Windows 2000 share security

A

Allison

I have set up profiles for my Windows 2000 users (primarily because we are
using Citrix). All of the profiles take the form of the username, and all
profiles are located under one folder which is shared. Whenever a profile
is created, the user's profile folder will give the local Administrators
Group, System Account, and the User Account full control over that directory
and it's contents. Also, the permissions on the profile folder is not set
to allow inheritance. What I want to do is give one of my system
technicians the ability to modify or delete any of these profiles for admin
functions. Whenever a profile is created, I need this technician's account
to have Full Control over all of the profiles much like the way the
Administrators Group, System Account, and the User Account are. Is there a
way to set this to be the default permissions on any new profile folders?

Thanks
 
E

Eric Shen [MSFT]

Hi Allison,

In order to change the NTFS default permission of a folder, the best way is
to use inheritance. Assign the default permissions as Administrators Group,
System Account, and the User Account as well as the technician to the top
level folder and let the child folders inherit this permission. In this
case, the child folder can still have their personalized permission which
is unique.

For example,

TOPFLDR <Te-Full Control>
- FLDRA <USRA-Full Control>
- FLDRB <USRB-Full Control>

In this case, FLDRA and FLDRB will inherit the permission of Te and then
add their own permission for the specific user. Te can access all the
folders but USRA and USRB can only access their own folder.

As an alternative way, you can use Xcals.exe to add the permissions
manually if you wouldn't use inheritance. Please refer to the following
article:

318754 HOW TO: Use Xcacls.exe to Modify NTFS Permissions
http://support.microsoft.com/?id=318754

Please check the above information and then let me know if you have further
questions. I look forward to hearing from you.

Regards,

Eric Shen
Product Support Services
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

Get Secure! - www.microsoft.com/security
 
A

Allison

Thanks Eric.

I do however have one more question. If I were to create a new user and a
profile, I would have to manually go to that user's folder and set
inheritance, correct? From what I have seen, a new profile folder does not
have inheritance checked by default.
 
E

Eric Shen [MSFT]

Hi Allison,

Profile folder is generated automatically by system. System creates it and
then set the permissions on it so it will not inherit the permission from
the parent folder. You can try to use xcacls.exe in this case. Please feel
free to let me know if you encounter difficulties.

I look forward to hearing from you.

Regards,

Eric Shen
Product Support Services
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

Get Secure! - www.microsoft.com/security
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top