binghamacademy
asked on
How to secure rediredted folders share so that users could not see each others profile?
Hi,
I have a windows2003 server network with XP pro clients and several users who share the computers, Since most of the computers are in a lab - and shared - I had setted up folder redirection on my documents, desktop and application data,
Now the problem i am having is that if a smart person types \\servername\home\redirect
he will see everyones profile including his and could open and see the content,
The Security Permissions on home are
Everyone: write
System: Full
Users: Read& Execute, List Folder Contents, Read
And the Sharing Permissions are everyone full control,
And the Security Permissions on RedirectedFolder are all inherited from the home drive,
Should i change the share permissions or is there something i am missing?
I have a windows2003 server network with XP pro clients and several users who share the computers, Since most of the computers are in a lab - and shared - I had setted up folder redirection on my documents, desktop and application data,
Now the problem i am having is that if a smart person types \\servername\home\redirect
he will see everyones profile including his and could open and see the content,
The Security Permissions on home are
Everyone: write
System: Full
Users: Read& Execute, List Folder Contents, Read
And the Sharing Permissions are everyone full control,
And the Security Permissions on RedirectedFolder are all inherited from the home drive,
Should i change the share permissions or is there something i am missing?
Brian Pierce
I assume that the permissions are all correcy and the users can see, but not access each others files - in that case you need to impliment access based enumeration http://www.windowsnetworking.com/articles_tutorials/Implementing-Access-Based-Enumeration-Windows-Server-2003.html
Dear,
I have my server setup like this :
Home Folder :
Authenticated Users Read&Execute
Administrators Full control
Then for each username, create a folder name of the username, and put the username access like :
\\server\home\username01
Username01 Full control
Administrators Full control
Then nobody could go inside the folder of the username, with another username.
Best Regards
I have my server setup like this :
Home Folder :
Authenticated Users Read&Execute
Administrators Full control
Then for each username, create a folder name of the username, and put the username access like :
\\server\home\username01
Username01 Full control
Administrators Full control
Then nobody could go inside the folder of the username, with another username.
Best Regards
ASKER
They can also access and open files on some bodys profile,
The ABE seams a good idea but my file server is also the domain controller and runs some other services as well - i.e it is already busy and i am afraid it the processing overhead it create may slow the server down,
So isn't there any other way of denying permissions to users on all folders except their own?
The ABE seams a good idea but my file server is also the domain controller and runs some other services as well - i.e it is already busy and i am afraid it the processing overhead it create may slow the server down,
So isn't there any other way of denying permissions to users on all folders except their own?
ASKER
Ok, the second comment was posted while i was replaying to the first one - give me some minutes and i will replay to that,
If you use a group policy to re-diredt folders then this is done autoamagically - see http://www.computerperformance.co.uk/w2k3/gp/group_policy_folder_redirect.htm
If you do it manually (why would you?) then do it as MadShiva suggests
If you do it manually (why would you?) then do it as MadShiva suggests
ASKER
The folder redirection was all created using group policy and i do not want to do it manually. But since i am having this problem will it be okay if i apply what MadShiva suggested ? and should i remove the users group after adding the authenticated users ?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
OK but what is the difference b/n applying the Authenticated Users entry to "This Folder only" and "This folder and Subfolders, i am asking you this because on my current settings the entry for Users is set that way and since Authenticated Users is going to replace Users so that users can get into their profile - does this create a discrepancy,
the other reason - which i should have mentioned earlier - is my exact folder structure is as follows \\servername\home\redirect
So unless i apply the "This folder and Subfolders" in the home share those settings may not get inherited to the profiles inside the redirectedfloders folder - and since i would like to apply this changes on the share level, i.e in the home drive - what is you advise ?
Many Thanks
the other reason - which i should have mentioned earlier - is my exact folder structure is as follows \\servername\home\redirect
So unless i apply the "This folder and Subfolders" in the home share those settings may not get inherited to the profiles inside the redirectedfloders folder - and since i would like to apply this changes on the share level, i.e in the home drive - what is you advise ?
Many Thanks
ASKER
Ok - I am going to Apply the above for This Folder and SubFolders and see if it can solve it and will post back the results ASA i have them ( i am in working on a school environment - so I will try the changes at the week end)
Ok, I guess the easiest way to explain this is start my instructions from the folder immediately above your user's profile folders. It's important to use the exact settings I specified or else you'll apply settings to all your users' subfolders, and you don't want that.
ASKER
I still would prefer to apply all changes on a share level - so i am going to try that first and then if that created another problem i will have to do it on the folder that contain the user profiles,
(We are having a one week school break next week - so plenty of time to experiment - But i will take note of all share level permissions before doing anything)
But i believe that will fix it - so thank you,
Pff point should go to me