Permissions on User Directory - Access Denied

I have a very strange situation. On my Win2k DC, all the user directories are stored under the share 'Home' \ username . everything was fine till last week when a user reported that he cannot do anything other then view in his personal folder. Something weired has happend, all the permissions seem to be fine, i even looked via CACLS and the user has permissions, but they cannot do anyting, modify or write, all they can do is read. if i create a new folder outside of 'home' eveything this fine, but all the user directories under home cannot be accessed for modification except for the domain admins, does anyone have any suggestions or seen this problem before, please let me know.

Thanks!
z969307Asked:
Who is Participating?
 
jon37325Commented:
There is an alternative that you have share permissions that do not coinside with your security permissions. This is often overlooked by many administrators. What you need to make sure is that on your security "tab" and your Sharing permissions are lined up correctly. This can cause serious issues. Just double check both sides and you should be fine.
0
 
cannerCommented:
TRY getting full access to the Directory .

take over the ownership of the directory and then grant the user access again.

sometimes you have to do this 2 times to get the problem fixed

0
 
GATOR420Commented:
Sounds like someone did an apply to all subdirectories when they created a directory higher than where you are and gave it Read Only permissions. You might just end up have to re-permission everyone now.
0
Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

 
pcbratCommented:
what are the permissions on the "Home" directory? Have you changed something there and then had it propogate down?

dawne :)
0
 
z969307Author Commented:
Thanks for all your comments guys, I figured out the problem, either me or the other admin took off the 'full' and 'change' permission under the 'Share Permissions' and i think this was trickling down, users can modify within their directories after i checked the full and change options. I will split up the point.

I will add bonus point to anyone of you who can assist me with what the standard permissions hierarchy should be on shared user directories on a LAN. And the proper way of doing it. Currently I have the Domain Admin and the user access to the folder, I have taken out everything else, thanks for you help in advance.

Z
0
 
irjeffbCommented:
It is almost always best to just set the share permissions to Everyone - Full Control.  The folders should be secured with NTFS Security, not Share permissions.  This also makes it A LOT easier to manage.
0
 
z969307Author Commented:
If everyone has full control then everyone else will be getting into everyone elses folders, i don't want the janitors reading the strategic plans.
Thanks
0
 
irjeffbCommented:
If the folders are properly secured with NTFS Permissions, nobody will get to any data they are not allowed to get to.  Adding the Share Permission level of "security" only unneccessarily complicates things.

If you have a folder and the Share Permissions are Everyone - Full Control, and the NTFS Permissions are Administrator - Full Control (no other entries in Security), ONLY the Administrator account will get in the folder.
0
 
pcbratCommented:
If this is just a users home directory then I would suggest using a $ to hide it as an Admin share...

this is what we do..

we have users that have their My Doc redirected....the have a mapping in their user properties that maps the "Z drive to their personal directory...they have full control over it and no one else except the admin can see it....

we dont share that directory that holds all their personel folders....its hidden

\\servername\users$\usernamefolder

dawne
0
 
irjeffbCommented:
pcbrat...
that will work if all of your client PCs are win2k or XP.  Pre-2k cannot map to a folder under a share, only directly to the share.
0
 
pcbratCommented:
you are right....and I am...(all win2k/xp)..

:)
0
 
z969307Author Commented:
Thanks for all the tips. Dawn, your tip was helpful, it is the most basic thing as a net admin you should know which i overlooked, i had my user directories open, I will implement the hidden share on it immediately. The share permission will be everyone 'FCR' and the NTFS on each individual user folder would be that user full control and the domain admins full control and nothing else.

I really appreciate all the comments and suggestions.

Thanks to all.
0
 
pcbratCommented:
Your welcome....and glad to know we couls help....sometimes even the best of us overlook the simple things....thats why we have places like EE to help other IT people out there!

got each others back as they say :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.