MyUserGroup - Special (List Folder / Read Data; Create Folders / Append Data) - This Folder Only
This works well for me, with one problem. Once a user has logged on, and the folder structure generated as specified, the user naturally retains the permission to delete any of these folders as they like. This means that the user could, by accident or otherwise, delete - for example - "Desktop". Not only does this result in a loss of the contents of the "Desktop" folder, but it also breaks folder redirection on the next login.
My question is, what is the best way to prevent a user from deleting these top-level user subfolders ("Desktop", "Contacts", "Profile.V2", and the rest)? I have experimented with alternative permissions on the parent folder, but these inevitably break automatic folder generation on user first-time login. Moreover, I have tried to adjust the permissions on these subfolders programmatically following user first-time login with a script - but I keep missing the mark (modifying ACLs using PowerShell is proving to be something of a headache).
What is the best-practice solution here? Surely I can't be the only one who's run into this issue!
windows-server-2012-r2 ntfs
asked Oct 12 '15 at 16:34
snoopy91
I've dealt with this as well, like most admins. The folders will be generated again at next login. If a user loses their own content and loses their own work how is IS to blame? We can't - and aren't supposed to - climb into our folks' minds. Hopefully you have policy in place that covers all this kind of stuff.
– Tim Brigham
Oct 12 '15 at 16:43
3
Don't redirect the My Documents folder to the same share as the roaming profile. Create separate shares for each of those. How is it that they're seeing and accessing the roaming profile folder directly?
– joeqwerty
Oct 12 '15 at 17:13
@TimBrigham Whilst we can't be to blame for user stupidity, it is part of the job description to anticipate likely avenues of stupidity and put in place preventative measures... Users, by definition, are not IT experts. They can and will make stupid mistakes. We need to make that as difficult for them to accomplish as possible and as easy to recover from as possible.
– Steve365
Oct 12 '15 at 21:48
@Steve365. With all due respect it is not IT's job to prevent user stupidity. Help mitigate common mistakes and provide an avenue of recovery (like file and folder history) - absolutely. We are also responsible for educating the users so that even those with the IQ of a half-grown radish get the message that performing action X is a career-limiting move (in this case deleting the desktop). We cannot fix stupid but, with enough pain and effort, it can be cured, but sadly not prevented.
– Jim B
Oct 13 '15 at 1:41
@JimB I've yet to meet someone who got fired for deleting their desktop folder ;-) Anyway, let's agree to disagree on this one...
– Steve365
Oct 13 '15 at 8:26
3 Answers
Redirect each profile folder to a separate share. So the Desktop folder gets redirected to \\myserver\users\Desktops\%username%.
Technet Article
answered Oct 12 '15 at 17:56
murisonc
What if you remove "Allow - CREATOR OWNER - Full Control - Subfolders and Files"?
I suspect this is a bit redundant these days and maybe the reason they have the rights to do what you say.
Also the others are right, it's better practice to separate them, as you have more flexibility.
answered Oct 12 '15 at 18:04
Nick Eagle
So it turns out there's no easy way to do this.
I took the other posters' advice to separate out the locations of the roaming profile root folder (e.g. for "Profile.V2") and the user home root folder (e.g. for "My Documents" and the rest), and this is working well. I've also hidden these shares from network browsing (by appending "$" to their share names), and somehow this has had the effect of completely preventing the user from accessing their own roaming profile folder (which is very good). I must confess that I find this behaviour perplexing - nonetheless it is very welcome!
I guess I'll just have to live with the fact that if a user deletes their own Desktop folder, then it's their own loss! Luckily I've got frequent backups of all these shares going, so that should go some way to mitigating damage.
answered Oct 13 '15 at 12:15
snoopy91
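The layout the answers converge on (separate roots for roaming profiles and redirected folders, published as hidden `$` shares, with the root permissions listed in the question), as an added PowerShell example that is not part of the original posts. The paths `D:\Profiles` and `D:\Home`, the share names, `MYDOMAIN\MyUserGroup`, the use of `BUILTIN\Administrators` for the question's "Administrator" entry, and the share-level grant are all assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Paths, share names, the domain
# group and the share-level grant are assumptions; adjust before use.

$UserGroup = 'MYDOMAIN\MyUserGroup'      # assumed name of the users' group
$Admins    = 'BUILTIN\Administrators'    # the question lists "Administrator"
$Roots     = [ordered]@{
    'Profiles$' = 'D:\Profiles'          # roaming profiles (Profile.V2)
    'Home$'     = 'D:\Home'              # redirected folders (Desktop, My Documents, ...)
}

function New-RootRule {
    # Builds one Allow ACE; the enum-typed parameters accept the usual string names.
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

function Set-RootAcl {
    # Applies the question's root-folder ACL to $Path, creating the folder if needed.
    param([string]$Path)

    if (-not (Test-Path -Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    $acl = Get-Acl -Path $Path
    # "Disable Inheritance": protect the DACL and keep no inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop existing explicit entries so only the four rules below remain.
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }

    $subtree = 'ContainerInherit, ObjectInherit'
    $rules = @(
        # This folder, subfolders and files
        (New-RootRule -Identity 'NT AUTHORITY\SYSTEM' -Rights FullControl -Inherit $subtree -Propagate None),
        (New-RootRule -Identity $Admins -Rights FullControl -Inherit $subtree -Propagate None),
        # Subfolders and files only: InheritOnly keeps the ACE off the root itself
        (New-RootRule -Identity 'CREATOR OWNER' -Rights FullControl -Inherit $subtree -Propagate InheritOnly),
        # This folder only: List Folder / Read Data + Create Folders / Append Data
        (New-RootRule -Identity $UserGroup -Rights 'ListDirectory, CreateDirectories' -Inherit None -Propagate None)
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

    Set-Acl -Path $Path -AclObject $acl
}

function Publish-HiddenShare {
    # Shares $Path under a name ending in "$" so it is not listed when browsing.
    param([string]$Name, [string]$Path)

    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        # Assumed share-level grant; the NTFS ACL above does the real restriction.
        New-SmbShare -Name $Name -Path $Path `
            -FullAccess 'Authenticated Users' `
            -FolderEnumerationMode AccessBased | Out-Null
    }
}

foreach ($share in $Roots.GetEnumerator()) {
    Set-RootAcl -Path $share.Value
    Publish-HiddenShare -Name $share.Key -Path $share.Value

    # Show the resulting DACL so it can be checked against the list in the question.
    (Get-Acl -Path $share.Value).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
}
```

A trailing `$` only hides a share from browsing; access is still decided by the share and NTFS permissions. The roaming profile path and the folder redirection targets in Group Policy then have to point at the new shares.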