Darren Kattan asked:

Home drive permissions not working!

Hi all,

I'm pulling my hair out over this very simple problem. All users on the domain are able to access (read/write) any other user's home drive.

Here are my permissions:

M:\Staff - SHARE Permissions

Authenticated Users - Change, Read

M:\Staff - NTFS Permissions

Authenticated Users - Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Permissions
CREATOR OWNER - Full
SYSTEM - Full

M:\Staff\brete - Example user NTFS Permissions

Brete - Full
Administrators - Full
CREATOR OWNER - Full
SYSTEM - Full


Any ideas? Thanks in advance!

Luc Franken

Hello dkattan,

Reading quickly through your permissions:
Authenticated Users - Change, Read

This means that everyone who's authenticated on your domain has change rights, so if you restrict these, you can prevent others from changing anything on that share.

Regards,

LucF

How are you mapping the shares? From group policy or the user's account properties?

You have to be careful when dealing with Share permissions & NTFS permissions; they combine to yield the most restrictive settings.

Consider hiding the user's home directory in "Staff", & mapping it that way.

/F

Also be careful with inheritance. You should apply 'Read' NTFS permissions at the home directories' parent folder and assign the permission to that folder only. That way users can navigate to the top-level folder without having unintended access to other user home folders underneath it.

ASKER CERTIFIED SOLUTION
Brian Pierce

This solution is only available to members.

Are you saying that any user (who is not a member of Administrators) can go into M:\Staff\brete and read/write/delete new files and existing files?

Have a look in the Advanced permissions dialog box to see if any further details are shown.

The share permission on 'Authenticated User: Change, Read' simply means that when connecting via that share, the maximum permissions anyone will have (regardless of NTFS permissions) will be Change, Read.
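
The inheritance and Advanced-permissions checks suggested in the replies above can be run across every home folder at once. The following read-only PowerShell audit is an added example, not part of the original thread; it assumes home folders sit directly under `M:\Staff` and that each folder is named after its user's logon name (as with `M:\Staff\brete`).

```powershell
# Added example (not from the thread): read-only audit of home-folder ACLs.
# Assumption: each folder under $HomeRoot is named after the user's logon name.
param(
    [string]$HomeRoot = 'M:\Staff'
)

# Principals the question's listing shows on a correctly set up home folder.
$expected = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'CREATOR OWNER'
)

# 1. Parent folder: any ACE whose inheritance flags are not 'None' is NOT
#    "This folder only" and will flow down into the user folders.
Write-Output "ACEs on $HomeRoot that propagate to child objects:"
(Get-Acl -LiteralPath $HomeRoot).Access |
    Where-Object { $_.InheritanceFlags -ne 'None' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# 2. Each home folder: report Allow ACEs for anyone other than the folder's
#    own user and the expected built-in principals.
Write-Output "Unexpected Allow ACEs on individual home folders:"
Get-ChildItem -LiteralPath $HomeRoot -Directory | ForEach-Object {
    $folder = $_
    foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $id = $ace.IdentityReference.Value
        if ($expected -contains $id) { continue }

        # Identity is DOMAIN\user or just user; compare the account part
        # with the folder name, case-insensitively.
        $account = ($id -split '\\')[-1]
        if ($account -ieq $folder.Name) { continue }

        [pscustomobject]@{
            Folder    = $folder.FullName
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # True = came from a parent ACE
        }
    }
} | Format-Table -AutoSize
```

A row with `Inherited = True` points back at a propagating ACE on the parent listed in the first table; a row with `Inherited = False` was set explicitly on that user's folder.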