Re: Share and NTFS permissions - the right mix?!
Richard Price <richardprice@xxxxxxxxx> wrote:
Hi,

After thinking I had it all nice and sorted, a user goes and does
something which completely invalidated my prior belief.

My setup is thus:

Windows 2003 R2 server hosting network share \\domain\Users\

Under \\domain\Users are a load of directories - richard, martin,
jenny, sam et al. They are users private folders, each mapped to
desktop drive U:\ for the various users when they log into their
desktops.

What I want to accomplish is thus:

Users can see all directories in \\domain\Users, but they cannot see
the contents of those directories, delete those directories or add new
directories.

Users have full control within their own directory under \\domain\Users

Can anyone recommend the best mix of Share and NTFS permissions to do
this? The solution I have ended up with requires the following:

\\domain\Users Share permissions - Everyone: read, write
\\domain\Users NTFS permissions - Everyone: read, write explicitly
denied

\\domain\Users\richard - no inherited permissions, richard has Full
Control within this folder (as does Domain Admin et al)

This has given me basically the situation I want to end up with, with
one small niggle. It allows richard to access his files perfectly
fine, create new ones and delete old ones et al within his own
directory. It allows richard to see all folders in \\domain\Users
fine, but he cannot access their contents at all. This is exactly how
I want it to work, so so far so good on that front.

The niggle is that the write explicitly denied at the NTFS level has
the effect of denying Domain Admins write access also, which means one
of two things:

1. I create a Security Group containing everyone but Domain Admins
(sounds ugly).
2. I remove the deny each and every time I want to add a new directory
or remove an old one (sounds ugly, and also not only Domain Admins
will be doing this as I want to farm that task out to Account
Operators).

So, is there any way to accomplish my task without ending up with
either of the two 'solutions' needing to be implemented?

Is there a better way to do what I am doing?

Cheers
Richard

For the parent share, everyone=full control is fine.
For the NTFS permissions on the parent folder, check out the following KB
article - it will explain how to make sure your *new* stuff is correct, at
any rate. It won't necessarily help you if the permissions on your existing
folders are squashed.

Note - home directories are a pretty archaic thing at this point - you don't
need them. If you use folder redirection via group policy, you can still map
U: to "\\server\share$\%username%\My Documents" in your login script - but
the KB article should apply to home directories as well. You can use folder
redirection to the home directory, but I don't see the point. If you do use
folder redirection at all, my advice would be to untick the option for
"Grant user exclusive access" and make sure the permissions are correct as
per the following.

(and I like to make the parent share hidden from browsing, e.g., users$)

How to dynamically create security-enhanced redirected folders by using
folder redirection in Windows 2000 and in Windows Server 2003
http://support.microsoft.com/kb/274443

---
SUMMARY
In Microsoft Windows 2000 and in Microsoft Windows Server 2003, as an
administrator, you can customize desktops by using Folder Redirection. You
can redirect the following folders by using Active Directory and Group
Policy:
- Application Data
- Desktop
- My Documents
- My Documents/My Pictures
- Start Menu
You can find more information about Folder Redirection by searching Windows
Help for Folder Redirection.

When you redirect folders to a shared location on a network, users need both
read and write access to this location so that the users can read the
contents of these folders. However, in some scenarios, you may not want to
grant read access.


= Create security-enhanced redirected folders =

To make sure that only the user and the domain administrators have
permissions to open a particular redirected folder, do the following:

1. Select a central location in your environment where you would like to
store Folder Redirection, and then share this folder. In this example,
FLDREDIR is used.

2. Set Share Permissions for the Everyone group to Full Control.

3. Use the following settings for NTFS Permissions:
- CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
- System - Full Control (Apply onto: This Folder, Subfolders and Files)
- Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
- Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
- Everyone - List Folder/Read Data (Apply onto: This Folder Only)
- Everyone - Read Attributes (Apply onto: This Folder Only)
- Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

4. Configure Folder Redirection Policy as outlined in Windows Help. Use a
path similar to \\server\FLDREDIR\username to create a folder under the
shared folder, FLDREDIR.

Because the Everyone group has the Create Folder/Append Data right, the
group members have the proper permissions to create the folder; however, the
members are not able to read the data afterwards.

The Username group is the name of the user that was logged on when you
created the folder. Because the folder is a child of the parent folder, it
inherits the permissions that you assigned to FLDREDIR. Also, because the
user is creating the folder, the user gains full control of the folder
because of the Creator Owner Permission setting.


REFERENCES
For additional information, click the article number below to view the
article in the Microsoft Knowledge Base:
232692 (http://support.microsoft.com/kb/232692/EN-US/) Folder Redirection
Feature in Windows
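The share and NTFS settings from steps 2 and 3 of the KB article above, scripted in PowerShell as an added example (not from the thread or the KB): it assumes the share's local path is D:\FLDREDIR, that the share is published hidden as users$ as the reply suggests, and that EXAMPLE is a placeholder for the real domain name.

```powershell
# Assumed local folder backing the FLDREDIR share from the KB article.
$root = 'D:\FLDREDIR'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Step 2: share permissions, Everyone = Full Control; a trailing $ hides the share
# from browsing. net share is available on Server 2003 (New-SmbShare needs 2012+).
net share "users`$=$root" /GRANT:Everyone,FULL | Out-Null

# Step 3: NTFS permissions. Start from a clean ACL that does not inherit from D:\.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$none    = [System.Security.AccessControl.InheritanceFlags]::None
$both    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop0   = [System.Security.AccessControl.PropagationFlags]::None
$inhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# identity, rights, inheritance, propagation (the "Apply onto" column of the KB).
$rules = @(
    # Subfolders and Files only: an inherit-only ACE that never applies to $root itself
    @('CREATOR OWNER',         'FullControl',       $both, $inhOnly),
    # This Folder, Subfolders and Files
    @('NT AUTHORITY\SYSTEM',   'FullControl',       $both, $prop0),
    @('EXAMPLE\Domain Admins', 'FullControl',       $both, $prop0),   # EXAMPLE = placeholder domain
    # This Folder Only: just enough for a user to create and find their own subfolder
    @('Everyone',              'CreateDirectories', $none, $prop0),   # Create Folder / Append Data
    @('Everyone',              'ListDirectory',     $none, $prop0),   # List Folder / Read Data
    @('Everyone',              'ReadAttributes',    $none, $prop0),
    @('Everyone',              'Traverse',          $none, $prop0)    # Traverse Folder / Execute File
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($r[0], $r[1], $r[2], $r[3], $allow)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $root -AclObject $acl

# Check what actually landed on the folder before pointing the redirection policy at it.
(Get-Acl -Path $root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Because every entry is an Allow and Domain Admins hold an explicit Full Control, nobody needs a Deny removed to add or delete user folders, which is the niggle raised in the original question.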
