Re: home directory permissions
- From: "Peter_Julian" <pj@xxxxxxxxxxxxxxxxxx>
- Date: Sun, 26 Mar 2006 14:37:25 -0500
"jon" <studebak@xxxxxxxxx> wrote in message
news:1143253650.010676.269370@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| Hi all,
|
| Our users are initially set up with a home directory on our windows
| 2000 domain controller. We do this as explained in
| http://support.microsoft.com/?kbid=320043. I know by design, when this
| is done, the permissions are set to administrators - full control and
| %username% full control. This is working just fine. My question is:
| Is there a way to change those default permissions or groups? Can it
| be set up to give full control to the user and administrator and
| inherit permissions from the parent directory? The reason is, I would
| like another group (Help Desk) to have read permissions on all home
| directories. I can do this manually for each user's home directory with
| the administrator account but having it set up by default would be
| preferred.
|
| Thanks in advance.
|
First off: a user's home directory should only be accessible by the user
and the system, not the administrator. Users' home folders should not
inherit from the \users root (and by default, they don't). So even the
admin can't modify files there without the user knowing it (he needs to
take ownership which the admin can't then give away). It's a question of
principle, admin is not God and you need to give your users every
possible incentive to rely on home folders for documents that need
backups and remote access.

What you may consider is simply creating a group called HomeReader, for
example, placing admin and help desk members in it and modifying the
home folders collectively to afford HomeReaders read access. If that's
not good enough, then create a hidden share as the root (\Users$)
preferably on a separate partition.

Your server has enough work to do that it needs not have to fight with
opportunistic locks because someone at the help desk has write-opened a
session with a file that the user is actively modifying. That's begging
for problems and a much more difficult server/domain to maintain.

The only way I can access a user's folder is to netmeet, VNC or SMS
remote into his station. And that's how it should be.

Not to mention quotas and a simple service running as system to verify
for illegal file extensions being stored.

Here is a guide in the case you prefer the other way:
Create a hidden share (i.e. d:\Users$)
Set the share permission to Authenticated Users = Full Control
Set the NTFS permissions to...
    Creator/Owner = Full Control (Subfolders and Files)
    System = Full Control (This folder, Subfolders and Files)
    User Groups = List Folder/Read Data and Create Folders/Append Data (This Folder Only)
    Administrators = None
    Everyone = None
Set the home folder: \\Server\Users$\%username%
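
The share and NTFS permissions from the guide above, scripted with current PowerShell cmdlets as an added example; it is not part of the original post, which predates them. The folder path, the `EXAMPLE\Domain Users` group standing in for "User Groups", and the use of Windows Server 2012 or later with an elevated session are assumptions.

```powershell
# Added example. Assumed values, not from the original post:
$Path      = 'D:\Users'               # folder behind the hidden share
$ShareName = 'Users$'                 # trailing $ hides the share from browse lists
$UserGroup = 'EXAMPLE\Domain Users'   # placeholder for the guide's "User Groups"; replace before running

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share permission: Authenticated Users = Full Control.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -FullAccess 'Authenticated Users' | Out-Null
}

# Build the DACL from scratch. Protecting it blocks inheritance from the parent,
# so Administrators and Everyone end up with no entry at all ("None" in the guide).
$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)

$rules = @(
    # identity, rights, inheritance flags, propagation flags
    @('CREATOR OWNER',       'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly'),
    @('NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'None'),
    # "This Folder Only": no inheritance flags, so the ACE stops at the share root.
    @($UserGroup, 'ListDirectory, CreateDirectories', 'None', 'None')
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], $r[2], $r[3], 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $Path -AclObject $acl

# Review the resulting entries and where each one applies.
Get-Acl -Path $Path | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```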