Authenticated Users should have Read access to \\SERVER\Homes; each individual user should have Full Control to \\SERVER\Homes\username.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com

-----Original Message-----
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, November 08, 2010 11:48 AM
To: NT System Admin Issues
Subject: Home Folder Permissions reset

Hey list,

I'm sure this is something that has been touched on before, but my quick search through the list archives didn't get anything concrete...

I'm looking to lock down permissions on user home folders. I'm unsure on how, but one user was able to access the contents of another and that will have to be stopped ASAP. I'd like some help on what are the correct permissions, as I have a few questions. Let me explain what things are like currently.

Right now, home folder permissions are as follows:

There is a \\SERVER\Homes share. The _sharing_ permissions on this folder are set to "Everyone" has Change, "Domain Admins" has Full control.

Each user has a home folder under this share (i.e.: \\SERVER\Homes\Username) with the following permissions:

DOMAIN\Username has Modify
SERVER\Administrators has Full Control
SERVER\Users has Read and Execute[1]
SYSTEM has full control
CREATOR OWNER has no permissions

And now, several questions:

A) What are the correct sharing permissions? Should "Everyone" be changed to "Domain Users"? Should Domain Admins not be in that list?

B) What is the SYSTEM permission for? Is it needed?

C) SERVER\Administrators vs DOMAIN\Domain Admins... Which is more appropriate?

I'm working on a script to reset these permissions, probably with xcacls. I need to find my old cacls script first, or write it from scratch. If somebody has a working script for this handy, I'd love a copy.

[1] The SERVER\Users group appears to be part of my problem, as I didn't intend for other users to be able to read and/or execute files on another user's home folder, but this was an inherited permission I missed.

--Matt Ross
Ephrata School District

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
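
One way to script the reset asked about in this thread, as an added example that is not from either poster: it gives each user Full Control on their own folder (as the reply suggests) and strips inherited entries such as the SERVER\Users Read and Execute ACE. The local path `D:\Homes`, the NetBIOS name `DOMAIN`, and the rule that each folder name equals the account name are assumptions.

```powershell
# Added example: reset NTFS ACLs on per-user home folders with icacls.
# Assumptions (not from the thread): folder name == account name, the domain
# NetBIOS name is DOMAIN, and the script runs elevated on the file server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$HomesRoot = 'D:\Homes',   # hypothetical local path behind \\SERVER\Homes
    [string]$Domain    = 'DOMAIN'      # placeholder domain name
)

foreach ($dir in Get-ChildItem -LiteralPath $HomesRoot -Directory) {
    $account = "$Domain\$($dir.Name)"

    # Skip folders with no matching account rather than writing an orphaned ACE.
    try {
        $null = ([System.Security.Principal.NTAccount]$account).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account for '$($dir.FullName)'; left unchanged."
        continue
    }

    if (-not $PSCmdlet.ShouldProcess($dir.FullName, "Reset ACL for $account")) { continue }

    # Grant first so a failure never leaves the folder with an empty ACL.
    # *S-1-5-18 = SYSTEM, *S-1-5-32-544 = local Administrators (well-known SIDs).
    # /grant:r replaces any existing explicit ACE for the same principal.
    icacls $dir.FullName /grant:r "${account}:(OI)(CI)F" `
        "*S-1-5-18:(OI)(CI)F" "*S-1-5-32-544:(OI)(CI)F" /Q | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Grant failed on '$($dir.FullName)'; inheritance left as is."
        continue
    }

    # Remove every inherited ACE from the home folder itself.
    icacls $dir.FullName /inheritance:r /Q | Out-Null

    # Make everything beneath the folder inherit from the freshly reset ACL.
    icacls "$($dir.FullName)\*" /reset /T /C /Q | Out-Null
}
```

Run it with `-WhatIf` first to list the folders it would change. Explicit ACEs for principals other than the three granted here are not removed, so review the `icacls` output for one folder afterwards.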