Help with NTFS permissions

Status
Not open for further replies.

texnut

IS-IT--Management
Jan 11, 2007
97
US
Hello all,

I need a bit of help setting up permissions on a share. The share is going to host all my users' user folders. The directory structure would look like this:

D:\Users <- root
\Users\jsmith
\Users\jdoe
\Users\etc ..

I want the default permissions to be such that a user can list the contents of D:\Users but cannot access any of the user sub folders unless explicitly given permission to do so by me (the Admin). This goes for their own folder as well - unless there is some way of automating the creation and permissions of their own folder (but that might be a whole other topic). Right now the permissions of D:\Users are as follows (the default):

CREATOR OWNER: Special
SYSTEM: Full
Administrators: Full
Users: Read & Exe, List Folder Contents, Read, Special

Any help with this would be greatly appreciated - thanks folks!
 
I'm assuming this is for a home drive? You probably don't want the users to have read/list folder access to the root as then it would be added to the child folders by default on creation.

If your server share would be \\server\users which is housed on the server as D:\Users then you set up the home drive in the profile tab of the account to be \\server\users\%username%. When you hit OK, it will create the folder inheriting the root folder's permissions and adding the new user to that folder's permissions. Windows 2000 and later clients will map that home drive automatically to the subfolder.

I.E.

D:\users
> Administrators - Full Control
> Backup Group - Read/Write

D:\users\useraccountname
> Administrators - Full Control <-Inherited
> Backup Group - Read/Write <-Inherited
> useraccountname - Full Control <- Windows Added
 
Hi baddos,

Yes, it's for a home drive. I would agree with you normally, except in this particular case, all the users do need to be able to list the contents because of some cross sharing.

I guess what I will have to do is provide users with List rights and then remove it when I or AD creates the profile.

Oh well... thanks anyway!
 
Yes, if you specifically need them to have listing access to all of the folders then add that to the root. You'll just have to remember to remove that inheritance from the newly created subfolders.

I would suggest you not do this, and simply provide the other users with direct shortcut links to those folders. I.E. Create a link to \\server\users\bob and put it on Mary's desktop or something.
 
Ok I figured out a way to do this - this will hopefully be useful to others:

At the root folder (D:\Users)
Go to its properties page, Security Tab & click on Advanced.
Now click on Edit and uncheck "Include inheritable permissions ...". Make sure you select "Copy" when prompted.

Now, within the Advanced Security Settings dialog, select Domain Users or ServerName\Users and click on Edit.

Click the Clear All button. Now in the 'Apply to' field, make sure that "This folder only" is selected.

Place a check mark next to "List folder / read data".

Click OK all the way out.

Now go back in & go back to the Advanced section and click Edit again. Place a check mark next to "Replace all existing ...".

Click Apply and OK all the way out.

That's it!


 
Whoops - looks like I spoke too soon, more on that in a bit ...
 
Ok - this is how you do it:

Share Permissions: 'Everyone' has Change & Read rights.
Security Permissions: Do not inherit from parent but copy. Apply permissions as stated above.

NOW it works!
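
A scripted equivalent of the root-folder NTFS steps from the two posts above, added here as an example and not part of the original thread: it copies and breaks inheritance on the root, replaces the group's entries with "List folder / read data" on "This folder only", then reports any subfolder where the group still holds an entry instead of replacing subfolder permissions. The `$Root` and `$Group` values are assumptions; it expects an elevated PowerShell 3.0 or later session and does not touch the share permissions.

```powershell
# Added example; $Root and $Group are assumptions, adjust them to your server.
param(
    [string]$Root  = 'D:\Users',
    [string]$Group = 'BUILTIN\Users'   # or 'YOURDOMAIN\Domain Users'
)

$identity = New-Object System.Security.Principal.NTAccount($Group)

# 1. Stop inheriting from the parent but keep a copy of the inherited entries
#    (the "Copy" choice in the dialog).
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Root -AclObject $acl

# The copied entries only become explicit once the ACL has been written,
# so re-read it before editing them.
$acl = Get-Acl -Path $Root

# 2. "Clear All" for the group: drop every entry it holds on the root.
$acl.PurgeAccessRules($identity)

# 3. Allow "List folder / read data" on "This folder only": no inheritance or
#    propagation flags, so subfolders do not receive this entry.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity,
    [System.Security.AccessControl.FileSystemRights]::ListDirectory,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Root -AclObject $acl

# 4. Check the result: first the group's entry on the root ...
(Get-Acl -Path $Root).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity.Value } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited

# ... then every subfolder where the group still holds an entry. Each row is
# a home folder the whole group can still reach and should be reviewed.
Get-ChildItem -Path $Root -Directory | ForEach-Object {
    $folder = $_.FullName
    (Get-Acl -Path $folder).Access |
        Where-Object { $_.IdentityReference.Value -eq $identity.Value } |
        Select-Object @{n='Folder';e={$folder}}, FileSystemRights, IsInherited
}
```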

 
Any reason that you're not assigning the users home profile in their ADUC object?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 