Toll Group Information Technology File & Print Server Setup under Tollgroup

File & Printer Servers Setup under Tollgroup

Active Directory – File & Print Server

Toll Group IT Information Technology

Version: 0.1
Author: Theo Theodorou

Copyright 2009 Toll Holdings Commercial in Confidence

All rights reserved. This document contains confidential and Toll Holdings Ltd – Corporate
commercially sensitive information of Toll Holdings, and except with Level 8
written permission of Toll Holdings, such information shall not be
380 St Kilda Road
published or disclosed to others, or used for any other purpose and
the document shall not be duplicated in whole or in part. Melbourne, VIC 3004
Phone Number: 613 9694 2888

Version [Version] (uncontrolled if printed) Project [Subject] - Page 1 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

DOCUMENT VERSION and ACCEPTANCE

When this template is completed, it then becomes a controlled document. Changes to this document must be
recorded in version control. Recipients should remove superseded versions from circulation. The document is
authorised for release and use only when all appropriate signatures have been obtained.

PREPARED: DATE:___/___/___
(for acceptance)

ACCEPTED: DATE:___/___/___
(for release)

Version Date Author Comments Sections

0.1 Theo Theodorou

Document Location and Filename C:\Users\theoth\Documents\File Print Servers Setup.docx

Distribution Names Title

Version [Version] (uncontrolled if printed) Project [Subject] - Page 2 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

1 ASSUMPTIONS ............................................................................................................................. 4

2 PURPOSE .................................................................................................................................... 4

3 ACTIVE DIRECTORY ..................................................................................................................... 4

3.1 Active Directory Group Naming Convention .................................................................... 4

3.2 Active Directory Groups and Script Locations ................................................................. 4
3.2.1 Active Directory Groups..................................................................................... 4
3.2.2 Script Location .................................................................................................. 5
3.3 Permissions & Drive Mappings on clients........................................................................ 5
3.4 Active Directory Setup of Groups .................................................................................... 6
3.5 Script Format .................................................................................................................. 9
3.6 Server Setup ................................................................................................................. 10
3.6.1 Shares............................................................................................................. 10
3.6.2 Data Folder Structures .................................................................................... 10
3.6.3 User Folder Structures .................................................................................... 17
3.6.4 Active Directory User Account Modifications ................................................... 20

4 APPENDIX.................................................................................................................................. 22

4.1 Local Group Definitions ................................................................................................. 22

4.1.1 Setting of Folder Permissions .......................................................................... 24
4.1.2 Print................................................................................................................. 25
4.1.3 Manage Printers .............................................................................................. 25
4.1.4 Manage Documents ........................................................................................ 26

5 RELATED DOCUMENTATION ........................................................................................................ 27

Version [Version] (uncontrolled if printed) Project [Subject] - Page 3 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

1 Assumptions
 All File and Print servers under AD are running Windows Server 2003 R2 editions or higher.
 All user accounts are in Tollgroup
 Business Units are not granted Admin rights to File Print Servers
 Business Units and people are not granted Full control Permissions anytime

2 Purpose
The purpose of this document is to detail how to setup a Windows File and Print server to the Toll IT Groups
standards. This document is for the Tollgroup.local domain. Once setup, all users across the country will
have the same mapped drives on each site allowing easier maintenance and support. The Business Unit and
Service Desks can allocate users to groups without having to log onto the server.

3 Active Directory

3.1 Active Directory Group Naming Convention

Tollgroup Active Directory (AD) naming conventions for Security Groups being associated with file
and Print servers are as follows:
Servername_Sharename e.g Corfpmelp1_Risk

Under AD, renaming of Security Groups is allowed. If the server is renamed or upgraded, the
Security Groups can be used on the new server and renamed to match the naming convention
Under the Tollgroup domain, if the Security Groups require that you have a mixture of Toll &
Tollgroup users, the security group must be a Domain Local group.
If you only have Tollgroup users, then the Security Group should be a Domain Global group.
Each server must have its own Security group. It can contain other security groups and users.

