1) But then they would see all the other Users' folders even if they could
not access them, wouldn't they? 

2) Thanks!

3) It is complicated to set it up the way I did, but it seems simpler to
maintain and locks things down. I'm intrigued by your idea, however. They
are running apps locally on their PC, just accessing the data file on the
server, with the exception of the one SQL app. They wouldn't use the RUNAS
or SU, would they?

-----Original Message-----
From: Correa, Andre [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 05, 2001 10:39 AM
To: NT System Admin Issues
Subject: RE: Folder Convolutions

1)
Since you stated you have both Win2K clients and a Win2k server, you don't
need to explicitly share each user folder.  Sharing Users$ is enough.  Use
login script and map home drive like:

Net use h: \\Win2kSrv\Users$

I would also change the user permissions from Full control to Change, as
they will have all necessary permissions they need, but with Full control
they have the added luxury of attempting to lock you out of the folder, a
PITA when you have to take ownership of a folder with 18 levels.

2)
For the shared folder, your permissions seem OK to me.

3)
Shared Apps:  Very Intuitive!!  I would have gone a different, perhaps more
complicated way....

My suggestion would be to lock out the users and use RUNAS (or SU from the
Resource Kit ~ looks like the better option) and set up a service account.
Give the service account permission to view the directory, and change the
shortcut to start SU instead of the actual program.  You may have an icon on
all the users' desks pointing to a network share, but you only have to create
a batch file (I prefer CMDs) once on the server, make a shortcut to it, and
copy it to the Desktop section of All Users for each workstation.  All can
be scripted.

My $.02, and I hope it helps :)

____________________________________________
Andre Correa
Senior Manager/Information Technology
Lexitron, Inc
(201) 892-6399

 -----Original Message-----
From:   Dewar Charles R [mailto:[EMAIL PROTECTED]]
Sent:   Wednesday, September 05, 2001 10:48 AM
To:     NT System Admin Issues
Subject:        Folder Convolutions

Got a Windows 2000 Server with Windows 2000 clients (no AD). Here's what I
did and I would love other sysadmin opinions:

1) For home shares, I wanted each user to map directly to their folder. I
created the Users$ folder for organization and administration.
        \\servername\Users$\username$\
        Users$
                Share=Admin (Full)
                File Security=Everyone (Full)
        Username$ (Changes with each user)
                Share=User (Change)
                File Security=Everyone (Full)


2) For folders shared by groups of users, I wanted them to be able to see
all the folder names but only have access to the ones they should have.
        \\servername\Groups$\subfolder
        Groups$
                Share=Admin (Full)
                        Everyone (Change)
                File Security=Everyone (Read, List Folder Contents)
                        Admin (Full)
        subfolders
                File Security=Specific Global Group (Modify)
                        Admin (Full)

3) Now the trickiest one: For shared application files, I wanted to be able
to map each user to a specific hidden share, but I did not want them to be
able to browse by double-clicking the mapped drive. The applications they
ran needed to be able to modify the data on the server, but I did not want
them to be able to easily delete the data through newbie behavior. Each of
the application shortcuts on their PC would access the files in the
subfolders *beyond* the share.
        \\servername\Apps$\application
        Apps$
                Share=Admin (Full)
                        Everyone (Change)
                File Security=Admin (Full)
                        Everyone (Traverse Folder) <--- Here's the important part
        application
                File Security=Admin (Full)
                        Specific Global Group (Change)


Now, the hickie we came across is that the apps on the server like SQL and
Norton Antivirus could no longer access the folders in which we had removed
the Everyone rights. Adding SYSTEM and SERVICE accounts seemed to have fixed
that.

Now, I know I can do this much easier by mapping many drives, but I want to
keep things organized and simple for the users. Anyone know of a better way?

Charles R. Dewar
Systems Administrator
North Hills Hospital
Phone: 817.255.1777
Toll-free Fax: 866.947.3756
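
Added example, not part of the original thread: a simplified Python model of how the share ACL and the File Security (NTFS) ACL in layout 3 combine for a network user, since access through a share is limited to what both grant. The flat right sets, the absence of Deny entries and inheritance, the name "AppGroup" (standing in for "Specific Global Group") and reading the post's NTFS "Change" as Modify are assumptions.

```python
# Simplified model (assumption): rights are flat sets, no Deny entries, no inheritance.
T, L, R, W, D, P = "traverse", "list", "read", "write", "delete", "change_perms"

# Share-level and NTFS-level permission names mapped to the rights they carry.
SHARE = {"Read": {T, L, R}, "Change": {T, L, R, W, D}, "Full": {T, L, R, W, D, P}}
NTFS = {
    "Traverse": {T},
    "Read+List": {T, L, R},
    "Modify": {T, L, R, W, D},   # the post's NTFS "Change" is taken as Modify
    "Full": {T, L, R, W, D, P},
}

def granted(acl, levels, principals):
    """Union of rights from every ACL entry whose trustee the caller matches."""
    rights = set()
    for trustee, level in acl.items():
        if trustee in principals:
            rights |= levels[level]
    return rights

def effective(share_acl, ntfs_acl, principals):
    """Over the network, only rights allowed by BOTH the share and NTFS ACLs apply."""
    return granted(share_acl, SHARE, principals) & granted(ntfs_acl, NTFS, principals)

# Layout 3 as posted; "AppGroup" is a hypothetical name for the global group.
APPS_SHARE = {"Admin": "Full", "Everyone": "Change"}
APPS_ROOT = {"Admin": "Full", "Everyone": "Traverse"}
APP_DIR = {"Admin": "Full", "AppGroup": "Modify"}

MEMBER = {"Everyone", "AppGroup"}   # user who belongs to the application group
OUTSIDER = {"Everyone"}             # user who does not

def report():
    """Effective rights at the share root and in the application subfolder."""
    return {
        "member@root": effective(APPS_SHARE, APPS_ROOT, MEMBER),
        "member@application": effective(APPS_SHARE, APP_DIR, MEMBER),
        "outsider@application": effective(APPS_SHARE, APP_DIR, OUTSIDER),
    }

if __name__ == "__main__":
    for where, rights in report().items():
        print(f"{where:22} {sorted(rights)}")
```

In this model a group member can pass through the Apps$ root without being able to list it, yet still holds delete rights inside the application folder, so the layout hides the data from browsing rather than protecting it from deletion by path.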



http://www.sunbelt-software.com/ntsysadmin_list_charter.htm


