Modify rights don't give them the ability to delete files/folders. You have to go to the Advanced tab on permissions and edit their rights and check the box to enable them to delete their own home drive files/folders.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Tuesday, May 31, 2005 5:10 AM
To: [email protected]
Subject: RE: [ActiveDir] Home Directories

The trouble is that Microsoft's idea of "locked down" and my idea of "locked down" don't match...

I work in a college (and I think Debbie works in a similar environment) and there's no way I'd give users full control over even their own folders - the most they get is "modify" on everything in their user area. (Giving full allows them to change permissions - most will do this accidentally and manage to remove themselves from the list or they will give access to other users. In a work environment this may be a good thing - it allows users to share work on an ad-hoc basis. For students, it's typically a way to move "pirate" material around...)

There's also a problem in that if users can create folders in the root share then they will - again, some will do this accidentally and lose work in that way; others will do it maliciously. Whichever, when you have 14,000 folders to worry about you don't want odd ones sneaking in :-)

The downside of this is that you can't then have the folder created by the redirection process as the user logs on; no big deal - we script the user creation so we also create the home folder with the permissions we want (admins, system - full; user - modify)

On a regular basis we also force the permissions and ownership back to what they should be - I've found setacl (http://setacl.sourceforge.net) to be easier to use for this than subinacl.

Steve

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
> Sent: 27 May 2005 16:14
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>
> The best practice permissions for the ROOT SHARE (for home
> directories, roaming profiles & folder redirection) are
> listed below.
> There is a lot of confusion about these perms,
> b/c there are inconsistencies in MS doc.
> I've tested these to make sure they work and (as you'll see)
> they're pretty well locked down.
>
> The root share
> ==============
> ACL
> Users*:Allow:List Folder & Create Folders
>
> Inheritance: This folder only (**** THIS IS TRICKY AND
> IS NOT THE DEFAULT **** Set "Apply onto" to "THIS FOLDER ONLY")
>
> *Or another group that includes users who will have
> folders under this root
>
> Creator Owner:Allow:Full
> Inheritance: Subfolders & files only
>
> System:Allow:Full
> Inheritance: This folder, subfolders & files
>
> Administrators: <depends>
> Set based on Enterprise information security policy
>
> Share
> Hidden share name (sharename$)
> Share permissions: Everyone:Allow:Full
>
> ** Do not create individual user folders **
>
> How folders are created
> =======================
> Home folders: created & perm'd automatically
>
> Redirected folders: created, perm'd, user owner
>
> SUBINACL on Res Kit to change ownership if you must
> create folder in advance. (Be sure to download newest patched
> version of SubInACL from MS web site)
>
> Profiles: created & perm'd automatically
>
>
> Hope this helps
>
> Dan
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, May 27, 2005 8:00 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>
> Yes, make sure that the top level home folder that your share
> is pointing to does not have rights for those users to make
> changes. They should only have rights at their individual folder.
>
> For instance:
>
> Share Level Perms
> \\server\home1 is your home folder share which has the
> following perms:
> Administrators - FC
> Domain Users - C
>
> NTFS Perms
> That folder maps to h:\home1 on your server.
> Home1 should have the
> following:
> Administrators - FC
>
> There's a user folder under home1 that exists under home1
> that maps to JohnDoe such as h:\home1\johndoe.
>
> At the johndoe folder, you want to make sure the following
> permissions are set:
> Administrators - FC
> JohnDoe - Modify
>
>
> So now you can map the user's H: drive or whatever to
> \\server\home1\johndoe.
>
> Hope that helps...
>
> :m:dsm:cci:mvp
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
> Sent: Friday, May 27, 2005 10:50 AM
> To: '[email protected]'
> Subject: RE: [ActiveDir] Home Directories
>
> But it also allows them to create new folders under the top
> level Home share. Is there a way around that?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, May 27, 2005 10:40 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>
> Now that your share-level permissions are correct, you need
> to add the individual user to their respective home folder
> and grant modify permissions (ntfs). That should give them
> change access to their files.
>
> :m:dsm:cci:mvp
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
> Sent: Friday, May 27, 2005 9:04 AM
> To: '[email protected]'
> Subject: RE: [ActiveDir] Home Directories
>
>
> I appreciate all the feedback. I had to end up giving domain
> users change access on the top level Home share folder. (On
> both file and share) I removed domain users from the
> individual home directory/folders. The problem I have with
> the solution is that won't users be able to create folders in
> the Home Folder? Is there a solution to this?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, May 27, 2005 8:30 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>
> Sorry. Please don't perceive my earlier post as
> disrespecting your opinion. Simply typing in brevity. :)
>
> At any rate, I read it as a user end permission error, not as
> a copy process failure.
>
> :m:dsm:cci:mvp
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Medeiros, Jose
> Sent: Thursday, May 26, 2005 6:34 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>
> No problem in disagreeing, as long as we can respect each
> other's opinions.
>
> Granted Debbie did not give us a lot of details, but based
> on what Debbie wrote, it sounds like she is having trouble
> copying the files from the server, and if her users had full
> control enabled on the original NT 4 home directory, then in
> the middle of the move process she would probably have an
> access denied even though she is the admin.
>
> By taking ownership of the files prior to her move this issue
> would be resolved. She also stated that the permissions are
> change (Change for end users is better than Full control in
> my opinion) and Debbie stated that she has moved some of the
> files and that leads me to believe that the permissions on
> the target server have at least write access at the Share and
> NTFS permission level.
>
> I am also sure that Debbie was at least smart enough to
> verify the share level and file permissions on the new target
> server prior to posting on this list, however I doubt if she
> went through all the files on the source server to verify
> that none of them had full control as an ACL for the user
> account in question.
>
> The other issue that she may be experiencing is that if the
> files are currently in use then they will be locked, also
> stopping the move process from occurring.
>
> Well that's my two cents,
>
> Jose
>
> ------------------------------------------------------
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, May 26, 2005 3:05 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>
>
> I disagree. Taking ownership isn't going to fix the
> permissions issues for the user at the opposite end. I'm
> leaning towards a share-level permission problem, since 2003
> by default sets shares at Everyone:Read while NT was
> Everyone:Full Control.
>
> :m:dsm:cci:mvp
>
>
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Medeiros, Jose
> Sent: Thursday, May 26, 2005 4:00 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>
> Hi Debbie,
>
> This sounds like you need to take ownership of all the files
> in each home directory before moving the data.
>
> Jose
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Ellis, Debbie
> Sent: Thursday, May 26, 2005 12:45 PM
> To: '[email protected]'
> Subject: [ActiveDir] Home Directories
>
> We are in the process of moving our users' home directories
> from NT server to 2003 server. We have moved some and have
> run into a problem.
> The users are unable to delete or add but the effective
> permissions is change access. Has anyone run into this issue?
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
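
The root-share ACL listed in Dan Holme's quoted message, written out as a PowerShell script (an added example, not part of the thread and not any poster's own code). The function names, `$RootPath`, the English built-in account names and the Administrators entry (Full Control here; the post leaves it to local security policy) are assumptions.

```powershell
# Added illustration, not from the thread. Run elevated on the file server.
# Assumptions: English built-in account names; Administrators get Full Control
# (the post leaves that entry to local security policy).
function Set-HomeRootAcl {
    param(
        [Parameter(Mandatory)][string]$RootPath,   # hypothetical path, e.g. D:\Home
        [string]$UserGroup = 'BUILTIN\Users'       # or a group of users who get folders
    )
    $inheritAll = 'ContainerInherit, ObjectInherit'

    # Columns: identity, rights, inheritance flags, propagation flags.
    # Row 1 is "This folder only": no inheritance flags, so users can create a
    #       folder in the root but the ACE never reaches anyone's subfolder.
    # Row 2 is "Subfolders & files only": inherit-only, so whoever creates a
    #       folder gets Full on it, and nothing extra on the root itself.
    # Rows 3-4 are "This folder, subfolders & files".
    $entries = @(
        @($UserGroup,               'ListDirectory, CreateDirectories', 'None',      'None'),
        @('CREATOR OWNER',          'FullControl',                      $inheritAll, 'InheritOnly'),
        @('NT AUTHORITY\SYSTEM',    'FullControl',                      $inheritAll, 'None'),
        @('BUILTIN\Administrators', 'FullControl',                      $inheritAll, 'None')
    )

    $acl = Get-Acl -LiteralPath $RootPath
    # Stop inheriting from the parent and discard the inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit ACEs left over from earlier configuration.
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
    foreach ($e in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $e[0], $e[1], $e[2], $e[3], 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $RootPath -AclObject $acl
}

# Read the result back so the "This folder only" entry can be checked by eye:
# the user-group row must show InheritanceFlags = None.
function Get-HomeRootAclReport {
    param([Parameter(Mandatory)][string]$RootPath)
    (Get-Acl -LiteralPath $RootPath).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags,
                      PropagationFlags, IsInherited
}
```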