3.2 Active Directory Groups and Script Locations

3.2.1 Active Directory Groups
Active directory groups are located under the following Organisational Unit:
Tollgroup.local\Groups\BusinessUnit\Users – All User Security groups
Tollgroup.local\Groups\BusinessUnit\Computers – All SCCM Security groups
Tollgroup.local\Groups\BusinessUnit\Distribution – All Email lists

Version [Version] (uncontrolled if printed) Project [Subject] - Page 4 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

3.2.2 Script Location

The scripts are located in the netlogon folder of each Domain Controller.
Each script can only be edited by a Domain Admin

3.3 Permissions & Drive Mappings on clients

An Active Directory group needs to be created to allow the mapping of drives to client workstations.
This group is made up for each File & Print server and is named with the following convention:
Servername_AllUsers e.g. Corfpmelp1_AllUsers
This group should be located under Tollgroup.local\Groups\BusinessUnit\Users in Active Directory.
All Tollgroup users run a logon script called tollit.bat.
This batch file runs and maps local drives based on AD security groups using a kix script,
specifically setup for each File & Print server. Only users logging on under the Tollgroup domain
will automatically have drives mapped to their workstations.
In order for the script to map the drives, they must be part of two Active Directory groups. These
groups are as follows:
 Servername_AllUsers
 Servername_Sharename
Two groups are used in the logon batch file. This speeds up the logon process so it doesn‟t
process all security groups for each user on logon. The script only processes the
ServerName_AllUsers groups. If you are a member of one of these groups, it then processes the
script relevant for the file/print server. If you are not a member of any of the ServerName_AllUsers
groups, the script exits and no client drives are mapped.
If you only require people to have access to the share but do require client drive mappings, then
only put the person in the Servername_Sharename group.

Version [Version] (uncontrolled if printed) Project [Subject] - Page 5 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

3.4 Active Directory Setup of Groups

In Active Directory, we create groups to map client drives. These groups are only used once
throughout Toll.
The group creation process shown below is using TollExpress as an example. Replace TollExpress
with IPEC, Priority etc, when creating groups.
The example below breaks the groups into server locations. This is optional but allows the ability to
give the granular control over who can edit groups in the organisation. The Manager for Toll
Express can manage all groups across Toll for the Business Unit. The Manager can also delegate
control to his underlings to control their server groups if required.

 When naming a group, the following must be adhere to:

 No spaces in the Name (underscores _ are allowed to replace spaces)
 Where possible, use Camel Case, (mixture of Upper & Lower case characters)
 All new words to start with a capital Letter i.e. TEDarwin2K3_Dids_Restricted
 Description must be filled out
 Notes must be filled out

Active Directory Group Creation

Open Active Directory User and

Computer Snap-In.
Select Tollgroup.local
Select Groups
Select TollExpress
Select Users
Select Darwin

Version [Version] (uncontrolled if printed) Project [Subject] - Page 6 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

Right click on the right hand side and

select New, Group

Enter the name of the AD group you

want to create, example shown.
Format should be:
ServerName_ShareName

Description Field
Text: “share on ServerName”
Where the share name is put in front
and the ServerName is the server you
are working on, e.g. Account share on
TEDarvin2K3

Notes field
Fill in the following into the Notes Field
Need to populate this as there is
nothing there.
Owner: {Owner of the BU}
You need to be part of the

Version [Version] (uncontrolled if printed) Project [Subject] - Page 7 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

ServerName_AllUsers group for this to

map.
This maps to Server: {ServerName}
Share: {Name of Share}
Drive Mapping: {Drive Mapping}
Script: {Kix script name of file}

Example script for Toll Express as follows:

 Stuff you need to Change (Blue)
 Template (Bold - Black)

Owner: Bert Petchell

You need to be part of the TEDarwin2k3_AllUsers group for this to map.
This maps to Server: TEDarwin2k3
Share: Accounts
Drive Mapping: L
Script: \kix\Map_TEDarwin2k3.kix

Version [Version] (uncontrolled if printed) Project [Subject] - Page 8 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

3.5 Script Format

The format of the script is as follows:
;====================================================
; Servername - File Server Drive mappings for {Toll Business Unit}
; Created by {Person}
;Date: {xx/xx/xxxx}
;====================================================
; Mappings only apply if user is a member of the {ServerName_AllUsers} group

Dim $Server_Name
$Server_Name = "spdfpregp1" „Put server name in here
If InGroup("spdfpregp1_AllUsers") „ checks to see if in the AllUsers group
USE P: /Del /PERSISTENT „Deletes drive mapping if it exists
USE P: \\$Server_Name\Public „Creates drive mapping
If InGroup("SPDFPREGP1_Admin") „Checks AD group if user is in it
USE R: /Del /PERSISTENT „If in the group, deletes map if it exists
USE R: \\$Server_Name\Admin „If in the group, maps the drive
EndIf
EndIf

Version [Version] (uncontrolled if printed) Project [Subject] - Page 9 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

3.6 Server Setup

 All Permissions are done from the root of the share
 No shares are created other than from the root
 If other shares or permissions are required, move the folder out to the root of the Data folder

3.6.1 Shares
Permissions for shares are set as
follows:
Group: Authenticated Users
Permissions: Full Control

3.6.2 Data Folder Structures

The structure of the folders should be followed as:
o D:\Data
.
Data Folder
This folder is the root for all shares.

