When I create a user inside an OU, it is automatically assigned various groups. One of them is the "Domain Users" group. What happens is that the users have no access to any folders, not even the home folder.
If I then add the group "users" from the built-in groups, all users have access to everyone's folders and files.
My objective is to give all access to the user's home folder only, and not let him have access to any other folders (not ever see them).
Windows is too complicated. I am used to NetWare and some Linux.
Basic approach is:
1) Set up your folder structure
2) Create suitable group for the purpose
3) Give the group the required permissions in the folder(s)
4) Add users into the group
For your scenario you could give Domain Users the rights to access folders everybody needs to use but explicitly deny that group access to the home directory folder tree. Then you can grant access in that tree for each individual user or by other groups for department perhaps.
Would it be correct or wise to delete some of the groups automatically assigned to the users (if you can, because if there are inheritances, Windows will not let you delete), and then create a customized group?
After studying many books, I still don't know what is the best method to deny access to users other than the one(s) you want to.
Another rule of thumb is to only give users what they need - allowing access to other drives and folders will only encourage them to see what's there and perhaps use them as another filestore which then might not get backed up etc. If your needs are best served by your custom groups then use those in preference to the supplied ones. I wouldn't delete the supplied ones though; just remove the user(s) from membership and the group won't apply to them. I also would advise against customising the supplied groups, tempting as it may be. Sometimes it can save your bacon by having the defaults to go back to!
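
One way to get the result asked for in this thread (each user reaches only their own home folder), as an added example that is not from any of the posters: it turns off inheritance on each home folder and grants rights only to the owner, Administrators and SYSTEM, rather than relying on a deny entry for Domain Users. The `D:\Home` path, the `CONTOSO` domain and the account names are placeholders.

```powershell
# Added example. $HomeRoot, $Domain and $Users are placeholders, not values from the thread.
$HomeRoot = 'D:\Home'
$Domain   = 'CONTOSO'
$Users    = 'alice', 'bob'   # constructed sample accounts; they must already exist in the domain

# Entries apply to the folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($user in $Users) {
    $path = Join-Path $HomeRoot $user
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    $acl = Get-Acl -Path $path
    # Stop inheriting from the parent folder and discard the inherited entries,
    # so nothing granted higher up (Users, Domain Users) reaches this folder.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop explicit entries already on the folder so the result is exactly the list below.
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }

    $grants = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }   # services, backup agents
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' }   # keeps admin recovery possible
        @{ Id = "$Domain\$user";          Rights = 'Modify' }        # the owner: no permission changes
    )
    foreach ($g in $grants) {
        $rights = [System.Security.AccessControl.FileSystemRights]$g.Rights
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g.Id, $rights, $inherit, $noProp, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl

    # Verify: three entries, none inherited, no Users or Domain Users.
    (Get-Acl -Path $path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
```

Run it from an elevated session on the file server. Whether users can see folders they cannot open is decided on the share (access-based enumeration), not by these NTFS entries.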