Permissions on large file server

[Guest Andrew Hodgson]

Hi all,

 

I have a question about permissions on a large file server we have at

the office.

 

We set up the server with a large drive (d:), and have the default

permissions on the root of the volume. We created directories in the

volume, and defined explicit permissions, blocking inheritance, and

removed all the default permissions barring the domain administrator,

the groups that need access to the relevant folder, and the local

administrator. We then shared the relevant directories out using

share permissions as the relevant groups that need access.

 

In the directories holding user profiles and the folders for the My

Documents redirection, we created the relevant folders and added the

relevant admin accounts to the list. We then added the domain users

group to be able to view directories under this folder, but defined

that this should only apply to the folder and nothing underneath it.

This works well - when we create a user, we create the folder, and

give the relevant user full control of the folder. The domain users

group does not appear in this folder, and the parent permissions are

inherited.

 

We are now wanting to take this a step further, by looking at how

specific users can gain access to the relevant folders for

administrative purposes, such as to change permissions on the relevant

folders (all folders on the server), without having to log in as the

domain administrator. We are quite happy if they could log in under

another domain account which has the relevant rights to do this, we

just need them to log in under an account which will be audited,

unlike the domain admin account, where anyone who knows the relevant

passwords can gain access therein.

 

Also, if there is a more secure way of doing the permissions for the

relevant profile/redirection directories, I would be interested to

know. We have seen for example that Vista (if left to create the

relevant directories) seems to set explicit permissions to the user,

barring the administrator or anyone else from accessing the files

underneath (unless the admin takes ownership of the folder).

 

We are using Windows Server 2003 R2 (SP2). Our domain is Windows

Server 2008 native, so if there would be any advantage in us upgrading

the file server to that, we would be interested to know.

 

Looking forward to anyone's thoughts in this matter,

Thanks,

Andrew.

[Guest Lanwench [MVP - Exchange]]

Re: Permissions on large file server

 

Andrew Hodgson <me3@privacy.net> wrote:

> Hi all,

>

> I have a question about permissions on a large file server we have at

> the office.

>

> We set up the server with a large drive (d:), and have the default

> permissions on the root of the volume. We created directories in the

> volume, and defined explicit permissions, blocking inheritance, and

> removed all the default permissions barring the domain administrator,

> the groups that need access to the relevant folder, and the local

> administrator. We then shared the relevant directories out using

> share permissions as the relevant groups that need access.

>

> In the directories holding user profiles and the folders for the My

> Documents redirection, we created the relevant folders and added the

> relevant admin accounts to the list. We then added the domain users

> group to be able to view directories under this folder, but defined

> that this should only apply to the folder and nothing underneath it.

> This works well - when we create a user, we create the folder and

> give the relevant user full control of the folder. The domain users

> group does not appear in this folder, and the parent permissions are

> inherited.

>

> We are now wanting to take this a step further, by looking at how

> specific users can gain access to the relevant folders for

> administrative purposes, such as to change permissions on the relevant

> folders (all folders on the server), without having to log in as the

> domain administrator. We are quite happy if they could log in under

> another domain account which has the relevant rights to do this, we

> just need them to log in under an account which will be audited,

> unlike the domain admin account, where anyone who knows the relevant

> passwords can gain access therein.

>

> Also, if there is a more secure way of doing the permissions for the

> relevant profile/redirection directories, I would be interested to

> know. We have seen for example that Vista (if left to create the

> relevant directories) seems to set explicit permissions to the user,

> barring the administrator or anyone else from accessing the files

> underneath (unless the admin takes ownership of the folder).

>

> We are using Windows Server 2003 R2 (SP2). Our domain is Windows

> Server 2008 native, so if there would be any advantage in us upgrading

> the file server to that, we would be interested to know.

>

> Looking forward to anyone's thoughts in this matter,

> Thanks,

> Andrew.

 

Dunno if this will do everything you wish, but ee

 

 

How to dynamically create security-enhanced redirected folders by using

folder redirection in Windows 2000 and in Windows Server 2003

 

http://support.microsoft.com/kb/274443

 

---

SUMMARY

In Microsoft Windows 2000 and in Microsoft Windows Server 2003, as an

administrator, you can customize desktops by using Folder Redirection. You

can redirect the following folders by using Active Directory and Group

Policy:

.. Application Data

.. Desktop

.. My Documents

.. My Documents/My Pictures

.. Start Menu

You can find more information about Folder Redirection by searching Windows

Help for Folder Redirection.

 

When you redirect folders to a shared location on a network, users need both

read and write access to this location so that the users can read the

contents these folders. However, in some scenarios, you may not want to

grant read access.

 

 

= Create security-enhanced redirected folders =

 

To make sure that only the user and the domain administrators have

permissions to open a particular redirected folder, do the following:

 

1. Select a central location in your environment where you would like to

store Folder Redirection, and then share this folder. In this example,

FLDREDIR is used.

 

2. Set Share Permissions for the Everyone group to Full Control.

 

3. Use the following settings for NTFS Permissions:

. CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)

. System - Full Control (Apply onto: This Folder, Subfolders and Files)

. Domain Admins - Full Control (Apply onto: This Folder, Subfolders

and Files)

. Everyone - Create Folder/Append Data (Apply onto: This Folder Only)

. Everyone - List Folder/Read Data (Apply onto: This Folder Only)

. Everyone - Read Attributes (Apply onto: This Folder Only)

. Everyone - Traverse Folder/Execute File (Apply onto: This Folder

Only)

 

4. Configure Folder Redirection Policy as outlined in Windows Help. Use a

path similar to \\server\FLDREDIR\username to create a folder under the

shared folder, FLDREDIR.

 

Because the Everyone group has the Create Folder/Append Data right, the

group members have the proper permissions to create the folder; however, the

members are not able to read the data afterwards.

 

The Username group is the name of the user that was logged on when you

created the folder. Because the folder is a child of the parent folder, it

inherits the permissions that you assigned to FLDREDIR. Also, because the

user is creating the folder, the user gains full control of the folder

because of the Creator Owner Permission setting.

 

 

REFERENCES

For additional information, click the article number below to view the

article in the Microsoft Knowledge Base:

232692 (http://support.microsoft.com/kb/232692/EN-US/) Folder Redirection

Feature in Windows