Yes, I was talking NTFS perms.

For new users here, we map their home drives using AD, which
automagically gives them Full Perms to this folder. We've never run into
any issues doing it this way and don't see a need to change it up, for
fear of the user messing with their folder.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com


-----Original Message-----
From: James Winzenz [mailto:james.winz...@hotmail.com] 
Sent: Monday, November 08, 2010 12:26 PM
To: NT System Admin Issues
Subject: Re: Home Folder Permissions reset

I think Don was referring to the NTFS permissions, not the Share
permissions.  Each admin has to decide whether they want their users to
have full control to their individual user folders (business may also
dictate).  Yes, full control would allow them to change the permissions
on his/her folder, including removing the local admin group.  From my
experience, I usually do the following for the NTFS permissions:

- For the top-level "Homes" folder (we call it "Users"), we usually just
  do domain users - read/list folder contents plus administrators - full
  control
- For the individual user folders, I do administrators - full control
  and the individual user - modify.  I also remove any inherited
  permissions when the folder is originally created, including
  Creator/Owner.

Regarding share permissions, everyone has a different opinion on this.
Some go the route of just leaving the share permissions at Everyone -
Full Control and restricting permissions using the NTFS permissions.
Some go a step further and restrict both Share and NTFS permissions.
The thing to keep in mind is that when combining Share and NTFS
permissions, the most restrictive always wins.  So if Share permissions
are set to Everyone - Full Control, and NTFS permissions for a certain
group are set to read only, members of that group (assuming they don't
have explicit permissions or are not members of another group that has
more permissions) would have read only access.

As for SYSTEM, I did some researching on this a while back, and found
that for a volume containing only files/folders, it does not appear to
be necessary.  We have removed it from our data volumes without noticing
any issues at all.

HTH,

James
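
An added example, not part of the thread or any poster's script: one way to audit and reset the per-user NTFS layout described above (administrators - full control, the individual user - modify, inherited permissions removed) with icacls. The path `D:\Homes`, the domain name `DOMAIN`, and the rule that each folder name equals the user's logon name are assumptions.

```powershell
# Added example. Reports ACEs outside the intended layout and, with -Apply,
# resets each home folder to: Administrators = Full Control, owner = Modify.
# Assumptions: $HomesRoot and $Domain are placeholders; folder name = logon name.
param(
    [string]$HomesRoot = 'D:\Homes',   # placeholder: local path behind \\SERVER\Homes
    [string]$Domain    = 'DOMAIN',     # placeholder: NetBIOS domain name
    [switch]$Apply                     # without -Apply the script only reports
)

$admins = 'BUILTIN\Administrators'     # the server's local Administrators group

foreach ($dir in Get-ChildItem -LiteralPath $HomesRoot -Directory) {
    $user = "$Domain\$($dir.Name)"
    $acl  = Get-Acl -LiteralPath $dir.FullName

    # Anything inherited, or granted to someone other than admins or the
    # owning user, is outside the layout (e.g. an inherited Users ACE).
    $unexpected = @($acl.Access | Where-Object {
        $_.IsInherited -or ($_.IdentityReference.Value -notin @($admins, $user))
    })
    foreach ($ace in $unexpected) {
        [pscustomobject]@{
            Folder    = $dir.FullName
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
    if (-not $Apply) { continue }

    # Drop inherited ACEs and set the two intended grants on the folder itself.
    # *S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    icacls $dir.FullName /inheritance:r /grant:r "*S-1-5-32-544:(OI)(CI)F" "${user}:(OI)(CI)M" | Out-Null

    # Remove leftover explicit ACEs for other identities (e.g. CREATOR OWNER).
    foreach ($ace in ($unexpected | Where-Object { -not $_.IsInherited })) {
        $id = $ace.IdentityReference.Value
        if ($id -like 'S-1-*') { $id = "*$id" }   # orphaned SID: icacls wants *SID
        icacls $dir.FullName /remove $id | Out-Null
    }

    # Make everything below the folder inherit from it again.
    icacls (Join-Path $dir.FullName '*') /reset /T /C /Q | Out-Null
}
```

Run it without `-Apply` first and review the reported ACEs; the reset also discards any explicit permissions set on files and subfolders inside each home folder.
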
-----Original Message----- 
From: Matthew W. Ross
Sent: Monday, November 08, 2010 10:04 AM
To: NT System Admin Issues
Subject: RE: Home Folder Permissions reset

Read access to the Share allows users to write to their home folders?

Also, doesn't full control allow a user to change his permissions?


--Matt Ross
Ephrata School District


----- Original Message -----
From: Don Guyer [mailto:don.gu...@prufoxroach.com]
To: NT System Admin Issues [mailto:ntsysad...@lyris.sunbelt-software.com]
Sent: Mon, 08 Nov 2010 08:56:43 -0800
Subject: RE: Home Folder Permissions reset


> Authenticated Users should have Read access to \\SERVER\Homes, each
> individual user should have Full Control to \\SERVER\Homes\username.
>
> Don Guyer
> Systems Engineer - Information Services
> Prudential, Fox & Roach/Trident Group
> 431 W. Lancaster Avenue
> Devon, PA 19333
> Direct: (610) 993-3299
> Fax: (610) 650-5306
> don.gu...@prufoxroach.com
>
>
> -----Original Message-----
> From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
> Sent: Monday, November 08, 2010 11:48 AM
> To: NT System Admin Issues
> Subject: Home Folder Permissions reset
>
> Hey list,
>
> I'm sure this is something that has been touched on before, but my
> quick search through the list archives didn't get anything concrete...
>
> I'm looking to lock down permissions on user home folders. I'm unsure
> on how, but one user was able to access the contents of another and
> that will have to be stopped ASAP. I'd like some help on what are the
> correct permissions, as I have a few questions.
>
>
> Let me explain what things are like currently. Right now, home folder
> permissions are as follows:
>
> There is a \\SERVER\Homes share. The _sharing_ permissions on this
> folder are set to "Everyone" has Change, "Domain Admins" has Full
> control.
>
> Each user has a home folder under this share (i.e.:
> \\SERVER\Homes\Username) with the following permissions:
>
> DOMAIN\Username has Modify
> SERVER\Administrators has Full Control
> SERVER\Users has Read and Execute[1]
> SYSTEM has full control
> CREATOR OWNER has no permissions
>
> And now, several questions:
>
> A) What are the correct sharing permissions? Should "Everyone" be
> changed to "Domain Users"? Should Domain Admins not be in that list?
>
> B) What are the SYSTEM permissions for? Are they needed?
>
> C) SERVER\Administrators vs DOMAIN\Domain Admins... Which is more
> appropriate?
>
> I'm working on a script to reset these permissions, probably with
> xcacls. I need to find my old cacls script first, or write it from
> scratch. If somebody has a working script for this handy, I'd love a
> copy.
>
> [1] The SERVER\Users group appears to be part of my problem, as I
> didn't intend for other users to be able to read and/or execute files
> on another user's home folder, but this was an inherited permission I
> missed.
>
>
> --Matt Ross
> Ephrata School District
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin