Incorrect Home Drive Mappings

[mattcdse]

Hi all,

I have a very odd problem. I work at a university in england and therefore we have several thousand users logging onto a Microsoft Network using Active Directory. Our student have their home directories mapped to various servers around campus by altering their profile settings in the AD on the user accounts. The paths are of the form \\server\folder\.....\folder\username. The share gives full control to everyone, but the locks down via NTFS permissions so that users can only access their own folder.

The odd thing that occasionally happens is that the home drive will map to somewhere random in the path and not to the users folder. As the user does not have rights to do anything in that folder, they cannot browse out of it, read or write to it or anything at all. Therefore they cannot store files in their My Documents and any application that writes files to My Documents at startup fails to run. The later problem is the more serious as it acually effects the services we can provide, where as storage can be workedaround using removable media.

Any ideas??

Cheers,

Matt

[jeff.sadowski]

What maps the home directories?

At my work I have startup scripts in group policy take care of mapping home directories with variables such as %user%

open a cmd prompt as some test user accounts and make sure your startup script variables you use are pointing to the right location

I use a script that does the following

net use v: /delete > NUL:

net use W: /delete > NUL:

net use X: /delete > NUL:

net use Y: /delete > NUL:

net use Z: /delete > NUL:

net use V: \\<server1>\<directory1>\<folderpath>\%username% /persistent:yes > NUL:

net use W: \\<server1>\<directory2> /persistent:yes > NUL:

net use X: \\<server2>\<directory3> /persistent:yes > NUL:

net use Y: \\<server3>\<directory4> /persistent:yes > NUL:

net use Z: \\<sambaserver>\%username% /persistent:yes > NUL:

script c:\windows\system32\prnmngr.vbs -d -p \\<printserver>\<printer>

script c:\windows\system32\prnmngr.vbs -ac -p \\<printserver>\<printer>

notice with a linux samba server you can have a share as a user and only that user can see it.

samba is a pain to setup properly though if anyone needs help with samba I'd recommend http://fedoraforum.org

I gave you printer removal and creation as well to guaranty that they have the latest drivers for some of this you might want to create

if statments around and check a file created by the script that can be date changed so that the script doesn't have to run it all each time.

only if you change the datechanged file

[annakin108]

My first question is why is the path so deep? "\\servername\share\...\share\username" Is it possible to shorten that? Also, assuming you are using 2003 there is an install called Access based enumaration. It will hide all of the folders that the use doesn't have access to. This can be found on MS's website. Usualy when the drive mapping doesn't map all the way there is a security issue... "NTFS" Also, you will have to become very familiar with NTFS it will pay off in the long run. As a side note I do agree on mapping the home directories within the profile. I like to keep the GPO's at a minimum. Hope this helps..

[mattcdse]

Thanks Jeff and annakin108,

Jeff - We have considered the scripting option, but because our file servers are spilt up into various schools and the departments within the schools and the various courses and the year of the student, the path gets very long and doesn't follow a set pattern. We're also talking about 10000+ users. Therefore we can't create a universal script to creta the mapping. This is a shame because it would be a quick easy fix.

annakin108 - The above should explain why our paths can be quite long. The NTFS rights are fine as the user is only given access to their specific folder and their username isn't mentioned anywhere else.

I have been given one thing to test and that is to enable "Computer Configuration >> Administrative Templates >> System >> Logon >> Always wait for network at computer startup and logon" in Group Policy. The MS blurb about this setting is extremely contradictory, but does seem to suggest that it might help. We have a staff member who we're using as a guinea pig so watch this space I guess.

Cheers,

Matt

[cluberti]

I was actually about to suggest that one to you yesterday, but got distracted elsewhere. It actually does generally help when things like this happen, as it can alleviate race conditions where logon scripts or startup scripts are running while networking is also coming up.