Lee
Summary: When a client logoff process creates a user's
roaming profile folder it does obey NTFS settings on the
profile root.
Details:
* Windows 2000/2003 server, Windows 2000/XP client
* Share permissions on profile root: everyone:full
* NTFS settings on profile root (CACLS format):
Inheritance:ON
authenticated users:create (this folder only)
creator owner:MODIFY (OI)(CI)(NP)(IO)
<domain>\Profile Admins:Full (OI)(CI)
administrators:full (OI)(CI)
system:full (OI)(CI)
* When a generic subfolder is created by a normal user
using Explorer, it inherits the proper permissions. I.e.
the user does NOT have full control of the created folder.
* When the subfolder (%username%.pds) is created by the
logon/logoff process it does NOT inherit permissions and
contains the following ACL:
Inheritance:OFF
administrators:full
system:full
<domain>\%username%:full
* This behavior has been replicated across many servers
and many clients
How is this possible???
The parent ACL says that normal users cannot create child
objects and maintain permission authority! This is
reflected when an object is created with Explorer. It
acts like there is some special communication between the
client and server saying that a profile is being written.
NTFS isn't broken, right? I am at a loss.
aTdHvAaNnKcSe
- Lee
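An added audit script (not from the original post) to check the symptom described above across a profile root: it lists each subfolder, reports whether ACL inheritance from the root has been switched off, and flags folders where the matching user holds an explicit Full Control ACE instead of the inherited CREATOR OWNER Modify. The share path and domain name are placeholders; folder names are assumed to follow the %username%.pds convention from the post.

```powershell
# Added example: audit subfolders of a roaming-profile root for the ACL pattern
# described in the post (inheritance OFF, <domain>\%username%:full).
# Assumptions: $ProfileRoot and $Domain are placeholders you replace;
# subfolders are named "<username>.pds" (or just "<username>").
param(
    [string]$ProfileRoot = '\\FILESERVER\Profiles',   # placeholder share path
    [string]$Domain      = 'DOMAIN'                    # placeholder NetBIOS domain
)

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

$results = foreach ($dir in Get-ChildItem -Path $ProfileRoot -Directory) {
    $acl  = Get-Acl -Path $dir.FullName
    # Recover the user name from "<username>.pds"
    $user = $dir.Name -replace '\.pds$', ''

    # ACEs that name this folder's user directly (inherited or explicit)
    $userRules = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq "$Domain\$user"
    }
    # Does any of those ACEs grant the full FullControl mask?
    $userFull = $userRules | Where-Object {
        ($_.FileSystemRights -band $FullControl) -eq $FullControl
    }

    [pscustomobject]@{
        Folder             = $dir.Name
        InheritanceOff     = $acl.AreAccessRulesProtected   # True = inheritance disabled
        UserHasFullControl = [bool]$userFull
        UserAceInherited   = [bool]($userRules | Where-Object { $_.IsInherited })
        ExplicitAceCount   = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        Owner              = $acl.Owner
    }
}

# Folders showing the pattern from the post: inheritance off AND the user
# holding an explicit Full Control ACE. Explorer-created folders should
# instead show InheritanceOff=False and an inherited (Modify) ACE.
$results |
    Where-Object { $_.InheritanceOff -and $_.UserHasFullControl -and -not $_.UserAceInherited } |
    Format-Table -AutoSize
```

Run it from an account that can read the ACLs on the share; compare the flagged set against folders created through Explorer to confirm the two creation paths really produce different ACLs.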