I would make these suggestions accordingly,
Mapping all the users to the \\servername\sharename and then using NTFS permissions to filter who can see what and when isn't a bad way of doing things. Actually, I have been doing this with ABE for a while, and what people don't have access to they don't see, so nobody is any the wiser. The permissions are not hard to maintain if you understand NTFS permissions schemes, and auditing it is actually cleaner, along with recovery, because you only need to export a minimal number of shares and then do a system restore; the permissions are there, and import the share registry key and you are stylin'.

I am not sure if you have an additional server(s) for a DFS replication scheme for availability of this data, or a script that will execute a secure copy to another server(s), but this is a good way to provide redundancy to the equation without a lot of pain.

I agree that user data should be separate from departmental data, which should be separate from application data. I don't even think about storing application data on the same server(s) as user and departmental data, because of data classification and availability concerns. Also, use of quotas and auditing is strongly suggested when dealing with any type of data of high importance, to make sure you know who did what and when, and there is an audit trail for it that can be harvested and stored and reviewed offline for forensics, or just general house-keeping purposes.

What does concern me in your comments is SQL data on the same directories as user and departmental shares, etc. What do you mean? SQL backups? The actual .MDF, .LDF, .NDF files themselves? (Using the file server as a SQL server is a no-no unless you are using SBS, or a very small shop.)
Classification of SQL data should be different and probably more important than user and departmental data, and on par with application data. Separation is key; most things SQL need to stay within the tightly controlled SQL environment, and only the DBA and the sysadmin usually need access to that, and sometimes not even the sysadmin.

You can do the U:\ drive with a startup script. You can lock down the workstations with a GPO and the proper file permissions, albeit there are some places the user is going to need write privileges just to make applications work, but overall their permissions should only be that of a general user, not administrator. You can use various tools to script in the home directory and drive letter for users; I used cusrmgr.exe from the Windows 2000 Resource Kit to do this before, and I am sure there are other Resource Kit tools to assist in this matter. I agree My Documents should be redirected to the user home folder accordingly, which can be done via GPO again.

If you want to pick my brain more offline, I would be happy to be your sounding board...

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, ME, CCA, Security+, Network+
[email protected]
Phone: 401-639-3505

________________________________
From: Jonathan Link [mailto:[email protected]]
Sent: Wednesday, June 17, 2009 8:08 PM
To: NT System Admin Issues
Subject: Re: User Folders - Server 2008 best practices

Don't mean to sound flippant, but if you're brought in to clean up, then clean up. Maximize availability of services, explain and plan downtime to minimize impact on the business, but ultimately, you're brought in to clean up. If you don't have enough flexibility to clean up a mess, then you need to consider walking away.

On Wed, Jun 17, 2009 at 3:13 PM, aci <[email protected]> wrote:

TIA for any and all replies to this inquiry... I am coming in to clean up the previous tech's migration/setup of a 2003 to 2008 Windows domain.
The existing network shares and user folders are a complete mess, whereby everything is currently in one directory, \\servername\netshare\*.*, which is of course mapped at the root as a network drive accessible to all users on the domain. This includes a dozen security groups, SQL data, application directories and shared user folders. Typically when I am setting things up from scratch I put user data, database data and shared folders in completely different directories secured with share and NTFS permissions, mapping drives only to specific folders based upon "need to access" policies. In this case, with everything already set up, and several things difficult (not impossible) to move, I would like recommendations on best practices that I could apply to this situation:

1. User's files (not to be saved to local workstation)
   a. manually map persistent U:\ drive to manually created & shared users directory (70 users)
   b. designated home directories in account properties\profile tab and add to logon script
   c. My Docs redirection to server \\servername\department\username (folder not shared)
   d. combination of some of the above

2. I know this is classic reverse Darwinism, but my advisers see nothing wrong with mapping to the root of the netshare directory as long as permissions are set to deny/grant access as needed to folders and files. Of course, administering this is a permissions auditor's nightmare, and I would rather do this on a mapped drive via group membership GPOs... Thoughts on the best way for me to make the recommendation [that it is always better to go with what your IT group advises, given that is what you are paying them to do...]? I mean that it is worth the effort to consolidate folders, create, test and assign GPO-based mappings?

All recommendations are highly appreciated. Thanks!

Aci

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
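As an added example (not posted by anyone in this thread, and not how Edward or aci actually did it), the following PowerShell script implements the layout the replies converge on: one hidden users share with Access-Based Enumeration on, one folder per user with Modify rights for that user only, no inherited rights from the root, the AD home-directory attribute set so the U: drive follows the account, and a SACL on the root so there is an audit trail. Everything in it is an assumption for illustration: the placeholder names ($Domain, $ShareRoot, $ShareName, $UserList, the share name Users$, the user names and the server name), and the requirement that the file server runs a Windows version with the SmbShare and ActiveDirectory PowerShell modules (Server 2012 or later; on the 2008 box in the thread, ABE and the share would be set up through the Share and Storage Management console instead, and only the ACL and Set-ADUser parts apply as written).

```powershell
# Added example, not from the thread. Placeholders below are assumptions.
Import-Module ActiveDirectory
Import-Module SmbShare

$Domain    = 'CONTOSO'            # placeholder NetBIOS domain name
$ShareRoot = 'D:\Users'           # local path that backs \\servername\Users$
$ShareName = 'Users$'             # hidden share; users only ever see their own folder
$UserList  = @('jdoe', 'asmith')  # constructed sample; in practice feed this from Get-ADUser

# 1. Root folder: only Administrators and SYSTEM get Full Control, and inheritance
#    from D:\ is cut, so membership in a departmental group never leaks into
#    someone else's home directory.
New-Item -Path $ShareRoot -ItemType Directory -Force | Out-Null
$rootAcl = Get-Acl -Path $ShareRoot
$rootAcl.SetAccessRuleProtection($true, $false)   # protect DACL, discard inherited ACEs
foreach ($principal in @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $rootAcl.AddAccessRule($rule)
}
Set-Acl -Path $ShareRoot -AclObject $rootAcl

# 2. The share itself, with ABE enabled. Share permission is deliberately broad
#    (Authenticated Users: Change); the real filtering is NTFS, which is what ABE
#    consults when deciding which folders to hide from a given user.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $ShareRoot `
        -ChangeAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased | Out-Null
} else {
    Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
}

# 3. One folder per user. The user gets Modify, not Full Control, so they cannot
#    re-grant their folder to other people or strip the audit entries. Admins and
#    SYSTEM arrive by inheritance from the root. The home-directory attribute on
#    the account makes the U: drive appear at logon without a per-machine mapping.
foreach ($user in $UserList) {
    $userHome = Join-Path $ShareRoot $user
    New-Item -Path $userHome -ItemType Directory -Force | Out-Null

    $acl  = Get-Acl -Path $userHome
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$user", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $userHome -AclObject $acl

    Set-ADUser -Identity $user -HomeDrive 'U:' `
        -HomeDirectory "\\servername\$ShareName\$user"
}

# 4. Audit trail: log successful and failed writes, deletes and permission changes
#    by anyone, inherited down to every user folder. Events only appear once the
#    "Audit File System" (object access) policy is enabled via GPO on the server.
$auditAcl  = Get-Acl -Path $ShareRoot -Audit
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Write,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership',
    'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$auditAcl.AddAuditRule($auditRule)
Set-Acl -Path $ShareRoot -AclObject $auditAcl
```

Two design points worth noting. Giving the user Modify rather than Full Control on their own folder is what keeps the "auditor's nightmare" from reappearing: nobody but Administrators can add ACEs, so the only way another account reaches a home folder is through an explicit admin action that shows up in the audit log. And because the root DACL is protected, the ABE view a user gets is exactly their own folder, which is the behaviour Edward describes ("what people don't have access to they don't see"); quotas, which he also recommends, would be layered on top with File Server Resource Manager rather than in this script.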
