About home directories for different Windows clients


Each Windows version has its own best way to map home directories on a server.

The four methods compared below (each has its own Example page):
  A. Logon script with "subst" to a directory below a share - only one share needed
  B. Logon script with "net use" to a hidden share - one share for each user account
  C. Logon script with "net use" to a directory below a share - only one share needed
  D. Redirect "My Documents" through policy to a directory below a share - only one share needed

Client version     | A (subst)          | B (net use, hidden share) | C (net use, directory) | D (policy redirect)
Windows 9x, ME     | Doesn't work (*1)  | Works - only way          | Doesn't work           | Doesn't work
NT 3.5x, NT        | Preferred          | Works                     | Doesn't work           | Doesn't work
Windows 2000, XP   | Doesn't work (*2)  | Works                     | Preferred              | Preferred


*1) The subst command does not work well in Windows 9x. If you try to use it in the same way as for Windows NT you will find that users can move up to the root of the share and view all other users' home directories. They cannot read the contents of the other users' directories, since they have no access rights to them, but seeing them can be confusing or tempting.

*2) There is a bug in Windows 2000 that makes it impossible to use subst the same way as on NT4.

Conclusion

·The only method that supports all Windows client platforms is to create a separate hidden share for each user.
·If there are only NT-type clients (NT, 2000, XP), the best method is "one single share for all".

When creating shares

·Remember that a user must have both directory access and share access in order to reach a directory through a share. Most SetupBatcher user / group examples use cacls.exe and set directory permissions only. To set share permissions you must also use rmtshare.exe, see the example "set share permissions".
·How to check directory access permissions: start Windows Explorer, right-click on a directory, select "Properties", click the "Security" tab and then "Permissions".
·How to check share access permissions: start Windows Explorer, right-click on a directory, select "Properties", click the "Sharing" tab and then "Permissions".
·Always save the script file after creating multiple network shares. The old script (with its list of created shares) will be very useful if you ever want to remove or modify the shares.
·For old clients like Windows 3.11 and 95, the maximum length of a share name is eight characters. If you create shares of the form "accountname"+$ that are supposed to work with these clients, remember not to use account names longer than seven characters, for a total of eight characters. Tip: use the account name generator to create short account names.

How to create hidden shares

SET AccountName=%col2%
SET HomeRoot=e:\users
SET HomePermissions=%AccountName%:F administrators:F System:F

Data.Loop
 AD.Account.Create %ADOUPath%,%AccountName%,%AccountName%,%Password%
 DOS md %HomeRoot%\%AccountName%
 DOS echo y| cacls %HomeRoot%\%AccountName% /G %HomePermissions%
 DOS net share %AccountName%$=%HomeRoot%\%AccountName%
Data.Endloop

The lines above are not a working script; they only contain the rows needed to explain what happens.

·A directory for the user is created when md is executed.
·The cacls command sets the directory access permissions to full control for administrators, the system and the account currently being created. Because /G is used without /E, the existing ACL is replaced, so no other entries remain on the directory.
·Net share creates the hidden share for the user - a dollar character ("$") at the end of a share name hides it from browse lists. Share permissions will be everyone / full control, but that does not matter since "everyone" does not have directory access permissions. Net share and cacls must be executed on the server where the directories are to be created. If you run SetupBatcher on another machine, replace DOS with DOSR or use rmtshare, see "create home directories etc. on a remote machine without DOSR".
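The same md / cacls / net share sequence as a plain Windows batch file, added here as an illustration and not SetupBatcher's own code. It assumes it is run as an administrator on the file server itself, that E:\Users already exists, and that accounts.txt (constructed for this example) holds one account name per line; it also warns when a share name would exceed the eight-character limit mentioned above and logs every share it creates.

```batch
@echo off
rem Added example (not SetupBatcher code): one home directory plus one hidden
rem share per account, following the md / cacls / net share steps on this page.
rem Assumptions: run locally on the file server as an administrator; E:\Users
rem exists; accounts.txt (constructed) holds one account name per line.
setlocal
set "HomeRoot=E:\Users"
set "ShareLog=created_shares.txt"

for /f "usebackq eol=# tokens=1" %%A in ("accounts.txt") do call :CreateHome "%%A"
endlocal
goto :EOF

:CreateHome
set "Acct=%~1"
set "Dir=%HomeRoot%\%Acct%"
rem Share name is the account name plus "$". Windows 3.11/95 clients need it
rem within 8 characters, so warn if the account name has an eighth character.
set "Extra=%Acct:~7%"
if not "%Extra%"=="" echo WARNING: share %Acct%$ is longer than 8 characters
if not exist "%Dir%" md "%Dir%"
rem /G without /E replaces the whole ACL, so only these three entries remain;
rem "echo y|" answers the "Are you sure" prompt that cacls shows.
echo y| cacls "%Dir%" /G "%Acct%:F" "Administrators:F" "SYSTEM:F"
rem Trailing "$" hides the share from browse lists. Share permissions stay at
rem net share's default; the directory ACL set above is what limits access.
net share "%Acct%$=%Dir%"
rem Keep a list of created shares; "net share %Acct%$ /delete" removes one later.
>>"%ShareLog%" echo %Acct%$
goto :EOF
```

On current Windows versions cacls is deprecated in favour of icacls, but the directory-versus-share permission split shown here is the same.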