User profiles folder and ntfs and share permissions best practices "Windows 2000 server"

Posted on 2004-07-30
Last Modified: 2010-04-13
For a Windows 2000 server.

This is really a multipart question.

First: What is the best-practice setup of permissions for shared folders, specifically profiles?

To begin with, if I have my profiles folder on drive D:, I won't have the root of D: shared except for the administrative share D$. In the root I remove the Everyone Full Access NTFS permission and make sure that Administrator and System have full access. Should I also include Backup and Service full access? Any other full access? Am I missing anything important?

SIDE NOTE: I learned the hard way that the System account needs full access to the D: drive root: my Active Directory info was on D:, and with only Administrators having full access, the system would not load Windows.

OK anyways...

Now I create a Profiles folder with NTFS permissions of Administrators full access, Authenticated Users full access and Backup account full access, and share permissions of full access to Everyone.

Is this correct so far or is there a more appropriate method?

Next: When I look at the profiles on my server, most of them say 0 bytes, or that you only have permission to view the info, or something to that effect. If I take ownership of the folder, then I can see the contents etc. What is going on here, is that normal? Please explain the theory and real world concepts.

Question by: NportXport

Accepted Solution by: TASINetwork (earned 250 total points)

Here is how I usually set up home directories/profiles:

-Create a folder in the root directory (D: in your case) called Home and/or Profiles.
-Set the security permissions on these folders to allow Domain Admins Full Control and Authenticated Users Change
-Share the folders (I always share with a "$" at the end of the share name to hide it)
-The Home directories should inherit the permissions to allow administrators access
-Profiles will allow only that user permissions to that folder, so I usually take ownership and grant Domain Admins full control.

As far as the Profiles showing 9 bytes, this is correct with the default permissions. Only that specific user can view the contents, and the administrators are effectively denied access, hence not allowing them to view anything about the folder, including folder size, until you add permissions to yourself.
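
As an added example (not code from the thread or from TASINetwork), this PowerShell script builds the Profiles share root the accepted solution describes, keeps the Authenticated Users entry on the root folder only, as the follow-up comment advises, and then audits which existing profile folders an administrator cannot read. The domain name CONTOSO, the D:\Profiles path and the Profiles$ share name are assumptions, and New-SmbShare needs Windows Server 2012 or later rather than the Windows 2000 server in the question.

```powershell
# Added example (not from the thread). Builds the Profiles share root the way the
# accepted solution describes, then audits existing profile folders for admin access.
# Assumptions: domain NetBIOS name CONTOSO, root D:\Profiles, share name Profiles$;
# New-SmbShare needs Windows Server 2012 or later (not the thread's Windows 2000).
$Root      = 'D:\Profiles'
$ShareName = 'Profiles$'              # trailing $ hides the share from browsing
$Admins    = 'CONTOSO\Domain Admins'

New-Item -Path $Root -ItemType Directory -Force | Out-Null

# NTFS: stop inheriting the drive-root ACL, drop what is left, then add explicit entries.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # protect; do not copy inherited rules
foreach ($rule in $acl.Access) { [void]$acl.RemoveAccessRule($rule) }

$full       = [System.Security.AccessControl.FileSystemRights]::FullControl
$change     = [System.Security.AccessControl.FileSystemRights]::Modify   # "Change" in the old UI
$inheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisFolder = [System.Security.AccessControl.InheritanceFlags]::None

# Domain Admins and SYSTEM: Full Control, inherited into every profile folder created
# later, so administrators are not locked out of profiles the system creates.
foreach ($principal in $Admins, 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, $full, $inheritAll, 'None', 'Allow')))
}
# Authenticated Users: Change on this folder only, so each user can create their own
# profile folder without the entry being pushed down into other users' folders
# (the thread warns that forcing it down makes every profile readable by everyone).
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\Authenticated Users', $change, $thisFolder, 'None', 'Allow')))
Set-Acl -Path $Root -AclObject $acl

# Share: Everyone Full Control at the share level; the NTFS ACL does the real filtering.
New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Everyone' | Out-Null

# Audit: a profile folder whose ACL an administrator cannot even read is one of the
# "0 bytes" folders from the question. Backup Operators can still back it up; browsing
# it needs ownership taken, or the policy behind the KB 222043 link applied beforehand.
Get-ChildItem -Path $Root -Directory | ForEach-Object {
    try {
        $owner = (Get-Acl -Path $_.FullName -ErrorAction Stop).Owner
        [pscustomobject]@{ Profile = $_.Name; Owner = $owner; AdminCanRead = $true }
    } catch {
        [pscustomobject]@{ Profile = $_.Name; Owner = 'access denied'; AdminCanRead = $false }
    }
}
```

Run it from an elevated PowerShell session on the file server as a member of Domain Admins; the audit table lists each profile folder with its owner, or "access denied" for folders that still lock administrators out.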

Author Comment by: NportXport

So how do you backup the profiles folder if you only have domain admins and authenticated users? Don't you need the backup or service account to have full access?

Also, let's say as an example: You had 2000 profiles. Are you saying that you would individually go in and add Domain Admins to each account with full access? Or is there an easier way to take ownership of profiles while maintaining each individual user's rights in his/her individual profile?

Expert Comment by: TASINetwork

With Roaming Profiles, the permissions are set per folder. If you were to set the permissions on the root folder and force them down to each directory, then all folders would be accessible by all users (which you prob. don't want).

You should add your backup user to the Administrators group and the Backup Operators group. Backup Operators can open any file for backup purposes (even if they do not specifically have access to it). So, if you run a backup job, it will back up the profiles, you just won't be able to browse them yourself. You can turn around and restore these files to a different location.

If you want to be able to browse the profiles though, you will have to take ownership and then re-create the permissions (including re-adding that user).

Author Comment by: NportXport

I do get what you are saying. You are more than halfway to the answer and I will be giving you most or all of the points.

Just a few more follow up questions.

So why do you want to be able to browse the profile?

Let's say you had 10,000 users. You would go in to each user and change the permissions so that you can browse their profile? I mean, what are the benefits of browsing a user's profile? Don't you just care about the home folders where they keep their data, as opposed to the profile where their individual computer settings are kept?

By the way. On my network in the server I have some profiles who have the user as the owner and I can still browse the profile because the administrator is in with full access to that profile. How can that be?

The only way I can think of this being possible is that someone would log in locally to the server as the user and add the administrator to their profile. I checked the server's profiles and it only has administrators and my account as having logged in. They could have also deleted the profile after logging back in as administrator.

You do understand my confusion right?

Expert Comment by: TASINetwork

Only reason I can think of for browsing the profile (which in most cases you would NOT need to) is to snoop around. The profiles are stored on the user's local PC too, so you don't really need to back it up in most cases. If either the user's PC or the server profile is available, you won't lose the user's data. Just bring the down PC back up and the profile will recreate itself in the location where it is missing.

Author Comment by: NportXport

TASINetwork

I just found this, and it explains that when a user profile is created and the administrator is not added, it is a bug; you should update to the newest service pack, and you must use a group policy to force the addition of the administrator to the profile.

Interesting eh?

http://support.microsoft.com/default.aspx?scid=kb;EN-US;222043

Expert Comment by: TASINetwork

Thanks for the link! I was just dealing with this at a client the other day, and would have loved to have known this!

Author Comment by: NportXport

So can I have some points back?

hee he ... just kiddin

I am glad it helped you.

Even though it says it in the document, I will point it out anyway that you have to change the setting in the local group policy of the computer for it to work. Or at least that is what it appears to require. In other words, this is not a Domain Group Policy.

It is helping me because I have to migrate profiles from an FFed UP domain to a new domain.

ADMT transferred the user IDs and computers but it could not redo the SIDs, so I have to manually transfer their profiles.

Luckily there are only 70 or so users. I am logging in on one workstation with every user's account so their profile gets copied over, then I am adding the computer to the new domain and logging in with everyone's account from the new domain, then I will log in as the administrator and copy each profile from the old domain onto the corresponding account on the new domain. Finally I will set the 'allowed to use profile' option to the new domain accounts.

If you know of an easier way PLEASE let me know.

Expert Comment by: TASINetwork

Don't know for SURE, but it MIGHT work:
Desktop DNA (http://ca.miramar.com/Products/Small_Office)

Author Comment by: NportXport

It doesn't look like something I can use.

Thanks anyway