Re: Home Folder Permissions reset

2010-11-08 Thread Matthew W. Ross
I don't know why icacls wasn't working for the files, but it was setting 
permissions on the folders. I did try the *.* wildcard, but it didn't seem to 
work either. It was frustrating, and my users were without their home folders 
for a little bit today. Not exactly how I wanted things to go, but it worked 
out.


--Matt Ross
Ephrata School District


- Original Message -
From: Andrew S. Baker
[mailto:asbz...@gmail.com]
To: NT System Admin Issues
[mailto:ntsysad...@lyris.sunbelt-software.com]
Sent: Mon, 08 Nov 2010
19:26:30 -0800
Subject: Re: Home Folder Permissions reset


> iCACLS will work on files, but you need to use *.* rather than just list the
> folder names.
> 
> 
> FILEACL is also recommended, and I use it in a number of scripts.
> 
> 
> ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
> Exploiting Technology for Business Advantage...
> 
> 
> 
> On Mon, Nov 8, 2010 at 5:33 PM, Matthew W. Ross wrote:
> 
> > Thanks Ben, I'll see if I can't find FILEACL and make use of it.
> >
> > In the meantime, I have fixed my problem... for now. I was able to use the
> > existing commands available from MS, but with a few problems. My biggest
> > problem was that icacls.exe seems to be able to set permissions on folders,
> > but not files when I pass the recursive command. (Anybody know how to make
> > icacls do this?) So I had to resort to using the old cacls.exe for the
> > actual permissions.
> >
> > Here's the little script I had to use to make it work, which I ran from the
> > root of the home share:
> >
> > @echo off
> > REM --- Make a list of folders.
> > dir /A:D /B /-C /D > CurrentFolders.txt
> > REM --- Make the Administrators group Owner, so we can redo permissions.
> > for /f %%i in (CurrentFolders.txt) do takeown /f %%i /R /A
> > REM --- Remove the inheritance for each folder.
> > for /f %%i in (CurrentFolders.txt) do icacls %%i /inheritance:R /T /C /L /Q
> > REM --- Apply the permissions I want on each folder.
> > for /f %%i in (CurrentFolders.txt) do cacls %%i /t /e /c /g "DOMAIN\%%i":C
> > for /f %%i in (CurrentFolders.txt) do cacls %%i /t /e /c /g "ADMINISTRATORS":C
> > for /f %%i in (CurrentFolders.txt) do cacls %%i /t /e /c /g "DOMAIN\Domain Admins":F
> >
> > Now, off to find and try FILEACL.
> >
> >
> > --Matt Ross
> > Ephrata School District
> >
> >
> > - Original Message -
> > From: Ben Scott
> > [mailto:mailvor...@gmail.com]
> > To: NT System Admin Issues
> > [mailto:ntsysad...@lyris.sunbelt-software.com]
> > Sent: Mon, 08 Nov 2010
> > 13:40:37 -0800
> > Subject: Re: Home Folder Permissions reset
> >
> >
> > > On Mon, Nov 8, 2010 at 11:47 AM, Matthew W. Ross wrote:
> > > > There is a \\SERVER\Homes share. The _sharing_ permissions on this folder
> > > > is set to "Everyone" has Change, "Domain Admins" has Full control.
> > >
> > >   I tend to lean towards Users=Full, and doing everything in NTFS
> > > permissions.  Sometimes I'll get slightly fancier, and do something
> > > like Administrators=Full, Users=Modify.
> > >
> > >   I "never" get fine grained in share permissions.  Share permissions
> > > are a vestige from back when Microsoft still thought FAT was a good
> > > idea and many computers thus didn't *have* the capability of doing
> > > permissions at the filesystem level.
> > >
> > > > SERVER\Administrators vs DOMAIN\Domain Admins... Which is more
> > > > appropriate?
> > >
> > >   That's entirely up to you and your organization and your needs.
> > > Perhaps not all server admins are domain admins, or perhaps not all
> > > domain admins are server admins.
> > >
> > > > I'm working on a script to reset these permissions, probably with xcacls. I
> > > > need to find my old cacls script first, or write it from scratch. If somebody
> > > > has a working script for this handy, I'd love a copy.
> > >
> > >   I find FILEACL (free third-party tool) is the least-bad for working
> > > with DACLs (permissions) on files and folders.  All of Microsoft's
> > > tools suck.  CACLS, XCACLS.EXE, and XCACLS.VBS suck *a lot*.  In
> > > particular, IIRC, none of them are aware of NTFS inheritance, which
> > > can cause them to actively break things.  ICACLS at least does

Re: Home Folder Permissions reset

2010-11-08 Thread Andrew S. Baker
iCACLS will work on files, but you need to use *.* rather than just list the
folder names.


FILEACL is also recommended, and I use it in a number of scripts.


ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...



On Mon, Nov 8, 2010 at 5:33 PM, Matthew W. Ross wrote:

> Thanks Ben, I'll see if I can't find FILEACL and make use of it.
>
> In the meantime, I have fixed my problem... for now. I was able to use the
> existing commands available from MS, but with a few problems. My biggest
> problem was that icacls.exe seems to be able to set permissions on folders,
> but not files when I pass the recursive command. (Anybody know how to make
> icacls do this?) So I had to resort to using the old cacls.exe for the
> actual permissions.
>
> Here's the little script I had to use to make it work, which I ran from the
> root of the home share:
>
> @echo off
> REM --- Make a list of folders.
> dir /A:D /B /-C /D > CurrentFolders.txt
> REM --- Make the Administrators group Owner, so we can redo permissions.
> for /f %%i in (CurrentFolders.txt) do takeown /f %%i /R /A
> REM --- Remove the inheritance for each folder.
> for /f %%i in (CurrentFolders.txt) do icacls %%i /inheritance:R /T /C /L /Q
> REM --- Apply the permissions I want on each folder.
> for /f %%i in (CurrentFolders.txt) do cacls %%i /t /e /c /g "DOMAIN\%%i":C
> for /f %%i in (CurrentFolders.txt) do cacls %%i /t /e /c /g "ADMINISTRATORS":C
> for /f %%i in (CurrentFolders.txt) do cacls %%i /t /e /c /g "DOMAIN\Domain Admins":F
>
> Now, off to find and try FILEACL.
>
>
> --Matt Ross
> Ephrata School District
>
>
> - Original Message -
> From: Ben Scott
> [mailto:mailvor...@gmail.com]
> To: NT System Admin Issues
> [mailto:ntsysad...@lyris.sunbelt-software.com]
> Sent: Mon, 08 Nov 2010
> 13:40:37 -0800
> Subject: Re: Home Folder Permissions reset
>
>
> > On Mon, Nov 8, 2010 at 11:47 AM, Matthew W. Ross wrote:
> > > There is a \\SERVER\Homes share. The _sharing_ permissions on this folder
> > > is set to "Everyone" has Change, "Domain Admins" has Full control.
> >
> >   I tend to lean towards Users=Full, and doing everything in NTFS
> > permissions.  Sometimes I'll get slightly fancier, and do something
> > like Administrators=Full, Users=Modify.
> >
> >   I "never" get fine grained in share permissions.  Share permissions
> > are a vestige from back when Microsoft still thought FAT was a good
> > idea and many computers thus didn't *have* the capability of doing
> > permissions at the filesystem level.
> >
> > > SERVER\Administrators vs DOMAIN\Domain Admins... Which is more
> > > appropriate?
> >
> >   That's entirely up to you and your organization and your needs.
> > Perhaps not all server admins are domain admins, or perhaps not all
> > domain admins are server admins.
> >
> > > I'm working on a script to reset these permissions, probably with xcacls. I
> > > need to find my old cacls script first, or write it from scratch. If somebody
> > > has a working script for this handy, I'd love a copy.
> >
> >   I find FILEACL (free third-party tool) is the least-bad for working
> > with DACLs (permissions) on files and folders.  All of Microsoft's
> > tools suck.  CACLS, XCACLS.EXE, and XCACLS.VBS suck *a lot*.  In
> > particular, IIRC, none of them are aware of NTFS inheritance, which
> > can cause them to actively break things.  ICACLS at least does
> > inheritance right, but is very limited in what it can do.  SUBINACL
> > can do a lot but has rather cumbersome syntax.  SETACL (another
> > third-party tool) can do everything but its syntax makes SUBINACL look
> > good.  FILEACL seems to suck the least.
> >
> >   I find the following FILEACL idioms to be highly useful.
> >
> >   Report all directly applied ACEs, one object per line:
> >
> >   FILEACL.EXE d:\foo /SUB /FILES /LINE /NOINHERITED
> >
> >   Clear all direct ACEs and propagate inheritable ACEs from parent:
> >
> >   FILEACL d:\foo /REPLACE /INHERIT /SUB /FILES
> >
> >   An ACE is an Access Control Entry, i.e., a given
> > subject+permissions+flags combination in an ACL.  A "direct ACE" is an
> > ACE set on an object, rather than inherited from a parent.  In my
> > book, ideally, most ACEs should be inherited; direct ACEs should be
> > the exceptions.  For example, you would want direct ACEs on your
> > "username" folders, and everything within those folders inherited.
> >
> > -- Ben
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Home Folder Permissions reset

2010-11-08 Thread greg.sweers
Backups are also key.  Built in tools use that account to do a whole list of 
things.  System should have full access pretty much everywhere.

Greg Sweers
CEO
ACTS360.com<http://www.acts360.com/>
P.O. Box 1193
Brandon, FL  33509
813-657-0849 Office
813-758-6850 Cell
813-341-1270 Fax

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, November 08, 2010 12:27 PM
To: NT System Admin Issues
Subject: Re: Home Folder Permissions reset

Matt,

The SYSTEM permissions will allow the local computer to do things like DEFRAG 
those folders.

Here are some scripts that might help:

* http://kb.ultratech-llc.com/Scripts/?File=HomePerms.BAT
* http://KB.UltraTech-llc.com/Scripts/?File=Perms.BAT

ASB (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>

Exploiting Technology for Business Advantage...



On Mon, Nov 8, 2010 at 11:47 AM, Matthew W. Ross <mailto:mr...@ephrataschools.org> wrote:
Hey list,

I'm sure this is something that has been touched on before, but my quick search 
through the list archives didn't get anything concrete...

I'm looking to lock down permissions on user home folders. I'm unsure on how, 
but one user was able to access the contents of another and that will have to 
be stopped ASAP. I'd like some help on what are the correct permissions, as I 
have a few questions.

Let me explain what things are like currently. Right now, home folder 
permissions are as follows:

There is a \\SERVER\Homes share. The _sharing_ permissions on this folder is 
set to "Everyone" has Change, "Domain Admins" has Full control.

Each user has a home folder under this share (i.e.: \\SERVER\Homes\Username) 
with the following permissions:

DOMAIN\Username has Modify
SERVER\Administrators has Full Control
SERVER\Users has Read and Execute[1]
SYSTEM has full control
CREATOR OWNER has no permissions

And now, several questions:

A) What are the correct sharing permissions? Should "Everyone" be changed to 
"Domain Users"? Should Domain Admins not be in that list?

B) What is the SYSTEM permissions for? Is it needed?

C) SERVER\Administrators vs DOMAIN\Domain Admins... Which is more appropriate?

I'm working on a script to reset these permissions, probably with xcacls. I 
need to find my old cacls script first, or write it from scratch. If somebody 
has a working script for this handy, I'd love a copy.

[1] The SERVER\Users group appears to be part of my problem, as I didn't intend 
for other users to be able to read and/or execute files on another user's home 
folder, but this was an inherited permission I missed.


--Matt Ross
Ephrata School District


Re: Home Folder Permissions reset

2010-11-08 Thread Matthew W. Ross
Thanks Ben, I'll see if I can't find FILEACL and make use of it.

In the meantime, I have fixed my problem... for now. I was able to use the 
existing commands available from MS, but with a few problems. My biggest 
problem was that icacls.exe seems to be able to set permissions on folders, but 
not files when I pass the recursive command. (Anybody know how to make icacls 
do this?) So I had to resort to using the old cacls.exe for the actual 
permissions.

Here's the little script I had to use to make it work, which I ran from the 
root of the home share:

@echo off
REM --- Make a list of folders.
dir /A:D /B /-C /D > CurrentFolders.txt
REM --- Make the Administrators group Owner, so we can redo permissions.
for /f %%i in (CurrentFolders.txt) do takeown /f %%i /R /A
REM --- Remove the inheritance for each folder.
for /f %%i in (CurrentFolders.txt) do icacls %%i /inheritance:R /T /C /L /Q
REM --- Apply the permissions I want on each folder.
for /f %%i in (CurrentFolders.txt) do cacls %%i /t /e /c /g "DOMAIN\%%i":C
for /f %%i in (CurrentFolders.txt) do cacls %%i /t /e /c /g "ADMINISTRATORS":C
for /f %%i in (CurrentFolders.txt) do cacls %%i /t /e /c /g "DOMAIN\Domain Admins":F

Now, off to find and try FILEACL.


--Matt Ross
Ephrata School District


- Original Message -
From: Ben Scott
[mailto:mailvor...@gmail.com]
To: NT System Admin Issues
[mailto:ntsysad...@lyris.sunbelt-software.com]
Sent: Mon, 08 Nov 2010
13:40:37 -0800
Subject: Re: Home Folder Permissions reset


> On Mon, Nov 8, 2010 at 11:47 AM, Matthew W. Ross wrote:
> > There is a \\SERVER\Homes share. The _sharing_ permissions on this folder
> > is set to "Everyone" has Change, "Domain Admins" has Full control.
> 
>   I tend to lean towards Users=Full, and doing everything in NTFS
> permissions.  Sometimes I'll get slightly fancier, and do something
> like Administrators=Full, Users=Modify.
> 
>   I "never" get fine grained in share permissions.  Share permissions
> are a vestige from back when Microsoft still thought FAT was a good
> idea and many computers thus didn't *have* the capability of doing
> permissions at the filesystem level.
> 
> > SERVER\Administrators vs DOMAIN\Domain Admins... Which is more
> > appropriate?
> 
>   That's entirely up to you and your organization and your needs.
> Perhaps not all server admins are domain admins, or perhaps not all
> domain admins are server admins.
> 
> > I'm working on a script to reset these permissions, probably with xcacls. I
> > need to find my old cacls script first, or write it from scratch. If somebody
> > has a working script for this handy, I'd love a copy.
> 
>   I find FILEACL (free third-party tool) is the least-bad for working
> with DACLs (permissions) on files and folders.  All of Microsoft's
> tools suck.  CACLS, XCACLS.EXE, and XCACLS.VBS suck *a lot*.  In
> particular, IIRC, none of them are aware of NTFS inheritance, which
> can cause them to actively break things.  ICACLS at least does
> inheritance right, but is very limited in what it can do.  SUBINACL
> can do a lot but has rather cumbersome syntax.  SETACL (another
> third-party tool) can do everything but its syntax makes SUBINACL look
> good.  FILEACL seems to suck the least.
> 
>   I find the following FILEACL idioms to be highly useful.
> 
>   Report all directly applied ACEs, one object per line:
> 
>   FILEACL.EXE d:\foo /SUB /FILES /LINE /NOINHERITED
> 
>   Clear all direct ACEs and propagate inheritable ACEs from parent:
> 
>   FILEACL d:\foo /REPLACE /INHERIT /SUB /FILES
> 
>   An ACE is an Access Control Entry, i.e., a given
> subject+permissions+flags combination in an ACL.  A "direct ACE" is an
> ACE set on an object, rather than inherited from a parent.  In my
> book, ideally, most ACEs should be inherited; direct ACEs should be
> the exceptions.  For example, you would want direct ACEs on your
> "username" folders, and everything within those folders inherited.
> 
> -- Ben
> 



Re: Home Folder Permissions reset

2010-11-08 Thread Ben Scott
On Mon, Nov 8, 2010 at 11:47 AM, Matthew W. Ross wrote:
> There is a \\SERVER\Homes share. The _sharing_ permissions on this folder is 
> set to "Everyone" has Change, "Domain Admins" has Full control.

  I tend to lean towards Users=Full, and doing everything in NTFS
permissions.  Sometimes I'll get slightly fancier, and do something
like Administrators=Full, Users=Modify.

  I "never" get fine grained in share permissions.  Share permissions
are a vestige from back when Microsoft still thought FAT was a good
idea and many computers thus didn't *have* the capability of doing
permissions at the filesystem level.

> SERVER\Administrators vs DOMAIN\Domain Admins... Which is more appropriate?

  That's entirely up to you and your organization and your needs.
Perhaps not all server admins are domain admins, or perhaps not all
domain admins are server admins.

> I'm working on a script to reset these permissions, probably with xcacls. I
> need to find my old cacls script first, or write it from scratch. If somebody
> has a working script for this handy, I'd love a copy.

  I find FILEACL (free third-party tool) is the least-bad for working
with DACLs (permissions) on files and folders.  All of Microsoft's
tools suck.  CACLS, XCACLS.EXE, and XCACLS.VBS suck *a lot*.  In
particular, IIRC, none of them are aware of NTFS inheritance, which
can cause them to actively break things.  ICACLS at least does
inheritance right, but is very limited in what it can do.  SUBINACL
can do a lot but has rather cumbersome syntax.  SETACL (another
third-party tool) can do everything but its syntax makes SUBINACL look
good.  FILEACL seems to suck the least.

  I find the following FILEACL idioms to be highly useful.

  Report all directly applied ACEs, one object per line:

FILEACL.EXE d:\foo /SUB /FILES /LINE /NOINHERITED

  Clear all direct ACEs and propagate inheritable ACEs from parent:

FILEACL d:\foo /REPLACE /INHERIT /SUB /FILES

  An ACE is an Access Control Entry, i.e., a given
subject+permissions+flags combination in an ACL.  A "direct ACE" is an
ACE set on an object, rather than inherited from a parent.  In my
book, ideally, most ACEs should be inherited; direct ACEs should be
the exceptions.  For example, you would want direct ACEs on your
"username" folders, and everything within those folders inherited.

-- Ben

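As an added example (not a script from this thread), here is a PowerShell take on the audit-and-reset that Matt scripted with takeown/icacls/cacls, laid out the way Ben describes: direct ACEs on each username folder, everything beneath it inherited. It assumes the home folders sit at D:\Homes and are named after the accounts, that DOMAIN is a placeholder for the NetBIOS domain name, and that it runs as an administrator who already has access to the folders (otherwise take ownership first, as Matt did).

```powershell
<#
  Added example, not a script from the thread. Audits every home folder under
  the share root for ACEs granted to anyone outside the expected set (this is
  how Matt's stray, inherited SERVER\Users entry would show up), and with -Fix
  rewrites each folder's DACL as direct ACEs on the username folder that the
  files and subfolders below it inherit.
  Assumptions: folders are named after the accounts, D:\Homes is the local
  path behind \\SERVER\Homes, DOMAIN is a placeholder for the NetBIOS domain
  name, and the caller is an administrator who can already read the ACLs.
#>
param(
    [string]$HomeRoot = 'D:\Homes',
    [string]$Domain   = 'DOMAIN',
    [switch]$Fix
)

# Principals that may appear on any home folder. Windows reports the local
# Administrators group as BUILTIN\Administrators, not SERVER\Administrators.
$AlwaysAllowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$Domain\Domain Admins")

function Get-HomeFolderFindings {
    param([string]$Path, [string]$User)
    $acl     = Get-Acl -Path $Path
    $allowed = $AlwaysAllowed + "$Domain\$User"
    # Every ACE for a principal outside the allowed set is a finding, inherited
    # or not. Deleted accounts appear here as raw S-1-5-... SIDs, which is wanted.
    foreach ($ace in $acl.Access) {
        if ($allowed -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Folder              = $Path
                Identity            = $ace.IdentityReference.Value
                Rights              = $ace.FileSystemRights
                Inherited           = $ace.IsInherited
                FolderStillInherits = -not $acl.AreAccessRulesProtected
            }
        }
    }
}

function Reset-HomeFolderAcl {
    param([string]$Path, [string]$User)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the share root and discard the inherited entries
    # (what icacls /inheritance:r does, but for the folder only).
    $acl.SetAccessRuleProtection($true, $false)
    # Drop the remaining explicit entries so the result is exactly the list below.
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
    }
    # ContainerInherit + ObjectInherit: the ACE is direct on the folder and is
    # inherited by every file and subfolder, which is what the cacls /t loop in
    # the thread had to stamp onto each file individually.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $full      = [System.Security.AccessControl.FileSystemRights]::FullControl
    $modify    = [System.Security.AccessControl.FileSystemRights]::Modify
    $entries = @(
        @{ Id = "$Domain\$User";          Rights = $modify },
        @{ Id = 'BUILTIN\Administrators'; Rights = $full },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = $full },
        @{ Id = "$Domain\Domain Admins";  Rights = $full }
    )
    foreach ($e in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $e.Id, $e.Rights, $inherit, $propagate, $allow)
        $acl.AddAccessRule($rule)   # throws IdentityNotMappedException if the account is gone
    }
    Set-Acl -Path $Path -AclObject $acl
    # Children whose own inheritance was switched off earlier (for instance by a
    # previous icacls /inheritance:r /T run) would not pick up the new entries;
    # reset them to inherited-only ACLs. The wildcard keeps the folder itself out.
    & icacls.exe "$Path\*" /reset /T /C /Q | Out-Null
}

$findings = @()
foreach ($dir in Get-ChildItem -Path $HomeRoot -Directory) {
    $bad = @(Get-HomeFolderFindings -Path $dir.FullName -User $dir.Name)
    $findings += $bad
    if ($Fix -and $bad.Count -gt 0) {
        try   { Reset-HomeFolderAcl -Path $dir.FullName -User $dir.Name }
        catch { Write-Warning "Could not reset $($dir.FullName): $($_.Exception.Message)" }
    }
}
$findings | Format-Table -AutoSize
```

Run it without -Fix first: the report alone answers the question Matt started with, namely which folders carry entries (inherited or direct) that let other users in.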


RE: Home Folder Permissions reset

2010-11-08 Thread Don Guyer
Yes, I was talking NTFS perms.

For new users here, we map their home drives using AD, which
automagically gives them Full Perms to this folder. We've never ran into
any issues doing it this way and don't see a need to change it up, for
fear of the user messing with their folder.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com


-Original Message-
From: James Winzenz [mailto:james.winz...@hotmail.com] 
Sent: Monday, November 08, 2010 12:26 PM
To: NT System Admin Issues
Subject: Re: Home Folder Permissions reset

I think Don was referring to the NTFS permissions, not the Share 
permissions.  Each admin has to decide whether they want their users to have 
full control to their individual user folders (business may also dictate). 
Yes, full control would allow them to change the permissions on his/her 
folder, including removing the local admin group.  From my experience, I 
usually do the following for the NTFS permissions:

- For the top-level "Homes" folder (we call it "Users"), we usually just do 
domain users - read/list folder contents plus administrators - full control
- For the individual user folders, I do administrators - full control and the 
individual user - modify.  I also remove any inherited permissions when the 
folder is originally created, including Creator/Owner.

Regarding share permissions, everyone has a different opinion on this.  Some 
go the route of just leaving the share permissions at Everyone - Full 
Control and restricting permissions using the NTFS permissions.  Some go a 
step further and restrict both Share and NTFS permissions.  The thing to 
keep in mind is that when combining Share and NTFS permissions, the most 
restrictive always wins.  So if Share permissions are set to Everyone - Full 
Control, and NTFS permissions for a certain group are set to read only, 
members of that group (assuming they don't have explicit permissions or are 
not members of another group that has more permissions) would have read only 
access.

As for SYSTEM, I did some researching on this a while back, and found that 
for a volume containing only files/folders, it does not appear to be 
necessary.  We have removed it from our data volumes without noticing any 
issues at all.

HTH,

James
-Original Message- 
From: Matthew W. Ross
Sent: Monday, November 08, 2010 10:04 AM
To: NT System Admin Issues
Subject: RE: Home Folder Permissions reset

Read access to the Share allows users to write to their home folders?

Also, doesn't full control allow a user to change his permissions?


--Matt Ross
Ephrata School District


- Original Message -
From: Don Guyer
[mailto:don.gu...@prufoxroach.com]
To: NT System Admin Issues
[mailto:ntsysad...@lyris.sunbelt-software.com]
Sent: Mon, 08 Nov 2010
08:56:43 -0800
Subject: RE: Home Folder Permissions reset


> Authenticated Users should have Read access to \\SERVER\Homes, each
> individual user should have Full Control to \\SERVER\Homes\username.
>
> Don Guyer
> Systems Engineer - Information Services
> Prudential, Fox & Roach/Trident Group
> 431 W. Lancaster Avenue
> Devon, PA 19333
> Direct: (610) 993-3299
> Fax: (610) 650-5306
> don.gu...@prufoxroach.com
>
>
> -Original Message-
> From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
> Sent: Monday, November 08, 2010 11:48 AM
> To: NT System Admin Issues
> Subject: Home Folder Permissions reset
>
> Hey list,
>
> I'm sure this is something that has been touched on before, but my quick
> search through the list archives didn't get anything concrete...
>
> I'm looking to lock down permissions on user home folders. I'm unsure on
> how, but one user was able to access the contents of another and that
> will have to be stopped ASAP. I'd like some help on what are the correct
> permissions, as I have a few questions.
>
> Let me explain what things are like currently. Right now, home folder
> permissions are as follows:
>
> There is a \\SERVER\Homes share. The _sharing_ permissions on this
> folder is set to "Everyone" has Change, "Domain Admins" has Full
> control.
>
> Each user has a home folder under this share (i.e.:
> \\SERVER\Homes\Username) with the following permissions:
>
> DOMAIN\Username has Modify
> SERVER\Administrators has Full Control
> SERVER\Users has Read and Execute[1]
> SYSTEM has full control
> CREATOR OWNER has no permissions
>
> And now, several questions:
>
> A) What are the correct sharing permissions? Should "Everyone" be
> changed to "Domain Users"? Should Domain Admins not be in that list?
>
> B) What is the SYSTEM permissions for? Is it needed?

RE: Home Folder Permissions reset

2010-11-08 Thread Joseph L. Casale
http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

Give that a read...
I have used setacl and a script to interpret folder name into account name to 
tidy this up.
jlc




Re: Home Folder Permissions reset

2010-11-08 Thread Andrew S. Baker
Matt,

The SYSTEM permissions will allow the local computer to do things like
DEFRAG those folders.

Here are some scripts that might help:


- http://kb.ultratech-llc.com/Scripts/?File=HomePerms.BAT
- http://KB.UltraTech-llc.com/Scripts/?File=Perms.BAT


ASB (My XeeSM Profile)

Exploiting Technology for Business Advantage...



On Mon, Nov 8, 2010 at 11:47 AM, Matthew W. Ross
wrote:

> Hey list,
>
> I'm sure this is something that has been touched on before, but my quick
> search through the list archives didn't get anything concrete...
>
> I'm looking to lock down permissions on user home folders. I'm unsure on
> how, but one user was able to access the contents of another and that will
> have to be stopped ASAP. I'd like some help on what are the correct
> permissions, as I have a few questions.
>
> Let me explain what things are like currently. Right now, home folder
> permissions are as follows:
>
> There is a \\SERVER\Homes share. The _sharing_ permissions on this folder
> is set to "Everyone" has Change, "Domain Admins" has Full control.
>
> Each user has a home folder under this share (i.e.:
> \\SERVER\Homes\Username) with the following permissions:
>
> DOMAIN\Username has Modify
> SERVER\Administrators has Full Control
> SERVER\Users has Read and Execute[1]
> SYSTEM has full control
> CREATOR OWNER has no permissions
>
> And now, several questions:
>
> A) What are the correct sharing permissions? Should "Everyone" be changed
> to "Domain Users"? Should Domain Admins not be in that list?
>
> B) What is the SYSTEM permissions for? Is it needed?
>
> C) SERVER\Administrators vs DOMAIN\Domain Admins... Which is more
> appropriate?
>
> I'm working on a script to reset these permissions, probably with xcacls. I
> need to find my old cacls script first, or write it from scratch. If
> somebody has a working script for this handy, I'd love a copy.
>
> [1] The SERVER\Users group appears to be part of my problem, as I didn't
> intend for other users to be able to read and/or execute files on another
> user's home folder, but this was an inherited permission I missed.
>
>
> --Matt Ross
> Ephrata School District
>
>


Re: Home Folder Permissions reset

2010-11-08 Thread James Winzenz
I think Don was referring to the NTFS permissions, not the Share 
permissions.  Each admin has to decide whether they want their users to have 
full control to their individual user folders (business may also dictate). 
Yes, full control would allow them to change the permissions on his/her 
folder, including removing the local admin group.  From my experience, I 
usually do the following for the NTFS permissions:


- For the top-level "Homes" folder (we call it "Users"), we usually just do 
domain users - read/list folder contents plus administrators - full control
- For the individual user folders, I do administrators - full control and the 
individual user - modify.  I also remove any inherited permissions when the 
folder is originally created, including Creator/Owner.


Regarding share permissions, everyone has a different opinion on this.  Some 
go the route of just leaving the share permissions at Everyone - Full 
Control and restricting permissions using the NTFS permissions.  Some go a 
step further and restrict both Share and NTFS permissions.  The thing to 
keep in mind is that when combining Share and NTFS permissions, the most 
restrictive always wins.  So if Share permissions are set to Everyone - Full 
Control, and NTFS permissions for a certain group are set to read only, 
members of that group (assuming they don't have explicit permissions or are 
not members of another group that has more permissions) would have read only 
access.


As for SYSTEM, I did some researching on this a while back, and found that 
for a volume containing only files/folders, it does not appear to be 
necessary.  We have removed it from our data volumes without noticing any 
issues at all.


HTH,

James
-Original Message- 
From: Matthew W. Ross

Sent: Monday, November 08, 2010 10:04 AM
To: NT System Admin Issues
Subject: RE: Home Folder Permissions reset

Read access to the Share allows users to write to their home folders?

Also, doesn't full control allow a user to change his permissions?


--Matt Ross
Ephrata School District


- Original Message -
From: Don Guyer
[mailto:don.gu...@prufoxroach.com]
To: NT System Admin Issues
[mailto:ntsysad...@lyris.sunbelt-software.com]
Sent: Mon, 08 Nov 2010
08:56:43 -0800
Subject: RE: Home Folder Permissions reset



Authenticated Users should have Read access to \\SERVER\Homes, each
individual user should have Full Control to \\SERVER\Homes\username.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com


-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Monday, November 08, 2010 11:48 AM
To: NT System Admin Issues
Subject: Home Folder Permissions reset

Hey list,

I'm sure this is something that has been touched on before, but my quick
search through the list archives didn't get anything concrete...

I'm looking to lock down permissions on user home folders. I'm unsure on
how, but one user was able to access the contents of another and that
will have to be stopped ASAP. I'd like some help on what are the correct
permissions, as I have a few questions.


Let me explain what things are like currently. Right now, home folder
permissions are as follows:

There is a \\SERVER\Homes share. The _sharing_ permissions on this
folder is set to "Everyone" has Change, "Domain Admins" has Full
control.

Each user has a home folder under this share (i.e.:
\\SERVER\Homes\Username) with the following permissions:

DOMAIN\Username has Modify
SERVER\Administrators has Full Control
SERVER\Users has Read and Execute[1]
SYSTEM has full control
CREATOR OWNER has no permissions

And now, several questions:

A) What are the correct sharing permissions? Should "Everyone" be
changed to "Domain Users"? Should Domain Admins not be in that list?

B) What is the SYSTEM permissions for? Is it needed?

C) SERVER\Administrators vs DOMAIN\Domain Admins... Which is more
appropriate?

I'm working on a script to reset these permissions, probably with
xcacls. I need to find my old cacls script first, or write it from
scratch. If somebody has a working script for this handy, I'd love a
copy.

[1] The SERVER\Users group appears to be part of my problem, as I didn't
intend for other users to be able to read and/or execute files on
another user's home folder, but this was an inherited permission I
missed.


--Matt Ross
Ephrata School District

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



RE: Home Folder Permissions reset

2010-11-08 Thread Derek Johnson
Authenticated Users should have LIST access to \\SERVER\Homes, each individual 
user should have Modify to \\SERVER\Homes\username.



Derek A Johnson
Sr. Systems Administrator
National Association of Realtors
430 N. Michigan Ave.
Chicago, IL 60611
Email: djohn...@realtors.org
Cell: 262.496.9201
Desk: 312.329.8618

-Original Message-
From: Don Guyer [mailto:don.gu...@prufoxroach.com]
Sent: Monday, November 08, 2010 10:57 AM
To: NT System Admin Issues
Subject: RE: Home Folder Permissions reset

Authenticated Users should have Read access to \\SERVER\Homes, each
individual user should have Full Control to \\SERVER\Homes\username.


RE: Home Folder Permissions reset

2010-11-08 Thread Matthew W. Ross
Read access to the Share allows users to write to their home folders?

Also, doesn't full control allow a user to change his permissions?


--Matt Ross
Ephrata School District


- Original Message -
From: Don Guyer
[mailto:don.gu...@prufoxroach.com]
To: NT System Admin Issues
[mailto:ntsysad...@lyris.sunbelt-software.com]
Sent: Mon, 08 Nov 2010
08:56:43 -0800
Subject: RE: Home Folder Permissions reset


> Authenticated Users should have Read access to \\SERVER\Homes, each
> individual user should have Full Control to \\SERVER\Homes\username.
> 

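As an added example (not a script from anyone in this thread): a PowerShell audit that reads each home folder under the share root and reports where its NTFS ACL departs from the layout the replies describe (SYSTEM, Administrators and the folder's own user only). It flags the two things Matt raises: an ACE inherited from the share root, such as SERVER\Users with Read & Execute, and an owner ACE that carries Full Control rather than Modify, since Full Control includes the rights to change permissions and take ownership. It reports only and changes nothing. It assumes it runs on the file server as an administrator, that $HomeRoot is the local path behind \\SERVER\Homes, and that each folder is named after the user's account; the default path and the Domain Admins group name are placeholders, not values from the thread.

```powershell
# Added example, not code from the thread. Reports home folders whose NTFS
# ACL departs from the layout discussed (SYSTEM, Administrators and the
# folder's own user only); it changes nothing.
param(
    # Assumption: local path on the file server behind \\SERVER\Homes.
    [string]$HomeRoot = 'D:\Homes',
    # Assumption: each home folder is named after the user's account.
    [string]$Domain   = $env:USERDOMAIN
)

# Principals allowed on every home folder besides the owning user.
$AllowedCommon = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$Domain\Domain Admins"
)

# Rights that let a principal rewrite the ACL or take ownership.
# Modify does not include them; Full Control does.
$DaclRights = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
              [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-HomeFolderAcl {
    param([System.IO.DirectoryInfo]$Folder)

    $owner    = "$Domain\$($Folder.Name)"
    $acl      = $Folder.GetAccessControl()   # DirectorySecurity for this folder
    $findings = @()

    # The thread's root cause: an ACE inherited from the share root
    # (SERVER\Users Read & Execute). Blocked inheritance is the expected state.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'inheritance from the share root is not blocked'
    }

    # Explicit and inherited allow ACEs, resolved to DOMAIN\name form.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $id = $ace.IdentityReference.Value

        if ($id -eq $owner) {
            # Full Control would let the user edit the ACL of his own folder.
            if (($ace.FileSystemRights -band $DaclRights) -ne 0) {
                $findings += "$id can change permissions or take ownership (Full Control rather than Modify)"
            }
            continue
        }
        if ($AllowedCommon -notcontains $id) {
            $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            $findings += "unexpected $source ACE: $id has $($ace.FileSystemRights)"
        }
    }
    # Leading comma keeps an empty result as an array so .Count is valid.
    return ,$findings
}

Get-ChildItem -Path $HomeRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $issues = Test-HomeFolderAcl -Folder $_
    if ($issues.Count -gt 0) {
        New-Object PSObject -Property @{
            Folder   = $_.FullName
            Findings = ($issues -join '; ')
        }
    }
}
```

Run it once before and once after a permissions reset: an empty result means every home folder has inheritance blocked, only the expected principals, and the owner limited to Modify. Share-level permissions on \\SERVER\Homes are a separate layer that this script does not read.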

RE: Home Folder Permissions reset

2010-11-08 Thread Don Guyer
Authenticated Users should have Read access to \\SERVER\Homes, each
individual user should have Full Control to \\SERVER\Homes\username.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com

