Solved

Active Directory Home Folder Permission

Posted on 2014-04-07
Last Modified: 2014-05-06
I believe by default Active Directory gives Full permission to a user's Home Folder.  Is there a way to change the default to use Modify instead?
Question by:iNetSystem
24 Comments

Expert Comment

by:Justin Yeung
ID: 39983568
Active Directory doesn't give the "permission" when creating the user's home folder; the permission is inherited from the root of the shared folder.

It only creates the "folder" for the user, so if you want to modify the permissions, change "Creator Owner" to the permissions that you prefer.

Author Comment

by:iNetSystem
ID: 39983595
OK, that makes sense. When I look at Creator Owner under the top-level share it has "Special Permissions". What would I need to do?

Expert Comment

by:Mahesh
ID: 39983720
This is not true.
When you create the home directory root share, you grant Authenticated Users Change share permissions, according to the article below:
http://support.microsoft.com/kb/555046

Now, when you create the home directory from the user's Properties > Profile tab, it creates a new folder underneath the root folder with the same name as the user and grants the user Full Control on his home directory, no matter whether the Creator Owner group is there or not on the home drive root directory, or whether you change the Creator Owner permissions.

If you want users to have Modify permissions, you need to manually go to every user's home directory and remove the Full Control permission there.

Roaming profiles are the ones where you don't have permission to access them, and hence you need to take ownership of the roaming profile folder before editing it.
But that's not the case here.

Mahesh.

Author Comment

by:iNetSystem
ID: 39983765
Hmmm...

So is it standard practice to allow users to have Full permissions to their home folder, where they can change permissions and take ownership, or is it more standard to have the folder created and then go into it and change it?

Author Comment

by:iNetSystem
ID: 39983847
Mahesh,

Are you positive I would need to manually change each folder after creation to change from Full to Modify?

Expert Comment

by:Mahesh
ID: 39983873
Yes.
You may use a script to do that, but it seems it would be a complex script, because every home directory has its associated user with Full Control and you need to make the change per directory, per associated user.

OR

You can simply change the permissions manually when you create the home directory at the start.

Maybe some expert can help you with a script.
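The per-directory, per-user change described in the comment above, as an added PowerShell example that is not part of the original thread. It assumes the home-directory root is a local path such as D:\Users on the file server (a hypothetical path) and that each subfolder is named after the user's sAMAccountName, which is how ADUC names the folder it creates. For each folder it finds the explicit Allow ACE that grants that user Full Control and swaps it for Modify, keeping the ACE's inheritance flags so the change flows to the files below. Run it elevated on the file server; -WhatIf shows what would change without touching anything.

```powershell
# Added example, not from the thread: downgrade each user's FullControl ACE on
# his own home folder to Modify. $HomeRoot and the "folder name = username"
# convention are assumptions (they match how ADUC creates home folders).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$HomeRoot = 'D:\Users',       # assumed local path of the home root
    [string]$Domain   = $env:USERDOMAIN   # NetBIOS domain used in the ACE identity
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
# What the GUI sets when you tick "Modify": Modify plus Synchronize
$modify = [System.Security.AccessControl.FileSystemRights]::Modify -bor
          [System.Security.AccessControl.FileSystemRights]::Synchronize

foreach ($dir in Get-ChildItem -Path $HomeRoot -Directory) {
    $identity = "$Domain\$($dir.Name)"
    $acl = Get-Acl -Path $dir.FullName

    # Only explicit (non-inherited) Allow ACEs for the folder's own user that
    # carry the full FullControl mask are candidates.
    $aces = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ieq $identity -and
        ($_.FileSystemRights -band $fullControl) -eq $fullControl
    })
    if ($aces.Count -eq 0) {
        Write-Verbose "$($dir.FullName): no explicit FullControl ACE for $identity, skipping"
        continue
    }

    foreach ($ace in $aces) {
        # Same identity and inheritance scope, just a smaller rights mask
        $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace.IdentityReference, $modify, $ace.InheritanceFlags,
            $ace.PropagationFlags, 'Allow')
        $null = $acl.RemoveAccessRule($ace)
        $acl.AddAccessRule($newAce)
    }

    if ($PSCmdlet.ShouldProcess($dir.FullName, "FullControl -> Modify for $identity")) {
        Set-Acl -Path $dir.FullName -AclObject $acl
    }
}
```

Because the replacement ACE keeps the original inheritance flags, files and subfolders that only inherit their rights pick up the change when Set-Acl rewrites the parent; any file that already carries its own explicit ACE for the user is not rewritten. One caveat worth knowing before relying on Modify as a hard limit: Windows always lets the owner of an object read and change its DACL, and a user owns the files he creates in his own home folder, so Modify on the folder stops him from re-permissioning the folder itself, not files he created.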

Expert Comment

by:Mahesh
ID: 39983881
Also note that every user has Full Control permissions on his own home drive only.

Accepted Solution

by:discgman (earned 500 total points)
ID: 39983889
"So is it standard practice to allow users to have full permissions to their home folder where they can change permissions and take ownership or more standard to have the folder created then go in to it and change it?"

Yes, or otherwise you are manually giving people Full permissions if they want to do adds or changes on their own files. You can do a script, but it must be a script that propagates down to the root of each folder, or else the files in the folders are not changed. Here is a TechNet link for more information.

http://social.technet.microsoft.com/Forums/scriptcenter/en-US/815ce790-529f-4223-804d-374bfcac91c3/script-to-automate-change-of-folder-permissions-and-ownership-based-on-the-name-of-the-folder?forum=ITCG

Author Comment

by:iNetSystem
ID: 39983932
discgman,

That is incorrect.  With MODIFY permissions a person can add, delete, modify, etc.

Expert Comment

by:discgman
ID: 39984224
inetsystem, that is correct.

Author Comment

by:iNetSystem
ID: 39984515
As standard practice, all of our users' home folders are Modify only. They can add, modify and delete contents, no problem. Are you suggesting something else?

Expert Comment

by:Premkumar Yogeswaran
ID: 39985375
Hi,

I have another suggestion, instead of modifying the NTFS permissions.

You can change the share permission to Modify.

For the home directory folder, let us say \\in-dc01\users,

the Users share permission has to be changed to Modify.

Since users access the folder via the share, only the Modify permission will be effective; the Full permission won't work.

Hope this helps.

Cheers,
Prem

Expert Comment

by:Mahesh
ID: 39985638
Hi Prem,

Only the home directory root folder gets shared, and the Authenticated Users group already has Change share permissions on this root share.

By design, the home directory gets created with Full Control NTFS permissions for the respective user.

So the only option left is to change the user's Full Control NTFS permissions to Modify on the respective home directory.

Mahesh.

Expert Comment

by:Premkumar Yogeswaran
ID: 39986118
Hi Mahesh,

Yes. If we change the share permission for Authenticated Users to Modify, then the users will get only Modify permission instead of Full permission, even though they have Full NTFS permission on the folder.

Since the user accesses the folder via the share, the lesser permission between share and NTFS takes priority.

So here the Modify permission will apply.

Please let me know if you have any concern.

Regards,
Prem
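The "lesser of share and NTFS" rule in the comment above, worked through as an added PowerShell example that is not part of the original thread. The three masks are the standard access masks behind the Read, Change and Full Control share permissions (read-and-execute, Modify, and Full Control, each with Synchronize); they come from the Windows access-mask definitions, not from the thread. The function ANDs the NTFS rights with the share mask, so you can see exactly which rights a Change share strips from a user who holds Full Control on disk.

```powershell
# Added example, not from the thread: effective rights over a share are the
# NTFS rights masked by the share permission. Masks below are the standard
# SMB share access masks, stated here as an assumption for the illustration.
$FSR = [System.Security.AccessControl.FileSystemRights]
$ShareMask = @{
    Read        = [int]($FSR::ReadAndExecute -bor $FSR::Synchronize)   # 0x1200A9
    Change      = [int]($FSR::Modify -bor $FSR::Synchronize)           # 0x1301BF
    FullControl = [int]$FSR::FullControl                                # 0x1F01FF
}

function Get-EffectiveShareAccess {
    param(
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$NtfsRights,
        [Parameter(Mandatory)][ValidateSet('Read', 'Change', 'FullControl')][string]$SharePermission
    )
    $ntfs = [int]$NtfsRights
    $mask = $ShareMask[$SharePermission]
    [PSCustomObject]@{
        SharePermission = $SharePermission
        NtfsRights      = $NtfsRights
        # Bits present in both: what the user can actually do through the share
        Effective       = [System.Security.AccessControl.FileSystemRights]($ntfs -band $mask)
        # Bits granted by NTFS but removed by the share permission
        CutOffByShare   = [System.Security.AccessControl.FileSystemRights]($ntfs -band (-bnot $mask))
    }
}

# The thread's situation: the user holds Full Control in NTFS on his home folder.
Get-EffectiveShareAccess -NtfsRights FullControl -SharePermission FullControl
Get-EffectiveShareAccess -NtfsRights FullControl -SharePermission Change
```

With the share at Change the second call reports Effective = Modify, Synchronize and CutOffByShare = DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, which is precisely the ownership and permission-editing capability the question is about. The caveat a practitioner should keep in mind is that the share mask only applies to SMB access: anyone who reaches the folder by a local path on the file server (console or RDP logon, a scheduled task, a backup agent) is governed by the NTFS ACL alone, so the share permission is a cap on remote users, not a substitute for the NTFS fix.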

Expert Comment

by:Mahesh
ID: 39986134
Note that Authenticated Users already have Change share permissions on the home drive root folder.

So where are you going to provide them Modify permissions now?

Note that whenever you set home drives, the system automatically grants those users Full Control permissions on their respective home folder.
At most, the author can grant each user Modify NTFS permissions on his own home drive?

Mahesh.

Expert Comment

by:Premkumar Yogeswaran
ID: 39986172
If the share permission is Modify, the user will receive Modify permission only, even if the NTFS permission is Full.

Hi iNetSystem,
Could you confirm the level of share permission for Authenticated Users on the Users share?

Regards,
Prem

Expert Comment

by:Mahesh
ID: 39986243
Hi Prem,

What you are posting above is the author's actual question?

Unfortunately, the way home drive permissions are set is such that it grants the respective user Full Control NTFS permissions only, and you need to set it manually.

Check the article below, which was already posted in my earlier comment:
http://support.microsoft.com/kb/555046

Mahesh.

Expert Comment

by:Premkumar Yogeswaran
ID: 39986287
Hi Mahesh,

I agree...

But when the user accesses the home directory via "\\inddc01\users\ravi":

here ravi will have Full NTFS permission, but when the network drive maps the folder to the user's system, he will have Modify permission.

This is my point. If the requestor's concern is the Full NTFS permission, he can use a script to change the permission for all users.

If the requestor's concern is that the users would get Full permission, then he need not worry, since the permission the end user will get is Modify while accessing via the share like "\\inddc01\users\ravi", since the share permission is Modify.

Do you agree?

Regards,
Prem

Author Comment

by:iNetSystem
ID: 39986507
At the Users share level Authenticated Users have Full Control.

Expert Comment

by:Mahesh
ID: 39987141
Hi Prem,
The issue here is different; it's not about Modify or Full Control permissions.

@iNetSystem

If I understand correctly, your problem is that all users can browse other users' home directories.

However, if you follow the KB article below exactly, you don't have to worry about whether users have Full Control or Modify permissions on their home directories:
http://support.microsoft.com/kb/555046

If you set up home directories on a member server:
1st, set up the root folder with Authenticated Users: Change share permissions.
Then go to the Security tab of that folder and go to Advanced.
1st, clear the inheritance check box and select Add.
Then remove Creator Owner.
Then add Authenticated Users with Read Permissions, Traverse Folder / Execute File, List Folder / Read Data and Read Attributes, with the permission scope set to This folder only.

This means that if you look at the Sharing tab of the folder, only Authenticated Users will be there, with Change share permissions.
Also, on the Security tab, only SYSTEM and servername\Administrators will have Full Control, servername\Users (local users) will have Read permissions, and the last one is Authenticated Users with the special permissions mentioned in the KB article above.

If you have the home directory root share on a DC, ensure that you remove domain\Users from the NTFS security.

Now, when you create home directories from the Active Directory user's properties, it will create the home directory folder with Full Control NTFS permissions for the respective user on that directory. This is by design and required, as this folder is used exclusively by the respective domain user.
Now, even if a user tries to access another user's home folder, he will get an access denied error.

What you have set in your home directories is that you have granted Authenticated Users Full Control on the share permissions, and at the same time you have not restricted them through NTFS permissions.

Microsoft has made home drive access exclusive to the user, and one user cannot access another user's home drive if it is set properly as above.

Mahesh.

Author Comment

by:iNetSystem
ID: 39987720
The Users folder is shared, and Authenticated Users have Full Control.
The Users folder has these NTFS permissions: Creator Owner, System, Domain Admins and Administrators have Full Control.

In AD Users and Computers, when a new account is created, we have Profile > Home Folder automatically connect to U: as the drive mapping and give it a path under the Users folder I am having the problem with.

When the new account is created, the folder is created under Users, but with Full permissions.

With Full, the user can change ownership as well as remove accounts. We only need them to add or delete their files.

Expert Comment

by:Mahesh
ID: 39987942
The way you explained it, you have kept Authenticated Users Full Control share permissions on the Users share.
1st, you need to remove the Full Control share permissions for Authenticated Users on the home directory root share, as indicated in the KB, so that they get Change share permissions only.
Then go to the Security tab of that root folder and go to Advanced.
1st, clear the inheritance check box and select Add.
Then remove Creator Owner.
Then add Authenticated Users with Read Permissions, Traverse Folder / Execute File, List Folder / Read Data and Read Attributes, with the permission scope set to This folder only.

This will restrict users with Full Control NTFS permissions to their own profile folder only, and they can't even access another user's home directory.

Now you need to check whether Authenticated Users have got Full Control on each user's home drive; if you find that, you need to remove Authenticated Users from every user's home directory folder.

Mahesh.
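The root-share setup and the follow-up check in the comment above, as an added PowerShell example that is not part of the original thread or the KB article. The share name, the local path D:\Users and the domain are assumptions. It sets the share to Change for Authenticated Users, breaks inheritance on the root while keeping copies of the inherited ACEs, drops CREATOR OWNER, grants Authenticated Users list/traverse/read-attributes on the root folder only, and then audits every existing home folder for Allow ACEs held by anyone other than SYSTEM, the administrators and the folder's own user. Run it elevated on the file server; the SmbShare cmdlets need Windows Server 2012 or later.

```powershell
# Added example, not from the thread: apply the KB-style root ACL and audit
# the home folders underneath it. $HomeRoot, $ShareName and the "folder name
# = username" convention are assumptions.
param(
    [string]$HomeRoot  = 'D:\Users',     # assumed local path of the home root
    [string]$ShareName = 'Users',        # assumed share name
    [string]$Domain    = $env:USERDOMAIN,
    [switch]$Remediate                   # remove the explicit ACEs the audit flags
)

$FSR       = [System.Security.AccessControl.FileSystemRights]
$authUsers = [System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users'

# 1. Share permissions: Authenticated Users get Change, not Full Control.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Authenticated Users' -Force | Out-Null
    Grant-SmbShareAccess  -Name $ShareName -AccountName 'Authenticated Users' -AccessRight Change -Force | Out-Null
} else {
    New-SmbShare -Name $ShareName -Path $HomeRoot -ChangeAccess 'Authenticated Users' | Out-Null
}

# 2. NTFS on the root: stop inheriting but keep copies of the inherited ACEs
#    (the Advanced dialog's "Add"), persist, then re-read so the copies are
#    explicit and can be removed.
$acl = Get-Acl -Path $HomeRoot
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $HomeRoot -AclObject $acl
$acl = Get-Acl -Path $HomeRoot
foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' })) {
    $null = $acl.RemoveAccessRule($ace)
}
# Authenticated Users: just enough to reach their own subfolder, this folder only
$rootOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $authUsers,
    ($FSR::ListDirectory -bor $FSR::ReadAttributes -bor $FSR::Traverse -bor $FSR::ReadPermissions),
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.SetAccessRule($rootOnly)   # replaces any existing Allow ACE for Authenticated Users
Set-Acl -Path $HomeRoot -AclObject $acl

# 3. Audit each home folder: who besides SYSTEM, the admins and the folder's
#    own user holds an Allow ACE? Hits for Authenticated Users, Domain Users
#    or Everyone mean other users can get in.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$Domain\Domain Admins")
$report = foreach ($dir in Get-ChildItem -Path $HomeRoot -Directory) {
    $ownerId = "$Domain\$($dir.Name)"
    $dirAcl  = Get-Acl -Path $dir.FullName
    $dirty   = $false
    foreach ($ace in @($dirAcl.Access)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -in ($trusted + $ownerId)) { continue }
        [PSCustomObject]@{
            Folder    = $dir.FullName
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
        # Only explicit ACEs can be removed here; inherited ones disappear once
        # the root no longer hands them down.
        if ($Remediate -and -not $ace.IsInherited) {
            $null = $dirAcl.RemoveAccessRule($ace)
            $dirty = $true
        }
    }
    if ($dirty) { Set-Acl -Path $dir.FullName -AclObject $dirAcl }
}
$report | Format-Table -AutoSize
```

Run it once without -Remediate and read the report before trusting it: a folder whose name does not match a current sAMAccountName will show its real user as a "hit", and on a domain controller the BUILTIN\Users ACE the comment mentions will also appear and should be removed by hand as the KB advises. The root ACE for Authenticated Users is deliberately "this folder only": it lets a user's drive mapping resolve the path to his own subfolder, but because nothing inherits into the subfolders, whatever other users can do there is decided entirely by the per-user ACE that ADUC wrote.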

Expert Comment

by:Premkumar Yogeswaran
ID: 39988063
Hi Mahesh,
Now you would have understood that I am on the right path.

Hi iNetSystem,
For your requirement, changing the share permission for the Users share from FULL to CHANGE will fulfil your requirement,
instead of modifying all users' home folders...!!!

Let me know if you have any questions.

Cheers,
Prem

Expert Comment

by:Mahesh
ID: 39988096
Hi Prem,
You are right in theory that if the share permissions are Change, then the user should not get Full Control NTFS permissions (effective permissions).

But home directories are a special case where the user gets Full Control NTFS permission on his respective home drive; however, it does not mean that he should get permissions to all home directories in the root share.

Having share permissions as Full Control is not the real issue here.
It's possible to have Authenticated Users with Full Control share permissions and still restrict each user to his respective home directory only.
Check the article below for more info:
http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

The important point here is that he has not given Authenticated Users explicit NTFS permissions on the home directory root share folder, as stated in my earlier comment (or the KB article), to restrict their access to only their respective home drive.

I have just asked him to follow best practice with the KB article.

Mahesh.