asked on
Urgent: Correct Share and NTFS permissions to Home folder
Hi, setup home folder with everyone in share, read and list, everyone showed up in NTFS, and left the same
I set the permissions for home folder as per http://www.alexcomputerbubble.com/using-group-policy-preferences-gpp-to-map-user-home-drive/
SYSTEM = Full Control
CREATOR OWNER = Full Control
LOCAL\Administrators = Full Control
For the Authenticated Users group the following has to be set up ONLY:
Traverse folder; Create folder; Write attributes; Write extended attributes; Read permissions; Change permissions
This was a home directory which i migrated with robocopy, copied permissions as well, when i use the above, users can see the and access the other shares, (if they choose to) they still see the H: as expected, the run command is knocked off so they wont be able to browse to it, can someone outline what the best share and NTFS permissions are for this? I plan on using ABE in future, but dont have time right now to do it, just want to deny users access to other files in the user folder
I set the permissions for home folder as per http://www.alexcomputerbubble.com/using-group-policy-preferences-gpp-to-map-user-home-drive/
SYSTEM = Full Control
CREATOR OWNER = Full Control
LOCAL\Administrators = Full Control
For the Authenticated Users group the following has to be set up ONLY:
Traverse folder; Create folder; Write attributes; Write extended attributes; Read permissions; Change permissions
This was a home directory which i migrated with robocopy, copied permissions as well, when i use the above, users can see the and access the other shares, (if they choose to) they still see the H: as expected, the run command is knocked off so they wont be able to browse to it, can someone outline what the best share and NTFS permissions are for this? I plan on using ABE in future, but dont have time right now to do it, just want to deny users access to other files in the user folder
Active Directory
Last Comment
Indie101
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks I only want to change the ACL on one folder, the Users folder, so pretty sure your link doesnt apply to it
I dont know what to set acl to for authenticated user, have tried different combinations but its working now, just want to restrict it so they cant see each others folders
I dont know what to set acl to for authenticated user, have tried different combinations but its working now, just want to restrict it so they cant see each others folders
Well, I just do something similar for a project with a client.
Change USERNAME for the actual username or password.
Change USERNAME for the actual username or password.
function SingleFolder{
[cmdletbinding()]
param(
[Parameter(Mandatory=$true,position=0)][string]$Folder
)
BEGIN{
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("USERNAME", 'Modify','ContainerInherit,ObjectInherit', 'None', 'Allow')
}
PROCESS{
$Path = $Folder
$Acl = (Get-Item $Path).GetAccessControl('Access')
$Acl.SetAccessRule($Ar)
Set-Acl -path $Path -AclObject $Acl
}
END{}
}
ASKER
Thanks just run that from remote PS session
Is there an easier way? Just approx 100 uses are in security group and there is just one folder
Many thanks just that your solution Is one I can't see right now (I'm sure once dust settles I will just not sure how to affect it)
Many thanks again
Is there an easier way? Just approx 100 uses are in security group and there is just one folder
Many thanks just that your solution Is one I can't see right now (I'm sure once dust settles I will just not sure how to affect it)
Many thanks again
In the username, add the name of the group.. :)
In the username, add the name of the group... it works as well
ASKER
I've added the usernames to the authenticated group not sure what else you're looking for me to do thanks
What I'm trying to say is that you can Add individual user or group to the "Username".
"Authenticated Users" it's a built-in group so... you can use the peace code like this:
I mean it's a bad practice to add individual Users to Permissions folders, you need to use a group with the 100 people in there and just add the group. isn't it simpler?...
"Authenticated Users" it's a built-in group so... you can use the peace code like this:
function SingleFolder{
[cmdletbinding()]
param(
[Parameter(Mandatory=$true,position=0)][string]$Folder
)
BEGIN{
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Authenticated Users", 'Modify','ContainerInherit,ObjectInherit', 'None', 'Allow')
}
PROCESS{
$Path = $Folder
$Acl = (Get-Item $Path).GetAccessControl('Access')
$Acl.SetAccessRule($Ar)
Set-Acl -path $Path -AclObject $Acl
}
END{}
}
SingleFolder -folder "C:\Folder\That\You\Want\To\Add\The\GroupOrUser"
I mean it's a bad practice to add individual Users to Permissions folders, you need to use a group with the 100 people in there and just add the group. isn't it simpler?...
ASKER
Thanks but I haven't added I individual users to the group (I agree 100% that it's bad practice but I never do it)
I have a security group called staff-group added there are 100 or so members
It's the ACL for staff-group which I'm looking to amend
At present I have too many permissions they have access to mapped folder but can also see other folders if they really did some digging etc
What advanced NTFS permissions do I need to change staff-group to in order to achieve this goal?
I have a security group called staff-group added there are 100 or so members
It's the ACL for staff-group which I'm looking to amend
At present I have too many permissions they have access to mapped folder but can also see other folders if they really did some digging etc
What advanced NTFS permissions do I need to change staff-group to in order to achieve this goal?
what is the goal that you want to achieve? remove permissions?.
I think that you just need to do an audit of all the ACL of the folders and subfolders.
And start from there, to Add/Remove Permissions.
You can even use the same logic of that function to set the ALC of the folder.
For ex: FolderA (Group1,Group2) and folder B( Exchgroup1,exchgroup2)
But you want to set the ALC from FolderA to Folder B.
so at the end FolderA(Group1,Group2) and FolderB (Group1,Group2)
In this script, there's a couple of functions to set that. check the "SingleFolder" function...
https://gallery.technet.microsoft.com/scriptcenter/Copy-Files-from-folderA-to-29710ef9
I think that you just need to do an audit of all the ACL of the folders and subfolders.
And start from there, to Add/Remove Permissions.
You can even use the same logic of that function to set the ALC of the folder.
For ex: FolderA (Group1,Group2) and folder B( Exchgroup1,exchgroup2)
But you want to set the ALC from FolderA to Folder B.
so at the end FolderA(Group1,Group2) and FolderB (Group1,Group2)
In this script, there's a couple of functions to set that. check the "SingleFolder" function...
https://gallery.technet.microsoft.com/scriptcenter/Copy-Files-from-folderA-to-29710ef9
ASKER
Goal I want to achieve is users only having access to their own folder in users
I don't want them to see other users home folders
They won't know how to access through UNC but want to make sure
I've tried variations of amending acl , and so far if it's too restrictive the user doesn't have access to H:\ as I mentioned they now have access to it but can see other folders
I only need to change ACL for one group from what I can see anyone recommend what advanced NTFS permissions I can change to?
I don't want them to see other users home folders
They won't know how to access through UNC but want to make sure
I've tried variations of amending acl , and so far if it's too restrictive the user doesn't have access to H:\ as I mentioned they now have access to it but can see other folders
I only need to change ACL for one group from what I can see anyone recommend what advanced NTFS permissions I can change to?
I had to give authenticated users full control to see the H:\
What NTFS permissions do i need to set authenticated users to so that each user only can see and make changes to their own folder?
Home folder is mapped as folder in group policy preferences as \\servername\Users\%logonu