iNetSystem asked:

Active Directory Home Folder Permission

I believe by default Active Directory gives Full permission to a user's Home Folder.  Is there a way to change the default to use Modify instead?
Justin Yeung:

Active Directory doesn't grant the "permission" when creating a user's home folder; the permission is inherited from the root of the shared folder.

It only creates the "folder" for the user, so if you want to modify the permission,

change "CREATOR OWNER" to the permission that you prefer.
iNetSystem (asker):
OK that makes sense. When I look at creator owner under the top level share it has "Special Permissions".  What would I need to do?
This is not true.
When you create the Home directory root share, you grant Authenticated Users Change share permissions, according to the article below:
http://support.microsoft.com/kb/555046

Now, when you create the home directory from the user's Properties > Profile tab, it creates a new folder underneath the root folder with the same name as the user and grants the user Full Control permission on his home directory, whether or not the CREATOR OWNER group is on the home drive root directory, and regardless of whether you change the CREATOR OWNER permissions.

If you want users to have Modify permissions, you need to go to every user's home directory manually and remove the Full Control permission there.

Roaming profiles are the case where you don't have permission to access the roaming profile, and hence you need to take ownership of the roaming profile folder before editing it.
But that is not the case here.

Mahesh.
Hmmm...

So is it standard practice to allow users to have Full permissions to their home folder, where they can change permissions and take ownership, or is it more standard to have the folder created and then go into it and change it?
Mahesh,

Are you positive I would need to manually change each folder after creation to change from Full to Modify?
Yes.
You may use a script to do that, but it seems to be a complex script, because every home directory has its associated user with Full Control, and you need to make the change per directory, per associated user.

OR

You can simply change the permissions manually when you create the home directory at the start.

Maybe some expert can help you with a script.
Also note that every user has Full Control permissions on his own home drive only.
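A script for the per-folder fix Mahesh describes, as an added PowerShell example that is not part of the original thread. It assumes the home directory root is D:\Users (a hypothetical path), that each sub-folder is named after its owner's sAMAccountName (which is how ADUC creates them), and that the explicit Full Control ACE on each folder is the one to downgrade. Modify lacks the WRITE_DAC and WRITE_OWNER rights, which is exactly what the asker wants to take away; run with -DryRun first to see what would change.

```powershell
<#
  Added example, not from the original thread. Replaces each user's explicit
  Full Control ACE on his own home directory with Modify.
  Assumptions: $HomeRoot is the home directory root (hypothetical path) and
  each sub-folder is named after the user's sAMAccountName.
#>
param(
    [string]$HomeRoot = 'D:\Users',          # assumption: root of the home directories
    [string]$Domain   = $env:USERDOMAIN,     # NetBIOS domain name of the users
    [switch]$DryRun                          # report only, do not call Set-Acl
)

$FSR = [System.Security.AccessControl.FileSystemRights]

Get-ChildItem -Path $HomeRoot -Directory | ForEach-Object {
    $folder   = $_.FullName
    $identity = "$Domain\$($_.Name)"         # folder name == sAMAccountName
    $acl      = Get-Acl -Path $folder

    # Explicit (not inherited) Allow ACEs that grant this user Full Control.
    $fullCtl = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $identity -and
        $_.FileSystemRights -eq $FSR::FullControl
    })
    if ($fullCtl.Count -eq 0) {
        Write-Warning "$folder : no explicit Full Control for $identity, skipping"
        return
    }

    foreach ($ace in $fullCtl) { [void]$acl.RemoveAccessRule($ace) }

    # Modify on this folder, subfolders and files. Modify does not include
    # Change Permissions or Take Ownership, so the user keeps add/edit/delete
    # on his own files but can no longer rewrite the ACL.
    $modify = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $identity,
        $FSR::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($modify)

    # The owner of an object can always rewrite its DACL, whatever the ACEs say,
    # so flag folders where the user is also the owner.
    if ($acl.Owner -eq $identity) {
        Write-Warning "$folder : $identity is also the owner and can still change permissions"
    }

    if ($DryRun) {
        Write-Output "DryRun: would replace Full Control with Modify for $identity on $folder"
    } else {
        Set-Acl -Path $folder -AclObject $acl
        Write-Output "Replaced Full Control with Modify for $identity on $folder"
    }
}
```

The script only touches the explicit ACE for the folder's own user and leaves SYSTEM, Administrators and any inherited entries alone; folders whose name does not match a user (or that already have Modify) are skipped with a warning rather than modified. Because the new ACE is inheritable, Set-Acl propagates it to the existing files and subfolders underneath.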
ASKER CERTIFIED SOLUTION (discgman)
discgman,

That is incorrect. With Modify permissions a person can add, delete, modify, etc.
inetsystem, that is correct.
As standard practice, all of our users' home folders are Modify only. They can add, modify and delete contents, no problem. Are you suggesting something else?
Hi,

I have another suggestion, instead of modifying the NTFS permissions.

You can change the share permission to Modify.

For the Home Directory folder, let us say \\in-dc01\users,

the Users share permission has to be changed to Modify.

Since users access the folder via the share, only the Modify permission will be effective; the Full permission won't work.

Hope this helps.

Cheers,
Prem
Hi Prem,

Only the Home directory root folder gets shared, and the Authenticated Users group already has Change share permissions on this root share.

By design, the home directory gets created with Full Control NTFS permissions for the respective user.

So the only option left is to change the user's Full Control NTFS permission to Modify on the respective home directory.

Mahesh.
Hi Mahesh,

Yes. If we change the share permission for Authenticated Users to Modify, then the users will get only Modify permission instead of Full permission, even though they have Full NTFS permission on the folder.

Since the user will access the folder via the share, the least permission between share and NTFS takes priority.

So here the Modify permission will apply.

Please let me know if you have any concern.

Regards,
Prem
Note that Authenticated Users already have Change share permissions on the home drive root folder.

So where are you going to provide them Modify permissions now?

Note that whenever you set home drives, the system will automatically grant those users Full Control permissions on the respective home folder.
The author can grant each user Modify NTFS permissions on his own home drive at most?

Mahesh.
If the share permission is Modify, the user will receive Modify permission only, even if the NTFS permission is Full.

Hi iNetSystem,
Could you confirm the level of share permission for Authenticated Users on the Users share?

Regards,
Prem
Hi Prem,

Is what you are posting above the author's actual question?

Unfortunately, the way home drive permissions are set is such that it grants the respective user Full Control NTFS permissions only, and you need to change it manually.

Check the article below, which is already posted in my earlier comment:
http://support.microsoft.com/kb/555046

Mahesh.
Hi Mahesh,

I agree...

But when the user accesses the home directory via "\\inddc01\users\ravi",

ravi will have Full NTFS permission there, but when the network drive maps the folder to the user's system, they will have Modify permission.

This is my point. If the requestor's concern is the NTFS Full permission, he can use a script to change the permission for all users.

If the requestor is concerned that the users would get Full permission, then he need not worry, since the permission the end user will get is Modify while accessing via the share "\\inddc01\users\ravi", because the share permission is Modify.

Do you agree?

Regards,
Prem
At the Users share level, Authenticated Users have Full Control.
Hi Prem,
The issue here is different; it's not about Modify versus Full Control permissions.

@iNetSystem

If I understand correctly, your problem is that all users can browse other users' home directories.

However, if you follow the above KB article exactly, you don't have to worry about whether users have Full Control or Modify permissions on their home directories:
http://support.microsoft.com/kb/555046

If you set up home directories on a member server:
1st, set up the root folder with Authenticated Users Change share permissions.
Then go to the Security tab of that folder and go to Advanced.
1st, clear the inheritance check box and select Add.
Then remove CREATOR OWNER.
Then add Authenticated Users with Read permissions, Traverse folder / Execute files, List folder / Read data and Read attributes, with the permission scope "This folder only".

This means that if you look at the Sharing tab of the folder, only Authenticated Users will be there, with Change share permissions.
Also, on the Security tab, only SYSTEM and servername\Administrators will have Full Control, servername\Users (local users) will have Read permissions, and the last entry is Authenticated Users with the special permissions mentioned in the above KB article.

If you have the Home directory root share on a DC, ensure that you remove domain\Users from the NTFS security.

Now, when you create home directories from the user's properties in Active Directory, it will create the home directory folder with Full Control NTFS permissions for the respective user on that directory. This is by design and required, as this folder is used by the respective domain user exclusively.
Now, even if a user tries to access another user's home folder, he will get an access denied error.

What you have set in your home directories is that you have granted Authenticated Users Full Control on the share permissions, and at the same time you have not restricted them through NTFS permissions.

Microsoft has made home drive access exclusive to the user, and one user cannot access another user's home drive if it is set up properly as above.

Mahesh.
The Users folder is shared, and Authenticated Users have Full Control.
The Users folder has these NTFS permissions: CREATOR OWNER, SYSTEM, Domain Admins and Administrators have Full Control.

In AD Users and Computers, when a new account is created, we have the Profile tab's Home folder automatically connect U: as the drive mapping and give it a path under the Users folder I am having a problem with.

When the new account is created, the folder is created under Users, but with Full permissions.

With Full, the user can change ownership as well as remove accounts. We only need them to add or delete their files.
The way you explained it, you have kept Authenticated Users with Full Control share permissions on the Users share.
1st, you need to remove the Full Control share permission for Authenticated Users on the home directory root share, as indicated in the KB, so that they get Change share permissions only.
Then go to the Security tab of that root folder and go to Advanced.
1st, clear the inheritance check box and select Add.
Then remove CREATOR OWNER.
Then add Authenticated Users with Read permissions, Traverse folder / Execute files, List folder / Read data and Read attributes, with the permission scope "This folder only".

This will restrict users with Full Control NTFS permissions to their own profile folder only, and they can't even access another user's home directory.

Now you need to check whether Authenticated Users have Full Control on each user's home drive; if you find that they do, you need to remove Authenticated Users from every user's home directory folder.

Mahesh.
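The root-share setup that Mahesh's two procedures (and KB 555046) describe, as an added PowerShell example that is not part of the original thread. The path D:\Users, the share name Users and the use of PowerShell 5 or later with the SmbShare module on the file server are assumptions. Following the thread, it leaves the copied BUILTIN\Users entries alone (the "local users with Read" Mahesh mentions) and removes Domain Users only if an entry for it is present, so it serves both the member-server and the DC case.

```powershell
<#
  Added example, not from the original thread: builds the home directory
  root share the way KB 555046 and the posts above describe.
  Assumptions: $HomeRoot and $ShareName are hypothetical; run elevated on
  the file server; requires the SmbShare module (Server 2012 or later).
#>
$HomeRoot  = 'D:\Users'                              # assumption
$ShareName = 'Users'                                 # assumption
$AuthUsers = 'NT AUTHORITY\Authenticated Users'
$IF  = [System.Security.AccessControl.InheritanceFlags]
$PF  = [System.Security.AccessControl.PropagationFlags]
$FSR = [System.Security.AccessControl.FileSystemRights]

New-Item -Path $HomeRoot -ItemType Directory -Force | Out-Null

# Share permissions: only Authenticated Users, with Change, not Full Control.
# New-SmbShare adds no "Everyone Read" entry when an access list is given.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $HomeRoot -ChangeAccess $AuthUsers | Out-Null
}

$acl = Get-Acl -Path $HomeRoot

# "Clear the inheritance check box and select Add": stop inheriting from the
# volume root but keep copies of the inherited ACEs (SYSTEM, Administrators,
# local Users), which the loop below prunes.
$acl.SetAccessRuleProtection($true, $true)

# Remove CREATOR OWNER (so a new sub-folder does not hand its creator Full
# Control), any copied Authenticated Users entry (it gets a narrower one
# below) and, on a DC, Domain Users.
foreach ($ace in @($acl.Access)) {
    $id = $ace.IdentityReference.Value
    if ($id -eq 'CREATOR OWNER' -or $id -eq $AuthUsers -or $id -like '*\Domain Users') {
        [void]$acl.RemoveAccessRuleAll($ace)
    }
}

# Authenticated Users: Read permissions, Traverse folder / Execute file,
# List folder / Read data and Read attributes, scoped to "This folder only"
# (no inheritance). Users can reach the root to get to their own folder but
# receive no rights on anyone else's home folder beneath it.
$rights = $FSR::ReadPermissions -bor $FSR::Traverse -bor $FSR::ListDirectory -bor $FSR::ReadAttributes
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $AuthUsers, $rights, $IF::None, $PF::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $HomeRoot -AclObject $acl

# Verify: the share should list only Authenticated Users with Change, and the
# NTFS ACL should show no CREATOR OWNER and no inherited entries.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $HomeRoot).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

After this, a home folder created from the user's Profile tab in ADUC still receives the by-design Full Control ACE for that user, but nothing on the root grants other users a path into it. Review the remaining copied BUILTIN\Users entries in the verification output and remove anything that grants more than read, since the defaults on a freshly formatted volume can be broader than the thread assumes.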
Hi Mahesh,
Now you will have understood that I am on the right path.

Hi iNetSystem,
For your requirement, changing the share permission for the Users share from Full to Change will fulfil your requirement,
instead of modifying all the users' home folders...!!!

Let me know if you have any questions.

Cheers,
Prem
Hi Prem,
You are right in theory that if the share permissions are Change, then the user should not get Full Control NTFS permissions (effective permissions).

But home directories are a special case, where the user gets Full Control NTFS permission on his respective home drive; however, that does not mean he should get permissions to all the home directories in the root share.

Having the share permissions at Full Control is not the real issue here.
It's possible to have Authenticated Users with Full Control share permissions and still restrict each user to his respective home directory only.
Check the article below for more info:
http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

The important point here is that he has not given Authenticated Users the explicit NTFS permissions on the home directory root share folder, as stated in my earlier comment (or the KB article), to restrict their access to only their respective home drive.

I have just asked him to follow the best practice in the KB article.

Mahesh.