Solved

Offline Files Synchronization - Best Practices

Posted on 2009-05-20
9
1,126 Views
Last Modified: 2012-05-07
In the scenario below, we have all Server 2003 Standard servers in an Active Directory domain environment.  All users run XP Pro with at least SP2.

Each branch at our organization has a Server 2003 Standard Edition server that the users store their 'My Documents' on.  Each users' home directory is mapped to a drive letter (in our example, we'll use H:\), and that drive letter is the location that the 'My Documents' folder points to.  The laptop users have 'Offline Files' enabled, and the files sync when the user logs on and off the computer.  According to Microsoft KB275461 (http://support.microsoft.com/kb/275461), the best solution is to provide all users with at least READ access to the root directory of the users' shared folder (ie \\SERVER\USERS\).  However, if we do this, that means Joe Smith (a user with very little rights on the network) can read all the files located in Jane Doe's user directory (\\SERVER\USERS\JDOE\).  What is the best practices to use in order for each user to have a home directory located on \\SERVER\USERS\ that will allow laptop users to successfully sync their files as well as not let any other users access another user's files.

I hope I've explained myself well, and I apologize if I did not.

To summarize, we have a shared directory on the server called \\SERVER\USERS.  Each user has his/her own directory under that root directory.  Currently, we are experiencing issues with laptop users that are getting "Access Denied" error (as seen in Microsoft KB275461) and we need a solution without giving all users the access to read another user's files.

Thanks!
0
Comment
Question by:olinccu
  • 5
  • 3
9 Comments
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24434851
You should download, install and enable ABE(access based enumeration)
http://technet.microsoft.com/en-us/library/cc784710(WS.10).aspx
 
Then the users will only see their own folder and nobody elses
0
 

Author Comment

by:olinccu
ID: 24434893
That is definitely an awesome feature.  However, I do not believe that would fix my issue.  Following the KB article from Microsoft that says to give ALL USERS at least READ access to the root share folder, that would then give users access to read all files in that folder.  So that, to me, will not be solved by the ABE feature.  Even if it no longer listed the folder when they're browsing the network folders, they could still get to it via UNC, which is still a security risk that we cannot take.
0
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 500 total points
ID: 24435044
I believe that if you grant Read permissions on just the Parent folder, you'd then be ok.
accessbased.bmp
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 

Author Comment

by:olinccu
ID: 24435223
So, to clarify, I would give READ access to all domain users on the root directory \\SERVER\USERS only.  Then, let's say I have a user named Jane Doe.  I would then make sure her permissions only give her (and appropriate administrative users) rights to her directory and the domain users would not be a part of her permissions.  Is that correct?  That definitely makes sense as far as keeping things secure.  Thanks for your input so far!
0
 
LVL 18

Expert Comment

by:Don S.
ID: 24435253
Here are the MS recommended permissions that I have used extensively and work correctly:

Redirected Folders Parent:

Creator Owner = Full Control, Subfolders and Files Only
Domain Users = List Folder/Read Data, Create Folders/Append Data - This Folder Only
System =  Full Control, This Folder, Subfolders and Files
Admistrators =  Full Control, This Folder, Subfolders and Files
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24435266
Yes, the way that it is set up here as shown above, users get access denied if trying to browse to other users folders.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24435305
0
 

Author Closing Comment

by:olinccu
ID: 31583645
I was hoping this would be the solution (or something similar).  But posting the question and having responses (and proof) that solidifies the answer is why I'm glad I've joined EE.  Thanks!!
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24435378
You're welcome!!!
 
And welcome to EE
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question