Solved

file server/2003 - only want a user to have permissions to create home folders on server

Posted on 2010-08-22
490 Views
Last Modified: 2013-12-02
Hello guys and thanks in advance for your time and expertise.  
I have four or five users that I would like to have permissions to create home folders for users on our network (on our file server) and that's it.
 The server is 2003 and we are at the functional level of 2003.
I have the file server in a servers OU and I went through the delegation of control wizard and that doesn't seem to be the answer for me.  I guess I could give the users permissions on the root drive (where our home folders are located), but I just wanted to check here to see if I'm handling this in the best way.  I guess what these users will need to do is log onto the file server and then create home folders for users and that's all I want them to do.  The previous admin had them in the Domain Admins group which is just nuts but that's the way it was.  Anyway, please let me know your input and recommendations for handling this operation.  Your help is greatly appreciated.
Question by:pendal1

14 Comments

Expert Comment

by:Will Szymkowski
ID: 33497754
Generally you should set permissions in both areas (NTFS/SHARE and setting OU delegation).

In order to have proper delegation you will need to set the delegation on the OU, but you also need to make sure that the group or user is also in this OU when you set the delegation.

I would recommend creating a group called "home folder administrators", adding your 4-5 users to this group and putting it in the Servers OU. Then set the delegation on this group.

Here is some more helpful info from techtarget.com
http://searchenterprisedesktop.techtarget.com/generic/0,295582,sid192_gci1050027,00.html

Hope this helps~!

Author Comment

by:pendal1
ID: 33497841
Thanks spec01.  That definitely helped and gave me some tips.  Here's what I'm thinking of doing: create an administrative OU.  I would put the home folder administrators in this administrative OU.  I would then create a sub OU to the servers OU and nest the file servers in the file servers OU.  I would then delegate control on the file servers OU and give the home folder administrators control over only shared objects because that's all they're going to be working with.  I also had to add the users to the Terminal users group so they could RDP into the servers.  Hope you agree with that.
I was testing this and security wise it seemed to work.  The users really couldn't do anything except work with shared folders.  I could create a new folder, and delete the folder.  However, I couldn't delete any of the existing folders and that would be a problem.  I guess this is where you're saying I have to give these users additional ntfs permissions on the root of these home folders.  Would that be correct?  Please let me know what you think of the way I have this laid out.  Your help is greatly appreciated.  

Expert Comment

by:OriNetworks
ID: 33497843
I'm not sure why we have to delegate OU permissions but I do agree with the suggestion to create a group. By default the NTFS permissions would give them access to the Users group, which they would probably be members of. I would suggest editing permissions at the root of the drive to remove the Users group and add the group you created. For the permissions, assign special permissions to only create folders. Of course you would then have to make sure the users' home folders allow them the access they need to create and delete files in their own folder.  http://support.microsoft.com/kb/308419

Expert Comment

by:Will Szymkowski
ID: 33499807
You delegate control so that they can setup the home folder within the users AD account.

For the NTFS permissions, just set allow inheritance on all of the folders they do not have access to. You should be able to do this from the top level Shared folder.

You are on the right track.

Author Comment

by:pendal1
ID: 33507259
OK - Here's where I'm at now.  As you guys know, I want these four or five users to create home folders/delete home folders on our file server.  That's it.  Spec01, you bring up a good point about setting up the home folder within the users' (user population) AD accounts.  With that in mind, do I have to delegate control of the users' OU and give my home folder administrators control over ACCOUNT OBJECTS OR CONTROL OVER THE ABILITY TO CREATE, MANAGE, AND DELETE ACCOUNT OBJECTS?  Additionally, do I have to delegate control over the file servers OU and then give the home folder administrators control over SHARED FOLDERS?  And then finally give the home folder administrators NTFS permissions on the root of the home folders share?  Hope that makes sense and thanks for the help.

Author Comment

by:pendal1
ID: 33507399
Here's something that I found strange.  I gave my test user full control of the home folder share.  This is the share that has all of the home folders.  I can create a new folder and then delete this new folder.  However,  I'm unable to delete any of the existing home folders or view their contents.  What am I missing here as I gave this user full control of the home folder share.  Thanks.

Author Comment

by:pendal1
ID: 33518118
My problem now is the NTFS permissions are not propagating to the child shares and the files therein.  The guys who set them up previously turned off inheritance on these child folders.  I could force new permissions via replace but I don't want to do that because each folder has permissions specific to a user and I can't simulate that at the top level of the share.  The only user that has the access I need is the administrator but I hate to give these people that kind of access on this server.  If anyone knows of a way to propagate the NTFS permissions - I'd love to hear it.  Thanks.

Expert Comment

by:OriNetworks
ID: 33520672
The point is not to have permission inheritance from the parent so other users can't read a different user's files. What you need to do is give the person that is assigned to the folder full permissions to the folder that is to contain their files.

Author Comment

by:pendal1
ID: 33526878
OriNetworks - these people that I'm trying to set up are going to be home folder administrators.  I need them to create/delete and view users' home folder contents if necessary, because as I said, they are going to manage this data.  I would need this level of permissions to be inherited on all the home folders but it's not happening because inheritance is turned off on all the child objects (shares).  And I can't replace permissions because then I lose the individual users' permissions on their shares.  I think my only hope is to make these users administrators on the server.  I hate to do it but I will let you know how that works.

Author Comment

by:pendal1
ID: 33527285
Here's what I've done.  This solution so far, based on your recommendations and my testing, is the best I've been able to come up with.   I created a domain local security group and gave that group full control of the top level share.  I then created a global security group, composed of my home folder admins, and nested that group in my domain local security group.  
However, because of inheritance and because explicit permissions have to stay put on the child objects (home folders - the specific user permissions on their shares), I was unable to replace permissions and set them up as I would like and let them propagate, because then I would lose my explicit permissions.  There just doesn't seem to be any way around that.
So for these home folder administrators to do what they need to do: create folders/delete folders and view the contents of folders - I had to put my home folder admins in the local Admins group, which has permissions on all of the relevant objects.  I'm not thrilled with these guys having such rights on my file server but we have to start delegating some of this data management as our user population is huge.  Anyway, this is the only way this process works.  And it is much better than having these guys with domain admin rights.  Now they can only screw up my file server, and while that would suck, at least they can't screw up the entire domain.
If anyone has a better way with less permissions for these guys on my file server - I'd love to implement it.  Appreciate any comments on the way I've handled this.  Thanks very much.  

Expert Comment

by:OriNetworks
ID: 33554142
Sorry for the misunderstanding, I was thinking they only needed to create the users' home folders and not have to view the contents. Since you have a large user base the first thing that comes to mind is scripting, and the easiest way would be PowerShell. Personally I'm not familiar enough to be able to generate an entire script specifically for this purpose, but it's rather easy to find scripts and combine them to accomplish this. It sounds like you need

Lookup a list of all child folders and | (pipe) the results to set permissions to add your admin group.

Here are a few links to get started
http://www.powershell.nu/2009/02/13/set-folder-permissions-using-a-powershell-script/

http://blogs.msdn.com/b/johan/archive/2008/10/01/powershell-editing-permissions-on-a-file-or-folder.aspx

and for checking existing permissions: http://powershell.com/cs/blogs/tips/archive/2009/03/05/checking-file-and-folder-permissions.aspx

I hope this helps.
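The loop OriNetworks describes, as an added PowerShell example (not code from the thread or from the linked posts): it enumerates the child folders of the home share and appends one explicit ACE for the delegated group, leaving each user's existing explicit permissions and the folders' disabled inheritance untouched. It assumes the share root D:\Home and the domain local group CONTOSO\HomeFolderAdmins, grants Modify rather than Full Control, and only reports until run with -Apply.

```powershell
# Added example, not code from the thread: grant a delegated group an explicit ACE
# on every existing home folder without replacing the per-user permissions.
# Assumed values: share root D:\Home, domain local group CONTOSO\HomeFolderAdmins.
param(
    [string]$HomeRoot   = 'D:\Home',                    # assumed path of the home folder share root
    [string]$AdminGroup = 'CONTOSO\HomeFolderAdmins',   # assumed group holding the home folder admins
    [switch]$Apply                                       # without -Apply the script only reports
)

# Modify covers create, delete, read and write; unlike FullControl it does not let the
# group change permissions on or take ownership of a user's folder.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $AdminGroup, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

# Filtering on PSIsContainer works on the PowerShell 1.0/2.0 builds available for
# Server 2003; the -Directory switch of Get-ChildItem needs PowerShell 3.0 or later.
Get-ChildItem -Path $HomeRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder = $_.FullName
    $acl = Get-Acl -Path $folder

    # Idempotent: skip folders that already carry an explicit ACE for the group.
    $already = $acl.Access | Where-Object {
        (-not $_.IsInherited) -and ($_.IdentityReference.Value -eq $AdminGroup)
    }
    if ($already) {
        Write-Host "SKIP   $folder (group already granted)"
        return
    }

    # AddAccessRule appends one entry; the user's own explicit ACEs stay in place and
    # the folder's disabled inheritance is left exactly as the previous admin set it.
    $acl.AddAccessRule($rule)

    if ($Apply) {
        Set-Acl -Path $folder -AclObject $acl
        Write-Host "GRANT  $folder"
    } else {
        Write-Host "DRYRUN $folder (rerun with -Apply to change the ACL)"
    }
}
```

Run it once from an account that already holds change-permission rights on the home folders (the existing administrator), so the delegated group itself never needs to be a local administrator on the file server.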

Accepted Solution

by:OriNetworks (earned 500 total points)
ID: 33554171

Author Closing Comment

by:pendal1
ID: 33629962
Thanks for your time and patience in helping me resolve this problem.  Much appreciated.