Urgent: Correct Share and NTFS permissions to Home folder

Indie101
Indie101 used Ask the Experts™
on
Hi, setup home folder with everyone in share, read and list, everyone showed up in NTFS, and left the same

I set the permissions for home folder as per http://www.alexcomputerbubble.com/using-group-policy-preferences-gpp-to-map-user-home-drive/

SYSTEM = Full Control
CREATOR OWNER = Full Control
LOCAL\Administrators = Full Control
For the Authenticated Users group the following has to be set up ONLY:
Traverse folder; Create folder; Write attributes; Write extended attributes; Read   permissions; Change permissions

This was a home directory which i migrated with robocopy, copied permissions as well, when i use the above, users can see the and access the other shares, (if they choose to) they still see the H: as expected, the run command is knocked off so they wont be able to browse to it, can someone outline what the best share and NTFS permissions are for this? I plan on using ABE in future, but dont have time right now to do it, just want to deny users access to other files in the user folder
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Author

Commented:
At present I have  it shared with authenticated users, domain admins

I had to give authenticated users full control to see the H:\

What NTFS permissions do i need to set authenticated users to so that each user only can see and make changes to their own folder?

Home folder is mapped as folder in group policy preferences as \\servername\Users\%logonuser%
EE Rookie/Solution Guide/Topic Advisor and CEO Faru Bonon IT
Awarded 2018
Distinguished Expert 2018
Commented:

Author

Commented:
Thanks I only want to change the ACL on one folder, the Users folder, so pretty sure your link doesnt apply to it

I dont know what to set acl to for authenticated user, have tried different combinations but its working now, just want to restrict it so they cant see each others folders
Exploring ASP.NET Core: Fundamentals

Learn to build web apps and services, IoT apps, and mobile backends by covering the fundamentals of ASP.NET Core and  exploring the core foundations for app libraries.

Jose Gabriel Ortega CastroEE Rookie/Solution Guide/Topic Advisor and CEO Faru Bonon IT
Awarded 2018
Distinguished Expert 2018

Commented:
Well, I just do something similar for a project with a client.
Change USERNAME for the actual username or password.
function SingleFolder{            
	[cmdletbinding()]            
	param(
		[Parameter(Mandatory=$true,position=0)][string]$Folder
	)
	BEGIN{
		$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("USERNAME", 'Modify','ContainerInherit,ObjectInherit', 'None', 'Allow')
	}
	PROCESS{
		$Path = $Folder
		$Acl = (Get-Item $Path).GetAccessControl('Access')
		$Acl.SetAccessRule($Ar)
		Set-Acl -path $Path -AclObject $Acl
	}
	END{}
} 

Open in new window

Author

Commented:
Thanks just run that from remote PS session

Is there an easier way? Just approx 100 uses are in security group and there is just one folder

Many thanks just that your solution Is one I can't see right now (I'm sure once dust settles I will just not sure how to affect it)

Many thanks again
Jose Gabriel Ortega CastroEE Rookie/Solution Guide/Topic Advisor and CEO Faru Bonon IT
Awarded 2018
Distinguished Expert 2018

Commented:
In the username, add the name of the group.. :)
Jose Gabriel Ortega CastroEE Rookie/Solution Guide/Topic Advisor and CEO Faru Bonon IT
Awarded 2018
Distinguished Expert 2018

Commented:
In the username, add the name of the group... it works as well

Author

Commented:
I've added the usernames to the authenticated group not sure what else you're looking for me to do thanks
Jose Gabriel Ortega CastroEE Rookie/Solution Guide/Topic Advisor and CEO Faru Bonon IT
Awarded 2018
Distinguished Expert 2018

Commented:
What I'm trying to say is that you can Add individual user or group to the "Username".
"Authenticated Users" it's a built-in group so... you can use the peace code like this:

function SingleFolder{            
	[cmdletbinding()]            
	param(
		[Parameter(Mandatory=$true,position=0)][string]$Folder
	)
	BEGIN{
		$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("Authenticated Users", 'Modify','ContainerInherit,ObjectInherit', 'None', 'Allow')
	}
	PROCESS{
		$Path = $Folder
		$Acl = (Get-Item $Path).GetAccessControl('Access')
		$Acl.SetAccessRule($Ar)
		Set-Acl -path $Path -AclObject $Acl
	}
	END{}
} 

SingleFolder -folder "C:\Folder\That\You\Want\To\Add\The\GroupOrUser"

Open in new window


I mean it's a bad practice to add individual Users to Permissions folders, you need to use a group with the 100 people in there and just add the group. isn't it simpler?...

Author

Commented:
Thanks but I haven't added I individual users to the group (I agree 100% that it's bad practice but I never do it)

I have a security group called staff-group added there are 100 or so members

It's the ACL for staff-group which  I'm looking to amend

At present I have too many permissions they have access to mapped folder but can also see other folders if they really did some digging etc

What advanced NTFS permissions do I need to change staff-group to in order to achieve this goal?
Jose Gabriel Ortega CastroEE Rookie/Solution Guide/Topic Advisor and CEO Faru Bonon IT
Awarded 2018
Distinguished Expert 2018

Commented:
what is the goal that you want to achieve? remove permissions?.

I think that you just need to do an audit of all the ACL of the folders and subfolders.
And start from there, to Add/Remove Permissions.

You can even use the same logic of that function to set the ALC of the folder.
For ex: FolderA (Group1,Group2)   and folder B( Exchgroup1,exchgroup2)
But you want to set the ALC from FolderA to Folder B.
so at the end FolderA(Group1,Group2) and FolderB (Group1,Group2)

In this script, there's a couple of functions to set that. check the "SingleFolder" function...

https://gallery.technet.microsoft.com/scriptcenter/Copy-Files-from-folderA-to-29710ef9

Author

Commented:
Goal I want to achieve is users only having access to their own folder in users

I don't want them to see other users home folders

They won't know how to access through UNC but want to make sure

I've tried variations of amending acl , and so far if it's too restrictive the user doesn't have access to H:\ as I mentioned they now have access to it but can see other folders

I only need to change ACL for one group from what I can see anyone recommend what advanced NTFS permissions I can change to?

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial