Guest Rickard
Posted October 24, 2007

I've been searching for the correct permissions to put on a shared folder that contains user home directories in our server2003/xp environment. We also do folder redirection of Application Data into the home directory via a domain level group policy.

http://technet2.microsoft.com/windowsserver/en/library/a1b7ce04-708b-4145-830a-cadfc003acd31033.mspx?mfr=true

The above article contains a table under "NTFS permissions required for the root folder" that lists suggested permissions for the root folder into which you do folder redirection, but that's not quite what we have. We have a folder containing home directories and then Application Data is redirected into the home directory. In other words, home directories are located in \\srvxxx\home and Application Data is redirected into \\srvxxx\home\%username%\Application Data. We're curious about which permissions to set on the root folder in which we store home directories. Currently, we have the following permissions set on \\srvxxx\home:

Share permissions - Everyone - Full control

Creator/owner - Full Control - This folder, subfolders, and files
Administrators - Full Control - This folder, subfolders, and files
System - Full Control - This folder, subfolders, and files
Authenticated Users - List Folder/Read Data, Create Folders/Append Data - This folder only

This almost works the way we want it. The home directory is created automatically and virtually all interaction with the home directory as well as the redirected application data folder (inside the home dir) works. The directory is also mapped to H: according to what we specify in the user properties in Active Directory. However, whenever we try to launch Office on a client, we get an error (1324) stating that "Application Data" contains an illegal character. After many hours of trial and error, I have been able to determine that in order for Office to start up properly, we need to add the "Read Attributes" permission to the root home directory (\\srvxxx\home). If we do, then Office works like a charm. However, with "Read Attributes" enabled, users are able to list the folder contents of \\srvxxx\home and we definitely don't want that. Remove "Read Attributes" and they get a permission error (good), but then Office breaks.

Can anyone point me in the right direction regarding this permission soup? Everywhere I look, people recommend different settings. This is driving me crazy!

Cheers,
Rickard

Guest Anthony
Posted October 24, 2007

Re: Home directory permission soup

Hi Rickard,
I _think_ it will work to change the "Read Attributes" to "Traverse" but it is a while since I tested it. You can also use Home$ to deter casual browsing. Finally, Windows up to R2 is relaxed about users being able to see folders they don't have access to, but R2 provides ABE if you want to explicitly prevent it.
Hope that helps.
Anthony, http://www.airdesk.co.uk

"Rickard" <rickard.andersson@gmail.com> wrote in message news:1193239185.423893.290430@e9g2000prf.googlegroups.com...
> I've been searching for the correct permissions to put on a shared
> folder that contains user home directories in our server2003/xp
> environment. We also do folder redirection of Application Data into
> the home directory via a domain level group policy.
>
> http://technet2.microsoft.com/windowsserver/en/library/a1b7ce04-708b-4145-830a-cadfc003acd31033.mspx?mfr=true
>
> The above article contains a table under "NTFS permissions required
> for the root folder" that lists suggested permissions for the root
> folder into which you do folder redirection, but that's not quite what
> we have. We have a folder containing home directories and then
> Application Data is redirected into the home directory. In other
> words, home directories are located in \\srvxxx\home and Application
> Data is redirected into \\srvxxx\home\%username%\Application Data.
> We're curious about which permissions to set on the root folder in
> which we store home directories. Currently, we have the following
> permissions set on \\srvxxx\home:
>
> Share permissions - Everyone - Full control
>
> Creator/owner - Full Control - This folder, subfolders, and files
> Administrators - Full Control - This folder, subfolders, and files
> System - Full Control - This folder, subfolders, and files
> Authenticated Users - List Folder/Read Data, Create Folders/Append
> Data - This folder only
>
> This almost works the way we want it. The home directory is created
> automatically and virtually all interaction with the home directory as
> well as the redirected application data folder (inside the home dir)
> works. The directory is also mapped to H: according to what we specify
> in the user properties in Active Directory. However, whenever we try
> to launch Office on a client, we get an error (1324) stating that
> "Application Data" contains an illegal character. After many hours of
> trial and error, I have been able to determine that in order for
> Office to start up properly, we need to add the "Read Attributes"
> permission to the root home directory (\\srvxxx\home). If we do, then
> Office works like a charm. However, with "Read Attributes" enabled,
> users are able to list the folder contents of \\srvxxx\home and we
> definitely don't want that. Remove "Read Attributes" and they get a
> permission error (good), but then Office breaks.
>
> Can anyone point me in the right direction regarding this permission
> soup? Everywhere I look, people recommend different settings. This is
> driving me crazy!
>
> Cheers,
> Rickard
>
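
The root-folder ACL listed in the question, written out as a PowerShell script so the two candidate rights from the thread ("Read Attributes" and "Traverse") can be tested one at a time on a lab copy. This is an added example, not code from either poster; the local path `D:\Home` behind `\\srvxxx\home` and the `-ExtraRight` parameter are assumptions.

```powershell
# Added example. $Root is an assumed local path for the folder shared as \\srvxxx\home.
param(
    [string]$Root = 'D:\Home',
    # Extra right for Authenticated Users on the root folder only:
    # 'ReadAttributes' is what the question found Office needs,
    # 'Traverse' is the untested alternative suggested in the reply.
    [ValidateSet('None', 'ReadAttributes', 'Traverse')]
    [string]$ExtraRight = 'None'
)

# "List Folder/Read Data" and "Create Folders/Append Data" from the question.
$userRights = 'ListDirectory, CreateDirectories'
if ($ExtraRight -ne 'None') { $userRights = "$userRights, $ExtraRight" }

# identity, rights, inheritance ('None' = "This folder only")
$wanted = @(
    @('CREATOR OWNER',                    'FullControl', 'ContainerInherit, ObjectInherit'),
    @('BUILTIN\Administrators',           'FullControl', 'ContainerInherit, ObjectInherit'),
    @('NT AUTHORITY\SYSTEM',              'FullControl', 'ContainerInherit, ObjectInherit'),
    @('NT AUTHORITY\Authenticated Users', $userRights,   'None')
)

$acl = Get-Acl -LiteralPath $Root

# Stop inheriting from the parent and discard inherited entries,
# then clear explicit entries so only the four rules above remain.
$acl.SetAccessRuleProtection($true, $false)
foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }

foreach ($w in $wanted) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $w[0], $w[1], $w[2], 'None', 'Allow')
    $acl.AddAccessRule($ace)
}

Set-Acl -LiteralPath $Root -AclObject $acl

# Print the resulting entries so the "This folder only" scope can be confirmed.
(Get-Acl -LiteralPath $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

After each run, check from a non-admin test account whether `\\srvxxx\home` can still be listed and whether Office starts; the script only sets NTFS permissions and leaves the share permissions untouched.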