Solved

Share Permissions

Posted on 2007-11-29
4
1,480 Views
Last Modified: 2013-12-04
I have a major issue with end-users being able to see other users' home drives. This is what I have: Win2003 servers with Active Directory. I have a folder called Home Drives, and the share permissions are Administrator, the Everyone group and SYSTEM. The NTFS permissions are Administrator, CREATOR OWNER and SYSTEM. What might I have set up wrong? If I remove the Everyone group from the share, then no one can see their home drive. Is there a best practice for share and NTFS permissions when setting up home drive shares?

Thank you for your input.
0
Comment
Question by:sjacobi
4 Comments
 
LVL 21

Expert Comment

by:from_exp
ID: 20372961
The most common solution for home folders is to create them hidden (with a $ sign at the end of the share name).
Also, the Microsoft-recommended solution is to configure the share permissions as Everyone Full Control and limit access to the folders only by NTFS permissions.
0
 
LVL 16

Accepted Solution

by: 2PiFL (earned 500 total points)
ID: 20373238

Remove Everyone from the Share permissions and add Authenticated Users with Read / Write to the Share permissions.

On the Security tab of the top-level Home folder, add Administrator and System with Full Control and Authenticated Users with Read / Write.  Then click the Advanced button, select Authenticated Users, click Edit and in the "On To" box select "This folder only".  Click OK until you're out.

Then on each individual Home folder give Read / Write to the individual user on the Security tab.

You can also apply the Access Based Enumeration MSI so that users only see the folders that they have rights to.
0
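The procedure in the accepted answer, as an added PowerShell example that is not from the thread or any of its posters. It assumes a root of D:\Home, a share named Home$, a domain called CONTOSO, two constructed sample accounts, and a server running Windows Server 2012 or later, where the SmbShare cmdlets replace the separate ABE MSI mentioned above.

```powershell
# Added example (not from the original thread): apply the accepted answer with icacls and
# the SmbShare cmdlets. Assumed values: root D:\Home, share Home$, domain CONTOSO,
# constructed sample users alice and bob, Windows Server 2012 or later.
$Root   = 'D:\Home'
$Share  = 'Home$'
$Domain = 'CONTOSO'
$Users  = @('alice', 'bob')   # constructed sample accounts

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# NTFS on the root: drop inherited ACEs, then grant exactly what the answer lists.
# (OI)(CI) = this folder, subfolders and files; no inheritance flags = "This folder only",
# so Authenticated Users can list the root and create a folder but get nothing inside it.
icacls $Root /inheritance:r | Out-Null
icacls $Root /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
icacls $Root /grant 'NT AUTHORITY\Authenticated Users:(RX,W)' | Out-Null

# Per-user folders: each user gets Modify on their own folder only. The ACEs inherited
# from the root are Administrators and SYSTEM, so other users have no entry at all.
foreach ($u in $Users) {
    $path = Join-Path $Root $u
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    icacls $path /grant "${Domain}\${u}:(OI)(CI)M" | Out-Null
}

# Share level: no Everyone entry; Authenticated Users get Change (read/write), and
# Access Based Enumeration hides folders the caller has no right to open.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Root -ChangeAccess 'Authenticated Users' `
        -FullAccess 'BUILTIN\Administrators' | Out-Null
}
Set-SmbShare -Name $Share -FolderEnumerationMode AccessBased -Force

# Check: a user's folder must carry only that user, Administrators and SYSTEM.
# Anything else (for example a leftover Everyone or Users ACE) is the symptom in the question.
foreach ($u in $Users) {
    $acl = Get-Acl (Join-Path $Root $u)
    $expected = @("$Domain\$u", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    $extra = $acl.Access | Where-Object { $_.IdentityReference.Value -notin $expected }
    if ($extra) {
        Write-Warning "Unexpected ACE on $u : $(($extra.IdentityReference.Value | Sort-Object -Unique) -join ', ')"
    }
}
```

Run it elevated on the file server; the final loop is the quick way to confirm that no user folder still inherits an Everyone or Users entry.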
 
LVL 16

Expert Comment

by:kshays
ID: 20373495
Most people will remove everything from the share permissions and add in "Everyone" with Full Control.  Then remove all security groups from the NTFS tab and start adding in what they want from there to control access, since the administration and troubleshooting is easier at this point.

If you are not comfortable using Everyone on the share tab with Full Control, then do as 2PiFL suggested and use "Authenticated Users", but I would give them Full Control on the share so you can explicitly control the NTFS.

Remember the least restrictive permissions will always apply when comparing share vs. NTFS.  That's the reason most people give either Everyone/Authenticated Users Full Control on the share and share only.

0
 

Expert Comment

by:DoradoITTeam
ID: 20398034
I created a script that does it, and it has worked great. I'm sharing only the root part of the folder.
Ex.
Home Folders - Share Name = \\fileserver\homeusers$ with permission to Everyone

Inside that folder I created a structure for departments and then the user name. Ex.
\\fileserver\homeusers$\accounting\user1, then assigned NTFS permissions to the User1 folder.

Attached is a VBScript that automatically creates the user drive when the user logs on for the first time. dcserver1 is my domain controller, where I put all files that may be needed on any computer, like the cacls and takeown files; fileserver1 is my home users drive file server, and prnserver1 is my print server. Hope this helps.

Dim WshShell
Set WshShell = CreateObject("wscript.Shell")

Const RSettings_RegFile = "\\dcserver1\System_Files$\GPO_Files\RS_Spanish.reg"
' Used by every CopyFile below, so declared once at script level
Const OverwriteExisting = False

' Retrieve System Folder (e.g. C:\WINDOWS\system32) via WMI
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set colOSItems = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem")
For Each objOSItem In colOSItems
    strSystemFolder = objOSItem.SystemDirectory
Next

' Verify the logon logo app exists; copy it from the DC share if not
Set objFSO = CreateObject("Scripting.FileSystemObject")
If Not objFSO.FileExists(strSystemFolder & "\Logon_Logo.exe") Then
    objFSO.CopyFile "\\dcserver1\System_Files$\Logon_logo.exe", strSystemFolder & "\", OverwriteExisting
End If

' Show the logo while the rest of the script runs
WshShell.Run strSystemFolder & "\Logon_Logo.exe"

'***************************************************
'********** Retrieve Current Logon User ************
'***************************************************
Set wshNetwork = CreateObject("WScript.Network")
strUser = wshNetwork.UserName
'strGroup = "DL-SEC-IT-Staff"
strAdminGroup = "SFNET/Administrator"
'WScript.Echo "Current User: " & strUser

'***************************************************
'******* Verify if Folder Directory Exists *********
'***************************************************
strHomePath = "\\fileserver1\privado$\Informatica\" & strUser

If objFSO.FolderExists(strHomePath) Then
    Set objFolder = objFSO.GetFolder(strHomePath)
Else
    ' Create it if it doesn't exist
    Set objFolder = objFSO.CreateFolder(strHomePath)

    ' Assign folder permissions: the user and the admin account get Full Control.
    ' Run with bWaitOnReturn = True so the ACL edits apply in order.
    WshShell.Run "cacls " & strHomePath & " /t /e /g " & strUser & ":F", 7, True
    WshShell.Run "cacls " & strHomePath & " /t /e /g " & strAdminGroup & ":F", 7, True
    'WshShell.Run "cacls " & strHomePath & " /t /e /g " & strGroup & ":R", 7, True

    ' Reset default permissions: remove the built-in entries inherited from the parent
    WshShell.Run "cacls " & strHomePath & " /e /r " & "BUILTIN\Administrators", 7, True
    WshShell.Run "cacls " & strHomePath & " /e /r " & """BUILTIN\Users""", 7, True
    WshShell.Run "cacls " & strHomePath & " /e /r " & """NT AUTHORITY\SYSTEM""", 7, True
    WshShell.Run "cacls " & strHomePath & " /e /r " & """CREATOR OWNER""", 7, True

    ' Verify takeown exists; copy it from the DC share if not
    If Not objFSO.FileExists(strSystemFolder & "\takeown.exe") Then
        objFSO.CopyFile "\\dcserver1\System_Files$\takeown.exe", strSystemFolder & "\", OverwriteExisting
    End If

    ' Take ownership of the folder
    WshShell.Run "takeown /f " & strHomePath, 7, True
End If

'************************************************************
'******************** MAP USER DRIVE ************************
'************************************************************
WshShell.Run "net use x: " & strHomePath, 7, False

'************************************************************
'******************* MAP DEPTO DRIVE ************************
'************************************************************
WshShell.Run "net use y: " & "\\fileserver1\ITPublic$", 7, False

'************************************************************
'******************* MAP PUBLIC DRIVE ***********************
'************************************************************
WshShell.Run "net use z: " & "\\fileserver1\Public$", 7, False

'************************************************************
'******************* MAPPING PRINTERS ***********************
'************************************************************
'wshNetwork.AddWindowsPrinterConnection "\\printserver1\nps_it_3"
'wshNetwork.SetDefaultPrinter "\\printserver1\nps_it_3"

'************************************************************
'**************** CHANGE REGIONAL SETTINGS ******************
'************************************************************
WshShell.Run "regedit /s " & RSettings_RegFile

'************************************************************
'****************** CLOSE DESKTOP LOGO **********************
'************************************************************
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colProcessList = objWMIService.ExecQuery _
    ("Select * from Win32_Process Where Name = 'Logon_Logo.exe'")

For Each objProcess In colProcessList
    objProcess.Terminate()
Next


0
