home directory permissions

jon

Hi all,

Our users are initially set up with a home directory on our windows
2000 domain controller. We do this as explained in
http://support.microsoft.com/?kbid=320043. I know by design, when this
is done, the permissions are set to administrators - full control and
%username% full control. This is working just fine. My question is:
Is there a way to change those default permissions or groups? Can it
be set up to give full control to the user and administrator and
inherit permissions from the parent directory? The reason is, I would
like another group (Help Desk) to have read permissions on all home
directories. I can do this manually for each user's home directory with
the administrator account but having it set up by default would be
preferred.

Thanks in advance.
 
Peter_Julian

| Hi all,
|
| Our users are initially set up with a home directory on our windows
| 2000 domain controller. We do this as explained in
| http://support.microsoft.com/?kbid=320043. I know by design, when this
| is done, the permissions are set to administrators - full control and
| %username% full control. This is working just fine. My question is:
| Is there a way to change those default permissions or groups? Can it
| be set up to give full control to the user and administrator and
| inherit permissions from the parent directory? The reason is, I would
| like another group (Help Desk) to have read permissions on all home
| directories. I can do this manually for each user's home directory with
| the administrator account but having it set up by default would be
| preferred.
|
| Thanks in advance.
|

First off: a user's home directory should only be accessible by the user
and the system, not the administrator. Users' home folders should not
inherit from the \Users root (and by default, they don't). So even the
admin can't modify files there without the user knowing it (he needs to
take ownership, which the admin can't then give away). It's a question of
principle: admin is not God, and you need to give your users every
possible incentive to rely on home folders for documents that need
backups and remote access.

What you may consider is simply creating a group called HomeReader, for
example, placing admin and help desk members in it and modifying the
home folders collectively to afford HomeReaders read access. If that's
not good enough, then create a hidden share as the root (\Users$),
preferably on a separate partition.

Your server has enough work to do that it need not have to fight with
opportunistic locks because someone at the help desk has write-opened a
session with a file that the user is actively modifying. That's begging
for problems and a much more difficult server/domain to maintain.

The only way I can access a user's folder is to NetMeeting, VNC or SMS
remote into his station. And that's how it should be.
Not to mention quotas and a simple service running as SYSTEM to check
for illegal file extensions being stored.

Here is a guide in case you prefer the other way:

Create a hidden share (i.e. d:\Users$)

set the share permission to Authenticated Users = Full Control

set the NTFS permissions to...
Creator/Owner = Full Control (Subfolders and Files)
System = Full Control (This folder, Subfolders and Files)
User Groups = List Folder/Read Data and
Create Folders/Append Data (This Folder Only)
Administrators = None
Everyone = None

set the home folder: \\Server\Users$\%username%
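The guide above, written out as an added PowerShell example that is not part of the thread or of anything Peter_Julian posted. The thread is about Windows 2000, where these settings are applied in the folder's Security tab or with cacls; this script assumes a modern Windows Server (New-SmbShare needs Windows Server 2012 or later). The path D:\Users, the share name Users$ and the group "Domain Users" (standing in for the guide's "User Groups") are assumed values, not taken from the thread.

```powershell
# Added example: hidden home-folder root share with the NTFS ACL from the guide.
# Assumptions (not from the thread): D:\Users as the root, Users$ as the share name,
# "Domain Users" as the user group. Run from an elevated PowerShell on the file server.

$Root      = 'D:\Users'
$ShareName = 'Users$'          # trailing $ hides the share from browse lists
$UserGroup = 'Domain Users'    # stands in for the guide's "User Groups"

if (-not (Test-Path $Root)) { New-Item -ItemType Directory -Path $Root | Out-Null }

# Share permission: Authenticated Users = Full Control. The NTFS ACL below does the
# real restriction; the share permission only has to let everyone reach their own folder.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Authenticated Users' | Out-Null
}

$acl = Get-Acl -Path $Root
# Stop inheriting from D:\ and discard the inherited entries, so the three rules added
# below are the entire ACL (Administrators = None, Everyone = None in the guide).
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

$Inherit = [System.Security.AccessControl.InheritanceFlags]
$Prop    = [System.Security.AccessControl.PropagationFlags]
$Rights  = [System.Security.AccessControl.FileSystemRights]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Creator/Owner = Full Control, "Subfolders and Files" (InheritOnly: not on the root itself).
# Whoever creates a folder under the root becomes its owner and gets full control of it.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CREATOR OWNER', $Rights::FullControl,
    ($Inherit::ContainerInherit -bor $Inherit::ObjectInherit), $Prop::InheritOnly, $Allow)))

# System = Full Control, "This folder, Subfolders and Files" (backup and quota services).
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', $Rights::FullControl,
    ($Inherit::ContainerInherit -bor $Inherit::ObjectInherit), $Prop::None, $Allow)))

# User group = List Folder/Read Data + Create Folders/Append Data, "This Folder Only".
# ListDirectory and CreateDirectories are the folder names of those two rights. With no
# inheritance flags, a user can create his own folder but gets nothing inside other users'.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $UserGroup, ($Rights::ListDirectory -bor $Rights::CreateDirectories),
    $Inherit::None, $Prop::None, $Allow)))

Set-Acl -Path $Root -AclObject $acl

# Check: the root's ACL should show exactly the three entries above and nothing inherited.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The last step of the guide, pointing the account at \\Server\Users$\%username%, is done per user in Active Directory Users and Computers (or with Set-ADUser -HomeDirectory and -HomeDrive on a server with the AD module); when the folder is created on the user's behalf it is the user, not the administrator, who ends up as owner, which is what the Creator/Owner entry relies on. Removing the inherited entries is the part to double-check: run the Get-Acl line before and after so you can see that no Administrators or Everyone entry survives on the root.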