User Directory NTFS Question


Guest Dennis Procopio
Posted

We migrated a file server, manually. Using Folder Redirection with permissions specified in best practices, we logged each of our users on to the network and allowed Folder Redirection to create each user directory under the "Users" share on the new server. We moved the data into each folder respectively after this process.

The NTFS permissions suggested for the Users share (from MS Knowledge Base) were that Creator Owner has Full Control on "this folder only." I'm assuming this was a suggested best practice as MS assumes a new deployment, not a migration, and that anything created underneath there would be under control of the owner. Perhaps I'm wrong.

What happens now is that all of the folders list the user with full control on "this folder only," and after I moved their old data into the folder, they receive "access is denied" permissions on any given subfolder or file.

I've toyed with changing each user's right on their root folder to "Modify." When looking at advanced ntfs permissions it then shows "Modify" on "This folder, subfolders, and files," as well as "Full Control" on "This folder only."

After applying "Modify" I checked "replace permissions on all child objects..." and the problem was solved.

Is this a suitable practice? Is there a way that I could allow each user "modify," respectively, from the root "Users" folder, without going through the above process on each individual folder?

Also, local administrators group has full control on the root "users" folder, but it does not seem to be propagating down to its subfolders, whereas the other permissions on the Users ACL are...

Even a "best practices" permissions set for user folders would be appreciated. I'd like to be able to get all of my subfolders consistent, as well as allow consistent permissions on new folders as well.

I also can't tell who is receiving "access is denied" or not because my users don't always report problems.

Thanks!

Guest SBS Rocker
Posted

Re: User Directory NTFS Question

 

Best practices for Users folders is to grant "Authenticated Users" (or some prefer EVERYONE) FULL control at the share level which I presume is the Users folder. For NTFS permissions on the Users folder you should have

Administrators=FULL

System=FULL

Everyone=LIST or READ turn on Inheritance to all child objects.

At the sub level for your users, i.e. \\Users\UserA, you copy the Inherited permissions, remove Everyone, add the userA=FULL and turn on inheritance to all child objects.

 

 


Guest Dennis Procopio
Posted

Re: User Directory NTFS Question

 

Here's what I did:

Share Permissions on "Users": Everyone - Full Control

NTFS Permissions on "Users":

Local Admins - FC - This folder, subfolders, & files

CREATOR OWNER - FC - Subfolders and files only

Domain Admins - FC - This folder, subfolders, & files

Everyone - Traverse Folder.., List Folder.., Read Attributes.., Create Folders.. - This Folder Only

SYSTEM - FC - This folder, subfolders, & files

After creating this folder, I configured Group Policy to create a folder for the user under the Users share when the user logs in. Here's what the ACL looks like once folder redirection does its thing (testuser being an example username):

Local Admins - FC - This folder, subfolders, & files

CREATOR OWNER - FC - Subfolders and files only

Domain Admins - FC - This folder, subfolders, & files

testuser - FC - This folder only

SYSTEM - FC - This folder, subfolders, & files

After doing this, I'd copy or move the data to the user's folder. I'd check the individual's ACL, ensure that they are the owner, propagate ownership down to child objects, then propagate NTFS permissions down.

The "FC - This folder only" username entry created by Folder Redirection in combination with CREATOR OWNER on subfolders and files, including propagation of ownership/ntfs rights, should allow that user to create new folders and files in their root directory, as well as modify anything existing that was migrated.

Looking at effective permissions on test names shows full control for the user. I'm hoping that this resolved the problem for the data I have moved, helps others along, and allows for reliable and secure folder creation for new users on the network.

Thanks for the help.

 

Dennis Procopio
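
The repair sequence described in the post above (confirm the owner, push ownership down, then push permissions down), scripted with `icacls` as an added example that is not part of the original thread. The root path `D:\Users`, the domain name `CONTOSO`, and the convention that each folder is named after the owning account are assumptions; the owner check also covers the earlier question of how to find affected users who never reported a problem.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# Assumptions: root path, domain name, and folder name == account name.
$Root   = 'D:\Users'
$Domain = 'CONTOSO'

function Find-OwnerMismatch {
    # Lists migrated items whose owner is not the folder's user. These are the
    # items where an inherited CREATOR OWNER entry does not resolve to the user.
    param([System.IO.DirectoryInfo]$Folder)
    $expected = "$Domain\$($Folder.Name)"
    Get-ChildItem -LiteralPath $Folder.FullName -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { (Get-Acl -LiteralPath $_.FullName).Owner -ne $expected } |
        Select-Object -ExpandProperty FullName
}

function Repair-UserFolder {
    param([System.IO.DirectoryInfo]$Folder)
    $account = "$Domain\$($Folder.Name)"

    # Step 1: make the user the owner of the folder and everything below it.
    # /T recurses, /C continues past errors, /Q suppresses success messages.
    icacls $Folder.FullName /setowner $account /T /C /Q | Out-Null

    # Step 2: replace the ACLs on the children with inherited entries only.
    # The folder itself is left alone so the explicit "user - FC - This folder
    # only" entry created by Folder Redirection stays in place. Ownership is
    # set first so the inherited CREATOR OWNER entry applies to the user,
    # which is the order the post follows.
    icacls (Join-Path $Folder.FullName '*') /reset /T /C /Q | Out-Null
}

# Audit every user folder, repair only those with mismatched owners,
# then re-check and report anything that still does not match.
Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $bad = @(Find-OwnerMismatch $_)
    if ($bad.Count -gt 0) {
        '{0}: {1} item(s) not owned by the user, repairing' -f $_.Name, $bad.Count
        Repair-UserFolder $_
        $left = @(Find-OwnerMismatch $_)
        if ($left.Count -gt 0) {
            '{0}: {1} item(s) still mismatched, review manually' -f $_.Name, $left.Count
        }
    }
}
```

Running only the audit function first gives a list of affected folders without changing any ACLs.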

 

 

 