All shared folders should be located

under the D:\Data folder

Version [Version] (uncontrolled if printed) Project [Subject] - Page 10 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

Data Folder Setup

Right click on the Data folder
Select Properties
Make sure that Do not share this
folder is selected

Right click on the Data folder

Select Properties
Click Advanced
Untick “Allow inheritable permissions
from the parent to propagate to this
object and all child objects”
Select Copy

Version [Version] (uncontrolled if printed) Project [Subject] - Page 11 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

Select OK

Right click the Data folder

Select Properties
Select the Security Tab

Remove the following groups

 Creator Owner
 Users

Version [Version] (uncontrolled if printed) Project [Subject] - Page 12 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

At this point, you need to enter in the

Active Directory group which the
Administrative personnel are going to
manage the files. These are usually
the BU admin people who need to
manage the server. They DO NOT get
Admin rights to the server. Toll
Express is used here as an example.
Click Add
Add the security group you require,
select OK
Permissions: Modify
Select OK

NB: The security group will be called:

BULocalServerAdmins,
where BU is the Business Unit i.e.
Express, IPEC, etc.
This group give the BU Admins the
right and permissions across any new
folder that are created.

This can only be created by a domain

admin as this group sits under Rights
and Roles. Once created, it can be
added by anyone,
Right click the Data Folder
Select Properties
Click Advanced
Tick “Replace permissions entries on
all child objects with entries shown
here that apply to child object”

Select OK

Select Yes
Select OK

Version [Version] (uncontrolled if printed) Project [Subject] - Page 13 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

Data Folder Shares Setup

Create a folder under the data folder.
Example shown is Accounts

Right click on the Just created Folder

Select Properties
Select the Sharing Tab

Select Share This Folder

Comment (optional): Put one in if you
require it

Version [Version] (uncontrolled if printed) Project [Subject] - Page 14 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

Click Permissions

Remove the group called Everyone

Group: Add “Authenticated Users”
Permissions: Full control
Select OK

Select Caching
Select File or programs from the
share will not be available offline

Version [Version] (uncontrolled if printed) Project [Subject] - Page 15 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

Select the Security Tab

Click Add
Add the security group to the share.
The security group should be:
ServerName_Share
In the example shown, the share is
Accounts. The server name is
TeDarwin2k3, the security group
added is TeDarwin2k3_Accounts
Permissions: Modify

Right click the Folder you have

created
Select Properties
Click Advanced
Note: Inheritance from the D:\Data
folder. The only folder that should not
be inherited is the AD group for each
share.
Select OK

Version [Version] (uncontrolled if printed) Project [Subject] - Page 16 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

3.6.3 User Folder Structures

The structure of the folders should be followed as:
 D:\Users

Users Folder
This folder is the root for all
Home Drives.

Right click the Users

Folder
Select Properties
Select Share This Folder
ShareName: Users$
Comment: Optional if
required

Select Permissions
Group: Authenticated
Users
Permissions: Full Control

Right click on the Users

folder
Select Properties
Click Advanced

Version [Version] (uncontrolled if printed) Project [Subject] - Page 17 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

Untick “Allow inheritable

permissions from the
parent to propagate to this
object and all child objects”
Select Copy
Select OK

Remove all groups except:

Administrators of the
local server and System

Select OK

At this point, if you need

the BU admins guys to
have access to all home
folders, you should also
add the AD group at this
point as well.

Extra Group Permissions:

Modify

Under the Users folder,

create all user home drives
as there username
Right click on the user
home folder, select
Properties

Version [Version] (uncontrolled if printed) Project [Subject] - Page 18 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

Add the user to the folder

Permissions: Modify

Click on the Advanced

Tab
The permissions should be
inherited from the Users
folder, with the user added
to each home folder
individually.

