Can't write to folder even though Active Directory effective permissions shows full control

Status
Not open for further replies.

mkrausnick

Programmer
Apr 2, 2002
766
US
Running Windows Server 2008 with about 50 users. I'm trying to move a few user "personal folders" to a different physical disk. The folder structure in both drives is the same:
<top level>\...\Users\<userID>.
In the current drive (D:) the Users folder has these explicit permissions: Traverse folder, List Folder, Read attributes, Read extended attributes. That allows users to open documents in other users' folders. Not good.
In the new drive (F:) I set up the Users folder to have explicit permissions of Traverse Folder only. In both cases, the individual's folder has inherited permissions, plus explicit "full control" for their own <userID> folder.

My desire is that if a user maps the parent "Users" folder, they not see anything, or even get "Access denied". But when I map their personal folder directly using UNC, they have full control and can create and delete files and folders in their <userID> folder.

Even though Active Directory effective permissions shows full control for a user in their personal folder, they can't create or save a file, and can't open their Outlook archive.pst.

If I have to, I'll give the Read Data permission to the parent "Users" folder but I'd rather not. So how do I configure Active Directory permissions to allow a user full control in their own <UserID> folder and at the same time no permissions at all in the "Users" folder or at least other users' <UserID> folder?

Also, I should add that the Users folder is referenced using an NT share called "Users$" which has permissions of "Full Control" for the Active Directory group that includes all users.

Thanks for any help.

Mike Krausnick
Dublin, California
I discovered the solution to my issue, in case anyone else has the same problem. I had set the NT permissions in the new USERS$ share on F: to "Read Only", whereas the USERS$ share on D: had "Full Control" permission. So once I gave the USERS$ share on F: Full Control permission, individual users were able to create and modify files in their <UserID> folders.

Regarding the concern about users being able to read other users' documents, I set the AD permissions on the new USERS folder to be the same as the original USERS folder, and set the security for the new USERS folder to "Apply to this folder only", rather than "This folder, subfolder and files". Now my users can't map or view the contents of other users' folders. Unfortunately, they can still map to the USERS parent folder and see the list of folders in it, which I would prefer them not to, but at least there's no data security issue.


Mike Krausnick
Dublin, California
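The root cause in this thread is the standard share-versus-NTFS interaction: a user's effective rights over a UNC path are the intersection of the share ACL and the NTFS ACL, so a Read-only share silently caps Full Control granted on disk. The script below is an added illustration, not code from the original posts; it reproduces the two fixes Mike describes (raising the share permission, and applying the Users-root ACE to "this folder only") as a repeatable check-and-remediate routine. The share name `Users$` comes from the thread; the path `F:\Data\Users`, the group `CONTOSO\AllUsers`, and the assumption that each subfolder is named after the user's sAMAccountName are placeholders. `Get-SmbShareAccess`/`Grant-SmbShareAccess` need the SmbShare module (Windows Server 2012 or later); on Server 2008 the equivalent inspection is `net share Users$` and the fix is done in the share's Permissions dialog.

```powershell
# Added example (not from the Tek-Tips thread): check and fix the share/NTFS mismatch.
# Run on the file server with administrative rights.
$ShareName  = 'Users$'             # share name taken from the thread
$UsersRoot  = 'F:\Data\Users'      # placeholder: the new Users folder on F:
$UsersGroup = 'CONTOSO\AllUsers'   # placeholder: AD group containing every user

# 1. Share level. Share ACL and NTFS ACL are ANDed, so anything below Full/Change
#    here overrides the Full Control each user holds on their own folder.
$access = Get-SmbShareAccess -Name $ShareName |
          Where-Object { $_.AccountName -eq $UsersGroup }
if (-not $access -or $access.AccessRight -notin @('Full', 'Change')) {
    Write-Warning "Share $ShareName gives '$($access.AccessRight)' to $UsersGroup; NTFS rights are capped at that level."
    # Let the share be permissive and leave the real restriction to NTFS.
    Grant-SmbShareAccess -Name $ShareName -AccountName $UsersGroup -AccessRight Full -Force | Out-Null
}

# 2. NTFS on the Users root: the same rights the original D: folder had, but with
#    InheritanceFlags::None, which is what the GUI calls "This folder only". Nothing
#    from this ACE propagates into other users' folders, so the users still cannot
#    open each other's documents.
$rootAcl  = Get-Acl -Path $UsersRoot
$rootRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $UsersGroup,
    'ListDirectory, Traverse, ReadAttributes, ReadExtendedAttributes',
    [System.Security.AccessControl.InheritanceFlags]::None,     # "This folder only"
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$rootAcl.SetAccessRule($rootRule)   # replaces any existing Allow ACE for this group
Set-Acl -Path $UsersRoot -AclObject $rootAcl

# 3. Each user's folder: explicit Full Control for that user, inherited by its
#    subfolders and files. Assumes folder name == sAMAccountName.
foreach ($dir in Get-ChildItem -Path $UsersRoot -Directory) {
    $userAcl  = Get-Acl -Path $dir.FullName
    $identity = "$env:USERDOMAIN\$($dir.Name)"
    $userRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $userAcl.SetAccessRule($userRule)
    Set-Acl -Path $dir.FullName -AclObject $userAcl
}

# 4. Verify: show which ACEs on the root would propagate downward. After the fix,
#    the group's entry must report InheritanceFlags = None.
(Get-Acl -Path $UsersRoot).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited |
    Format-Table -AutoSize
```

Two points worth keeping in mind when reading the result. First, the "effective permissions" tab evaluates only the NTFS DACL, which is why it reported Full Control while the share still said Read; checking `Get-SmbShareAccess` alongside `Get-Acl` is the only way to see the real answer for a UNC path. Second, the remaining behaviour Mike notes (users can still list the folder names under Users) follows directly from the ListDirectory right on the root; dropping it to Traverse only would hide the listing, but would also stop Explorer from browsing to the share root, which is the trade-off the original poster decided to accept.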