Re: "Best practices" for Users' home directory file permissions

From: CyberDroog (CyberDroog_at_ClockworkOrange.com)
Date: 03/10/05


Date: Thu, 10 Mar 2005 19:45:05 GMT

On 10 Mar 2005 10:33:00 -0800, "Craig" <craigcaughlin@yahoo.com> wrote:

>Can someone give me some advice on file permissions? What do you
>recommend for both sharing permissions and NTFS permissions for Users'
>home directories on a Server 2003 domain controller. I want to give
>user access to ONLY their own home directory. I've been told to allow
>full access via "sharing" permissions, and then tighten them down
>(that's kinda vague) with NTFS permissions. I'm not sure if that's
>"correct" or if there's a better way. I'm open to suggestions, links,
>examples, etc.

When share permissions and file permissions conflict, the lesser of the two
takes effect. So a user really needs full share permissions in order to
have full file permissions through that share.

Most people seem to make a single folder and share named "Users", to which
all users have full share permissions. Within that folder, you would have
user folders such as asmith, ajones, etc. You apply file permissions to
the user folders which permit only that particular user to access the
folder. (For convenience I always include administrator with full rights.)

Alternatively, and what I like to do, you can make each user folder a
share. But in that case I would suggest using hidden shares (asmith$,
ajones$, etc.) to avoid cluttering up network neighborhood (I like to avoid
browsing as much as possible.) You can then create share permissions for
each user giving full access to their share. Having each user folder as a
share makes it easy to create a uniform mapped drive - for instance drive
U: can be the user folder of whatever user is logged on.

Another thing I refuse to do is to add one user to another user's share or
folder permissions. I can't count the number of times I have been asked,
or even ordered to do this. E.g. some VIP wants his secretary to have full
access to his folder or vice versa. Don't do it. It's just begging for a
plate of spaghetti when it comes to share and file permissions. You can
always create a common folder for two or more people to share in such
cases.

-- 
EGOTIST, n. A person of low taste, more interested in himself than in me.
  - Ambrose Bierce
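
One way to apply and audit the single "Users" share layout described in the reply above, as an added example that is not part of the original post. It assumes PowerShell 3.0 or later on a current Windows Server, an existing share over D:\Users, a placeholder domain CONTOSO and folder names equal to logon names; the function names are hypothetical.

```powershell
# Added example, not from the original post. Assumed: D:\Users is the shared
# parent folder, CONTOSO is a placeholder domain, folder name = logon name.
$Root   = 'D:\Users'
$Domain = 'CONTOSO'
$Admins = 'BUILTIN\Administrators'

function Set-HomeFolderAcl {            # hypothetical helper name
    param([string]$Path, [string]$Account)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -ItemType Directory | Out-Null
    }
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent; inherited entries are not kept.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove explicit entries left over from earlier changes.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    # Full control for the folder's user and for administrators only,
    # applied to the folder, its subfolders and its files.
    foreach ($id in @($Account, $Admins)) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Find-ForeignAccess {           # hypothetical helper name
    param([string]$Root, [string]$Domain)
    # Report every ACL entry that is neither the folder's own user nor
    # Administrators, e.g. one user added to another user's folder.
    foreach ($dir in Get-ChildItem -Path $Root -Directory) {
        $expected = @("$Domain\$($dir.Name)", $Admins)
        foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
            if ($expected -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Folder    = $dir.FullName
                    Account   = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Folder names taken from the post's examples.
foreach ($name in 'asmith', 'ajones') {
    Set-HomeFolderAcl -Path (Join-Path $Root $name) -Account "$Domain\$name"
}
Find-ForeignAccess -Root $Root -Domain $Domain | Format-Table -AutoSize
```

An empty result from Find-ForeignAccess means every folder under the root grants access only to its own user and to Administrators.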