Tick “Allow inheritable

permissions from the
parent to propagate to this
object”

NB: when you add the user

under AD to point to the
home folders, you are
asked if you want to grant
Full Control to the user,
select NO.

Version [Version] (uncontrolled if printed) Project [Subject] - Page 19 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

3.6.4 Active Directory User Account Modifications

Find the user in Active Directory

Open the user account

Select the Profile Tab

Version [Version] (uncontrolled if printed) Project [Subject] - Page 20 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

Select Connect
Select H Drive
To: type in the following
\\ServerName\Users$\%userna
me%
Where ServerName is the name
of the server you are working on.
Enter in the above string, will
resolve the username for you.

Select NO
If you select Yes, this gives Full
Control Permissions to the user.
We don‟t want that because they
can then change the security of
the folder, which would be bad!
Say NO

Select OK

Version [Version] (uncontrolled if printed) Project [Subject] - Page 21 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

4 Appendix

4.1 Local Group Definitions

Listed below are the key groups that affect File and Print servers. These groups are controlled via Group
Policy using Active Directory.

Group Description Default User Rights

Administrators Members of this group have full control of the  Access this computer from the
computer, and they can assign user rights network
and access control permissions to users as  Adjust memory quotas for a
necessary. The Administrator account is a process
default member of this group. When a  Allow logon locally
computer is joined to a domain, the Domain
 Allow logon through Terminal
Admins group is added to this group Services
automatically. Because this group has full
control of the computer, use caution when  Back up files and directories
you add users to it.  Bypass traverse checking
 Change the system time
 Change the time zone
 Create a page file
 Create global objects
 Create symbolic links
 Debug programs
 Force shutdown from a remote
system
 Impersonate a client after
authentication
 Increase scheduling priority
 Load and unload device drivers
 Log on as a batch job
 Manage auditing and security
log
 Modify firmware environment
variables
 Perform volume maintenance
tasks
 Profile single process
 Profile system performance
 Remove computer from docking
station
 Restore files and directories
 Shut down the system

 Take ownership of files or other

objects

Backup Members of this group can back up and  Access this computer from the
Operators restore files on a computer, regardless of network
any permissions that protect those files. This  Allow logon locally

Version [Version] (uncontrolled if printed) Project [Subject] - Page 22 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

is because the right to perform a backup  Back up files and directories

takes precedence over all file permissions.  Bypass traverse checking
Members of this group cannot change
 Log on as a batch job
security settings.
 Restore files and directories
 Shut down the system

Power Users By default, members of this group have no  No Default User rights
more user rights or permissions than a
standard user account. The Power Users
group in previous versions of Windows was
designed to give users specific administrator
rights and permissions to perform common
system tasks. In this version of Windows,
standard user accounts inherently have the
ability to perform most common configuration
tasks, such as changing time zones. For
legacy applications that require the same
Power User rights and permissions that were
present in previous versions of Windows,
administrators can apply a security template
that enables the Power Users group to
assume the same rights and permissions
that were present in previous versions of
Windows.

Remote Members of this group can log on to the  Allow logon through Terminal
Desktop Users computer remotely. Services

Users Members of this group can perform common  Access this computer from the
tasks, such as running applications, using network
local and network printers, and locking the  Allow logon locally
computer. Members of this group cannot  Bypass traverse checking
share directories or create local printers. By
default, the Domain Users, Authenticated  Change the time zone
Users, and Interactive groups are members  Increase a process working set
of this group. Therefore, any user account
 Remove the computer from a
that is created in the domain becomes a docking station
member of this group.
 Shut down the system

Version [Version] (uncontrolled if printed) Project [Subject] - Page 23 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

4.1.1 Setting of Folder Permissions

Permissions Description
Traverse For folders: Traverse Folder allows or denies moving through
Folder/Execute File folders to reach other files or folders, even if the user has no
permissions for the traversed folders. (Applies to folders only.)
Traverse folder takes effect only when the group or user is not
granted the Bypass traverse checking user right in the
Group Policy snap-in. (By default, the Everyone group is
given the Bypass traverse checking user right.)

For files: Execute File allows or denies running program files.

(Applies to files only).

Setting the Traverse Folder permission on a folder does not

automatically set the Execute File permission on all files
within that folder.
List Folder/Read List Folder allows or denies viewing file names and subfolder
Data names within the folder. List Folder only affects the contents
of that folder and does not affect whether the folder you are
setting the permission on will be listed. (Applies to folders
only.)

