Solved

Home drive permissions not working!

Posted on 2007-08-11
Last Modified: 2013-11-05
Hi all,

I'm pulling my hair out over this very simple problem. All users on the domain are able to access (read/write) any other user's home drive.

Here are my permissions:

M:\Staff - SHARE Permissions

Authenticated Users - Change, Read

M:\Staff - NTFS Permissions

Authenticated Users - Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Permissions
CREATOR OWNER - Full
SYSTEM - Full

M:\Staff\brete - Example user NTFS Permissions

Brete - Full
Administrators - Full
CREATOR OWNER - Full
SYSTEM - Full


Any ideas? Thanks in advance!

Question by:dkattan
5 Comments
 

by:LucF
ID: 19677528
Hello dkattan,

Reading quickly through your permissions:
Authenticated Users - Change, Read

This means that everyone who's authenticated on your domain has change rights, so if you restrict these, you can refuse others to change anything on that share.

Regards,

LucF

by:Jason Watkins
ID: 19677536
How are you mapping the shares?  From group policy or the user's account properties?

You have to be careful when dealing with Share permissions & NTFS permissions; they combine to yield the most restrictive settings.

Consider hiding the user's home directory in "Staff", & mapping it that way.

/F

by:LauraEHunterMVP
ID: 19677574
Also be careful with inheritance.  You should apply 'Read' NTFS permissions at the home directories' parent folder and assign the permission to that folder only.  That way users can navigate to the top-level folder without having unintended access to other user home folders underneath it.

Accepted Solution

by:
KCTS earned 2000 total points
ID: 19678479
If you use group policy to re-direct My Documents, then the folders and permissions are created and set automatically. I would use that method in preference to setting all the permissions automatically: http://technet2.microsoft.com/windowsserver/en/library/cad7966e-c9b6-495f-b7bb-2a9673f69f4f1033.mspx?mfr=true

by:ajbritton
ID: 19680010
Are you saying that any user (who is not a member of Administrators) can go into M:\Staff\brete and read/write/delete new files and existing files?

Have a look in the Advanced permissions dialog box to see if any further details are shown.

The share permission on 'Authenticated User: Change, Read' simply means that when connecting via that share, the maximum permissions anyone will have (regardless of NTFS permissions) will be Change, Read.
0
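
The check suggested in the comments above (inspect the effective NTFS entries on each home folder and watch for inherited ones) can be scripted across every folder under M:\Staff. The PowerShell below is an added example, not part of the original thread: the function names are hypothetical, CONTOSO is a placeholder domain, the sample ACEs are constructed, and it assumes each home folder is named after its user's account.

```powershell
# Added example: flag ACEs on a home folder that grant access to anyone other
# than the folder's user, Administrators, SYSTEM or CREATOR OWNER.
# Assumption: each folder under the root is named after its user's account.

function Test-HomeFolderAce {
    param(
        [string]$UserName,     # account the folder belongs to, e.g. 'brete'
        [object[]]$Access      # ACEs as returned by (Get-Acl $path).Access
    )
    $expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'
    foreach ($ace in $Access) {
        $id = [string]$ace.IdentityReference
        if ([string]$ace.AccessControlType -ne 'Allow') { continue }
        if ($expected -contains $id) { continue }
        # Strip the DOMAIN\ prefix before comparing with the folder name
        if (($id -split '\\')[-1] -eq $UserName) { continue }
        [pscustomobject]@{
            User      = $UserName
            Identity  = $id
            Rights    = [string]$ace.FileSystemRights
            Inherited = [bool]$ace.IsInherited   # True = granted further up the tree
        }
    }
}

function Find-HomeFolderExposure {
    param([string]$Root = 'M:\Staff')   # parent folder from the question
    Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        Test-HomeFolderAce -UserName $_.Name -Access $acl.Access
    }
}

# Constructed sample (not taken from the thread): ACEs for M:\Staff\brete where
# a broad grant has been inherited from a folder above it.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\brete'; FileSystemRights = 'FullControl'
                       AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators'; FileSystemRights = 'FullControl'
                       AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'
                       FileSystemRights = 'Modify, Synchronize'
                       AccessControlType = 'Allow'; IsInherited = $true }
)
Test-HomeFolderAce -UserName 'brete' -Access $sample | Format-Table -AutoSize
```

On the file server itself, `Find-HomeFolderExposure -Root 'M:\Staff'` runs the same test against the real ACLs; any row it returns is an entry to review in the Advanced permissions dialog.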
