home directory permissions

darahw

Technical User
Feb 27, 2003
I am having a problem with user home directories and the permissions that it automatically assigns.

I am setting the path to the user home directory in Users and Computers - properties and the profile tab - home folder option. And when I do this it is creating the directory on our SAN. When I go to the SAN and check the security permissions it automatically adds the SAN local admin account. I have checked the parent directory "USERS" and it does NOT have any permissions for the SAN local admin group.

Does anyone know how to prevent the local admin account from appearing in the list?

 
Not sure if you can prevent this when allowing automated creation of the folders... likely Windows is recognizing that it's a SAN, and adds the SAN admin creds in order to ensure data access can occur.

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+

 
It could be an issue with the folder inheriting the permission from the folder above.
 
He had mentioned that the parent folder doesn't have the SAN account listed :)

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+

 
Sorry, I should have been more clear. I was thinking of possibly the Creator Owner permission in particular.
 
I am actually a SHE (I know, not very common)

Thanks for your help- I might open a case with Microsoft and have them verify.
 
Sorry about that :)

MS may tell you to reproduce on a server share vs. a SAN share to see if the problem persists (which it won't). I worked over there for a couple of years as a mentor, with this particular type of problem being inside the support boundaries for the team I was on. Back then (it's been 2.5+ yrs), that would have been what you were told. Now, who knows....

I have a feeling that what you're going to find out is that the fiber channel (or whatever you are using) adds that permission for the SAN Admin account to anything to ensure the SAN Admin can fully administer data on the storage devices. This would make both technical and business sense.
Again, the easy test would be to create a new user or two, set their path to a share on a server's physical HDDs rather than the SAN... if the behavior doesn't occur there, it's likely MS will end at that too, then send you to the SAN manufacturer for an explanation of why it does that.

Another possibility, that I forgot to ask, is if you are trying to put profiles on a clustered share (which is not supported I don't believe).

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+

 
I am so glad that you understand this problem. I was having a tough time getting it into words to explain it.

I just created a folder called "Test" on the E drive for one of our DCs.

I went into my test user account and in the profile tab- home drive I mapped it to:
\\domain_controller\e$\test\%username%

When I go to the directory that was created I see that this time it added in the domain\administrators group.

We are using NetApp SANs.

 
OK, so I think we are seeing a by-design issue based off of what you saw in your test. Your results were exactly as expected. NetApp must be adding the SAN Admin account, rather than the fiber channel.
My bet is that if NetApp were removed from the picture and you still redirect to the SAN, you'd see the same results as with the local HDD (with the domain's administrators group being added with FC). Looks more like the NetApp Filer app performing the add of SAN Admins.

I would honestly think though that both would show up when using NetApp... domain\administrators and SAN Admin account... if that's not the case, that I find strange.

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+

 
The domain\administrators group has many people that shouldn't have rights to the home drives. I work for a very large company and they get very granular with the groups that have rights to the home drives (home drive admins and the actual user are all that should have rights).


Is this a NetApp issue or a Microsoft issue?

With this scenario, what would be the best way for help desk users with limited rights to create home drives for new users they create? That is how all of this came about.


 
The administrators group may be, and likely is, inheriting from the parent folder there (check parent folder advanced security properties for any administrators entries). Administrators not having access should not cause any problem, as they can take ownership at any time and give themselves rights (by design and no way to prevent it outside of alteration of default user rights, which isn't a good idea).

I would have to say that all in all, it's a NetApp issue. With that being said, I somewhat doubt either company will be able to truly help you. My hope is that you don't hear "it's by design go away" from MS... but that's what I expect from their end.

I would talk to your TAM for your company and coax him or her into a grace case for the directory services group to take a look. That way you can potentially get a free look into it from MS point of view... my anticipation being they will say call NetApp for explanation as to why the SAN admin account (or group) gets added. All in all, it's really a combined manufacturer case... both NetApp and MS should have a look and explain.
If I get a chance today, I'll dig in more and see if I can find anything similar to your issue with NetApp being used.

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+

 
ADGod - thank you so much for the information that you have provided. Were you able to find out anything else?

Do you know of a script that would create the user directory with the correct permissions that we want to assign?

Again- THANKS.
 
It could be scripted easily using subinacl, cacls, or xcacls, with the first being the best to use. The trick is, I think the SAN will put the perms right back on anyway for the reasons described before.

I did talk with some buddies at MS about this, and they were in agreement on the cause I stated.

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+
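
A sketch of the kind of script asked about above, added here as an example and not posted by anyone in the thread. It uses PowerShell's Get-Acl/Set-Acl rather than the subinacl, cacls or xcacls tools named in the reply, and the domain, share path and group name are placeholders. It reads the ACL back after writing it, so an entry that was re-added (such as the SAN admin account discussed above) shows up immediately.

```powershell
# Added example. CONTOSO, \\filer01\users and HomeDrive-Admins are placeholders,
# not values from the thread.
param(
    [Parameter(Mandatory)] [string] $UserName,            # sAMAccountName of the new user
    [string] $Domain     = 'CONTOSO',
    [string] $HomeRoot   = '\\filer01\users',
    [string] $AdminGroup = 'CONTOSO\HomeDrive-Admins'
)

$path = Join-Path $HomeRoot $UserName
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -ItemType Directory -Path $path | Out-Null
}

# Intended ACL: the user and the home drive admins group, nothing else.
$wanted = @{
    "$Domain\$UserName" = 'Modify'
    $AdminGroup         = 'FullControl'
}

$acl = Get-Acl -LiteralPath $path
# Stop inheriting from the parent and do not keep copies of inherited ACEs.
$acl.SetAccessRuleProtection($true, $false)
# Drop every explicit ACE that was placed on the folder when it was created.
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRuleSpecific($ace)
}

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
foreach ($id in $wanted.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $wanted[$id], $inherit, $propagate, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $path -AclObject $acl

# Read the ACL back from the share and report anything outside the intended set.
$extra = (Get-Acl -LiteralPath $path).Access |
    Where-Object { @($wanted.Keys) -notcontains $_.IdentityReference.Value }
if ($extra) {
    Write-Warning "Unexpected ACEs on ${path}:"
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    Write-Output "ACL on $path contains only the intended entries."
}
```

The account running it needs permission to change the ACL on the new folder; the final check can also be run on its own later to see whether the storage side has put an entry back.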

 