Re: User Folders created by the system
From: Stuart Mackie [MCSE MCSA] (newsgroups_at_--REMOVE_THIS-NO_SPAM--stu.uk.com)
Date: 02/11/05
- In reply to: Infotech: "User Folders created by the system"
Date: Fri, 11 Feb 2005 00:30:04 -0000
Hi. When using the AD users and computers console the default behaviour in
Win2k3 is to inherit parent permissions. To make sure future users have the
correct permissions without having to manually adjust them you will need to
alter your parent folder permissions. An example of permissions you could
use would be:
'Parent Folder' NTFS Permissions
  System - Full Control
  Domain Users - Read & Execute (see below before applying)
                 List Folder Contents
                 Read
  Domain Admins - Full Control (This depends on company policy)
Before Accepting/Applying the above changes, click Advanced, select the
Domain Users entry, click Edit and set Apply onto to 'This Folder and Files'
(i.e. NOT This Folder, Subfolder and Files).
Adjust the above permissions to accommodate your company policy i.e. Admin
permissions on user home folders etc.
Share Permissions
  Domain Users - Full Control
  Domain Admins - Full Control
When you now create a new user, for the home folder section use
\\fileserver\users\%username%. The AD console will create the %username%
folder which will inherit the parent permissions. Since the Domain Users
permission applies to the Parent folder only, this permission will not
be inherited and the AD console will add the Full Control permission for the
user.
--
Hth,
Stuart Mackie
www.stu.uk.com
MCSA: & MCSE: Security

"Infotech" <adsf> wrote in message news:u3Tvcg8DFHA.2608@TK2MSFTNGP10.phx.gbl...
> I have local users Home Folder (in User properties) set to connect to a
> share on our file server. Microsoft recommends using
> \\fileserver\users\userfolder. I decided to do that for all our users. The
> security problem arises when the system creates the folder it inherits file
> permissions from the parent folder, adding "Authenticated Users" group with
> Read permission on every user folder it creates inside "Users". When that
> happens I have to manually remove the group and being human I forget
> sometimes. Is there a way to change this behavior? If I remove
> "Authenticated Users" group from the parent directory "Users" no one will
> be able to access their folders.
>
> Thanks for your help
>
> --
> Infotech
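
A read-only PowerShell check for the situation discussed in this thread, added here as an example and not part of either poster's message: it lists every Allow entry for a broad group (Everyone, Authenticated Users, BUILTIN\Users, Domain Users) on the parent folder and on each home folder beneath it, together with the inheritance flags that decide how far the entry reaches. The path D:\Users is an assumption standing in for the local folder behind the \\fileserver\users share.

```powershell
# Added example, not from the original post. It only reads ACLs; nothing is changed.
param(
    [string]$Parent = 'D:\Users'   # assumed local path behind the \\fileserver\users share
)

$sidType = [System.Security.Principal.SecurityIdentifier]

function Test-BroadSid([string]$Sid) {
    # Everyone, Authenticated Users, BUILTIN\Users, or any domain's Domain Users (RID 513).
    ($Sid -in @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')) -or
        ($Sid -match '^S-1-5-21-(\d+-){3}513$')
}

function Get-BroadAce([string]$Path, [string]$Level) {
    # Ask for SIDs rather than names so the check does not depend on OS language.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Allow' -and (Test-BroadSid $r.IdentityReference.Value)) {
            [pscustomobject]@{
                Level       = $Level
                Folder      = $Path
                Sid         = $r.IdentityReference.Value
                Rights      = $r.FileSystemRights
                Inherited   = $r.IsInherited        # True = came down from the parent
                Inheritance = $r.InheritanceFlags   # ContainerInherit = copied to subfolders
                Propagation = $r.PropagationFlags   # InheritOnly = affects children, not this folder
            }
        }
    }
}

$findings = @()
# Parent: entries here with Inheritance other than None are handed to new home folders.
$findings += Get-BroadAce -Path $Parent -Level 'Parent'
# Home folders: any row at this level is a broad-group entry that reached a user's folder.
Get-ChildItem -LiteralPath $Parent -Directory | ForEach-Object {
    $findings += Get-BroadAce -Path $_.FullName -Level 'Home'
}

$findings | Sort-Object Level, Folder | Format-Table -AutoSize
$homeHits = @($findings | Where-Object { $_.Level -eq 'Home' }).Count
Write-Output "Broad-group entries found on home folders: $homeHits"
```

Rows at the Home level with Propagation set to InheritOnly do not grant access to the folder itself but still pass to files created inside it, so they are worth reviewing along with the direct entries.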