
Home directory permission soup



Guest Rickard
Posted

I've been searching for the correct permissions to put on a shared folder that contains user home directories in our server2003/xp environment. We also do folder redirection of Application Data into the home directory via a domain level group policy.

http://technet2.microsoft.com/windowsserver/en/library/a1b7ce04-708b-4145-830a-cadfc003acd31033.mspx?mfr=true

The above article contains a table under "NTFS permissions required for the root folder" that lists suggested permissions for the root folder into which you do folder redirection, but that's not quite what we have. We have a folder containing home directories and then Application Data is redirected into the home directory. In other words, home directories are located in \\srvxxx\home and Application Data is redirected into \\srvxxx\home\%username%\Application Data. We're curious about which permissions to set on the root folder in which we store home directories. Currently, we have the following permissions set on \\srvxxx\home:

Share permissions - Everyone - Full control

Creator/owner - Full Control - This folder, subfolders, and files
Administrators - Full Control - This folder, subfolders, and files
System - Full Control - This folder, subfolders, and files
Authenticated Users - List Folder/Read Data, Create Folders/Append Data - This folder only

This almost works the way we want it. The home directory is created automatically and virtually all interaction with the home directory as well as the redirected application data folder (inside the home dir) works. The directory is also mapped to H: according to what we specify in the user properties in Active Directory. However, whenever we try to launch Office on a client, we get an error (1324) stating that "Application Data" contains an illegal character. After many hours of trial and error, I have been able to determine that in order for Office to start up properly, we need to add the "Read Attributes" permission to the root home directory (\\srvxxx\home). If we do, then Office works like a charm. However, with "Read Attributes" enabled, users are able to list the folder contents of \\srvxxx\home and we definitely don't want that. Remove "Read Attributes" and they get a permission error (good), but then Office breaks.

Can anyone point me in the right direction regarding this permission soup? Everywhere I look, people recommend different settings. This is driving me crazy!

Cheers,
Rickard


Guest Anthony
Posted

Re: Home directory permission soup

Hi Rickard,

I _think_ it will work to change the "Read Attributes" to "Traverse" but it is a while since I tested it.

You can also use Home$ to deter casual browsing.

Finally, Windows up to R2 is relaxed about users being able to see folders they don't have access to, but R2 provides ABE if you want to explicitly prevent it.

Hope that helps.

Anthony, http://www.airdesk.co.uk

 

 

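The root-folder ACL from Rickard's post, written out as an added PowerShell example (not code from either poster) so that the two variants discussed in the thread, "Read Attributes" and the "Traverse" right Anthony suggests trying, can be built and compared in memory without touching the share. Well-known SIDs stand in for the account names; `New-Rule` and `$ExtraRight` are names chosen for this example.

```powershell
# Added example: the ACL is built in memory only; nothing on disk is changed.
param(
    # Right under test on the root: 'ReadAttributes' (Rickard) or 'Traverse' (Anthony)
    [string]$ExtraRight = 'Traverse'
)
$fsr = [System.Security.AccessControl.FileSystemRights]

# Hypothetical helper: one Allow ACE for a SID with the given rights and scope
function New-Rule([string]$Sid, [string]$Rights, [string]$Inherit) {
    $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
    $ctorArgs = @(
        $id,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AccessControlType]'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
}

$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)      # do not inherit from the parent
$all = 'ContainerInherit, ObjectInherit'         # "This folder, subfolders, and files"
$rules = @(
    (New-Rule 'S-1-3-0'      'FullControl' $all),   # CREATOR OWNER
    (New-Rule 'S-1-5-32-544' 'FullControl' $all),   # Administrators
    (New-Rule 'S-1-5-18'     'FullControl' $all),   # SYSTEM
    # Authenticated Users, "This folder only" (no inheritance flags)
    (New-Rule 'S-1-5-11' "ListDirectory, CreateDirectories, $ExtraRight" 'None')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

# SDDL form of the DACL, convenient for diffing the two variants
$acl.GetSecurityDescriptorSddlForm('Access')

# Per-ACE view of the individual rights named in the thread
$sidType = [System.Security.Principal.SecurityIdentifier]
$acl.GetAccessRules($true, $false, $sidType) | Select-Object `
    @{n='Sid';            e={$_.IdentityReference.Value}},
    @{n='ThisFolderOnly'; e={$_.InheritanceFlags -eq 'None'}},
    @{n='ListFolder';     e={[bool]($_.FileSystemRights -band $fsr::ListDirectory)}},
    @{n='CreateFolders';  e={[bool]($_.FileSystemRights -band $fsr::CreateDirectories)}},
    @{n='Traverse';       e={[bool]($_.FileSystemRights -band $fsr::Traverse)}},
    @{n='ReadAttributes'; e={[bool]($_.FileSystemRights -band $fsr::ReadAttributes)}} |
    Format-Table -AutoSize
```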