Infotech
Guest
Posted: Fri Feb 11, 2005 5:29 am
Post subject: User Folders created by the system

I have local users' Home Folder (in User properties) set to connect to a
share on our file server. Microsoft recommends using
\\fileserver\users\userfolder. I decided to do that for all our users. The
security problem arises when the system creates the folder: it inherits file
permissions from the parent folder, adding the "Authenticated Users" group with
Read permission on every user folder it creates inside "Users". When that
happens I have to manually remove the group and, being human, I forget
sometimes. Is there a way to change this behavior? If I remove the
"Authenticated Users" group from the parent directory "Users", no one will be
able to access their folders.
Thanks for your help
--
Infotech

Stuart Mackie [MCSE MCSA]
Guest
Posted: Fri Feb 11, 2005 6:30 am
Post subject: Re: User Folders created by the system

Hi. When using the AD Users and Computers console, the default behaviour in
Win2k3 is to inherit parent permissions. To make sure future users have the
correct permissions without having to manually adjust them, you will need to
alter your parent folder permissions. An example of permissions you could
use would be:

'Parent Folder' NTFS Permissions
  System - Full Control
  Domain Users - Read & Execute (see below before applying)
                 List Folder Contents
                 Read
  Domain Admins - Full Control (this depends on company policy)

Before accepting/applying the above changes, click Advanced, select the
Domain Users entry, click Edit and set 'Apply onto' to 'This Folder and Files'
(i.e. NOT 'This Folder, Subfolder and Files').
Adjust the above permissions to accommodate your company policy, i.e. Admin
permissions on user home folders etc.

Share Permissions
  Domain Users - Full Control
  Domain Admins - Full Control

When you now create a new user, for the home folder section use
\\fileserver\users\%username%. The AD console will create the %username%
folder, which will inherit the parent permissions. Since the Domain Users
permission applies to the parent folder only, this permission will not
be inherited and the AD console will add the Full Control permission for the
user.
--
Hth,
Stuart Mackie
www.stu.uk.com
MCSA: & MCSE: Security

Steven L Umbach
Guest
Posted: Fri Feb 11, 2005 6:48 am
Post subject: Re: User Folders created by the system

I understand the behavior is different between Windows 2000 and Windows
2003. The link below may help. If using Windows 2003, it suggests disabling
forcing inheritance to the child folders in the advanced page of security
settings. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;817009

You can also turn off the ability for the parent folder to propagate its
permissions to child folders (turning off inheritance). To do this, follow
these steps:
1. In the Windows Server 2003 Active Directory Users and Computers utility,
double-click the parent folder.
2. On the Security tab, click Advanced.
3. Click to clear the Allow inheritable permissions from the parent to
propagate to this object and all child objects check box.
4. Click OK.
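
An added example (not code from the thread or from Microsoft): the parent-folder ACL and the inheritance block from the two replies above, expressed in PowerShell, plus an audit that lists home folders still carrying a broad-group entry, which is the case the original poster cleans up by hand. The path is the one used in the thread; `$Domain` and the function names are assumptions.

```powershell
# Added example, not code from the thread. $Domain is a placeholder value.
$Root     = '\\fileserver\users'
$Domain   = 'EXAMPLE'
$RuleType = 'System.Security.AccessControl.FileSystemAccessRule'

function New-Rule($Who, $Rights, $Inherit, $Propagate) {
    New-Object $RuleType -ArgumentList $Who, $Rights, $Inherit, $Propagate, 'Allow'
}

# Build (but do not apply) the parent-folder ACL described in the replies.
function New-HomeRootAcl([string]$Path, [string]$Domain) {
    $acl = Get-Acl -Path $Path
    # Stop the root inheriting from its own parent; inherited ACEs are dropped.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove the explicit ACEs so only the three rules below remain.
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $all = 'ContainerInherit,ObjectInherit'   # this folder, subfolders and files
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl' $all 'None'))
    $acl.AddAccessRule((New-Rule "$Domain\Domain Admins" 'FullControl' $all 'None'))
    # ObjectInherit = "This folder and files". NoPropagateInherit keeps subfolders
    # from receiving an inherit-only copy that would apply to the files in them.
    $acl.AddAccessRule((New-Rule "$Domain\Domain Users" 'ReadAndExecute' 'ObjectInherit' 'NoPropagateInherit'))
    $acl
}

# List home folders that still grant access to a broad group.
function Find-BroadHomeFolderAce([string]$Root) {
    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
    $wellKnown = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($dir in Get-ChildItem -Path $Root -Directory) {
        foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
            $sid = $ace.IdentityReference.Translate($sidType).Value
            # RID 513 is the domain's Domain Users group
            if ($ace.AccessControlType -eq 'Allow' -and
                ($wellKnown -contains $sid -or $sid -match '^S-1-5-21-.+-513$')) {
                [pscustomobject]@{
                    Folder    = $dir.FullName
                    Identity  = $ace.IdentityReference
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
                }
            }
        }
    }
}

Find-BroadHomeFolderAce -Root $Root | Format-Table -AutoSize
# After reviewing the ACL object returned by New-HomeRootAcl, apply it with:
# Set-Acl -Path $Root -AclObject (New-HomeRootAcl -Path $Root -Domain $Domain)
```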

Infotech
Guest
Posted: Fri Feb 11, 2005 8:26 pm
Post subject: Re: User Folders created by the system

Thanks! I was afraid I would have to change them on the parent folder then
go and reset all the other permissions. Thankfully that's not the case.
Thanks.
--
Infotech