Read Data allows or denies viewing data in files. (Applies to

files only.)
Read Attributes Allows or denies viewing the attributes of a file or folder, such
as read-only and hidden. Attributes are defined by NTFS.
Read Extended Allows or denies viewing the extended attributes of a file or
Attributes folder. Extended attributes are defined by programs and may
vary by program.
Create Files/Write Create Files allows or denies creating files within the folder.
Data (Applies to folders only).

Write Data allows or denies making changes to the file and

overwriting existing content. (Applies to files only.)
Create Create Folders allows or denies creating folders within the
Folders/Append folder. (Applies to folders only.)
Data
Append Data allows or denies making changes to the end of
the file but not changing, deleting, or overwriting existing data.
(Applies to files only.)
Write Attributes Allows or denies changing the attributes of a file or folder,
such as read-only or hidden. Attributes are defined by NTFS.

The Write Attributes permission does not imply creating or

deleting files or folders, it only includes the permission to
make changes to the attributes of a file or folder. In order to
allow (or deny) create or delete operations, see Create
Files/Write Data, Create Folders/Append Data, Delete

Version [Version] (uncontrolled if printed) Project [Subject] - Page 24 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

Subfolders and Files, and Delete.

Write Extended Allows or denies changing the extended attributes of a file or
Attributes folder. Extended attributes are defined by programs and may
vary by program.

The Write Extended Attributes permission does not imply

creating or deleting files or folders, it only includes the
permission to make changes to the attributes of a file or
folder. In order to allow (or deny) create or delete operations,
see Create Files/Write Data, Create Folders/Append Data,
Delete Subfolders and Files, and Delete.
Delete Subfolders Allows or denies deleting subfolders and files, even if the
and Files Delete permission has not been granted on the subfolder or
file. (Applies to folders.)
Delete Allows or denies deleting the file or folder. If you do not have
Delete permission on a file or folder, you can still delete it if
you have been granted Delete Subfolders and Files on the
parent folder.
Read Permissions llows or denies reading permissions of the file or folder, such
as Full Control, Read, and Write.
Change Allows or denies changing permissions of the file or folder,
Permissions such as Full Control, Read, and Write
Take Ownership Allows or denies taking ownership of the file or folder. The
owner of a file or folder can always change permissions on it,
regardless of any existing permissions that protect the file or
folder.
Synchronize Allows or denies different threads to wait on the handle for the
file or folder and synchronize with another thread that may
signal it. This permission applies only to multithreaded,
multiprocess programs.

4.1.2 Print

The user can connect to a printer and send documents to the printer. By default, the Print permission is assigned to
all members of the Everyone group.

4.1.3 Manage Printers

The user can perform the tasks associated with the Print permission and has complete administrative control of the
printer. The user can pause and restart the printer, change spooler settings, share a printer, adjust printer
permissions, and change printer properties. By default, the Manage Printers permission is assigned to members of
the Administrators and Power Users groups.

By default, members of the Administrators and Power Users groups have full access, which means that the users
are assigned the Print, Manage Documents, and Manage Printers permissions.

Version [Version] (uncontrolled if printed) Project [Subject] - Page 25 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

4.1.4 Manage Documents

The user can pause, resume, restart, cancel, and rearrange the order of documents submitted by all other users.
The user cannot, however, send documents to the printer or control the status of the printer. By default, the
Manage Documents permission is assigned to members of the Creator Owner group.

When a user is assigned the Manage Documents permission, the user cannot access existing documents currently
waiting to print. The permission will only apply to documents sent to the printer after the permission is assigned to
the user.
Deny

All of the preceding permissions are denied for the printer. When access is denied, the user cannot use or manage
the printer or adjust any of the permissions.

Group Print Manage Documents Manage Printers

Administrators X X X
Creator Owner X X
Everyone X
Power Users X X X
1
Print Operators X X X
1
Server Operators X X X

1
Print Operators & Server Operators groups are located only on Domain Controllers

Version [Version] (uncontrolled if printed) Project [Subject] - Page 26 of 27

 Toll Group Information Technology File & Print Server Setup under Tollgroup

5 Related Documentation
The following documentation relates to this <Document Title>. Ensure that any changes are communicated
and updated by the correct means.

Document Name Description/Location/Owner/Version

<e.g. Business Requirements>

Version [Version] (uncontrolled if printed) Project [Subject] - Page 27 of 27