File access and permission help

[Guest UselessUser]

Hi,

 

I have walked into a new scenario which is odd for me!

 

Basically I have a server which has this structure

 

E:\HomeDirectory\%username%

 

The folder HomeDirectory is shared, with share permissions set as Everyone

Full Access. NTFS permissions have only administrators, creater owner, and

system as full control.

 

If we create a new user in AD with their H drive set to:

 

\\server\HomeDirectory\%username%

 

This creates the folder correctly and it is perfectly usable...

 

Now we have a few users who are right clicking their H and selecting make

available offline, and this is working fine. However I could not do this

myself (I do not run as domain admin etc).. and consequently began to look

into this, (Before a user asks me about it!)

 

Basically I found on the Microsoft docs that offline files checks the parent

of the folder you are trying to make offline for permissions and as I had

none I was getting access denied. The way to fix this is to have the

HomeDirectory share to have read access for everyone etc.

 

Now here is the question, how are people doing this at the moment! And no

they are not admins, and no there are not permissions on the share etc...

 

What I discovered was that if I give myself read access to the share, then

setup the offline files and synchronize it works fine. If I then remove my

read access and reboot the client, it still seems to work? If this is the

case why is there a need to check the parent permissions, and is there a

client registry fix I can use to get around this??

 

Also

 

Imagine the scenario, you are browsing your AD and you find a group with a

strange name, with a few members in it...

 

You then decide to attempt to either delete it or rename it to what it

actually does, but because of the strange name, you have absolutely no idea

what it is for?

 

Is there a tool which can scan folders and list all the ACL's so I can find

out what exactly it gives permission to?

[Guest Meinolf Weber]

Re: File access and permission help

 

Hello UselessUser,

 

Check out this one:

http://technet2.microsoft.com/windowsserver/en/library/f0fe0826-aade-46cc-9323-22657ebb7c511033.mspx?mfr=true

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi,

>

> I have walked into a new scenario which is odd for me!

>

> Basically I have a server which has this structure

>

> E:\HomeDirectory\%username%

>

> The folder HomeDirectory is shared, with share permissions set as

> Everyone Full Access. NTFS permissions have only administrators,

> creater owner, and system as full control.

>

> If we create a new user in AD with their H drive set to:

>

> \\server\HomeDirectory\%username%

>

> This creates the folder correctly and it is perfectly usable...

>

> Now we have a few users who are right clicking their H and selecting

> make available offline, and this is working fine. However I could not

> do this myself (I do not run as domain admin etc).. and consequently

> began to look into this, (Before a user asks me about it!)

>

> Basically I found on the Microsoft docs that offline files checks the

> parent of the folder you are trying to make offline for permissions

> and as I had none I was getting access denied. The way to fix this is

> to have the HomeDirectory share to have read access for everyone etc.

>

> Now here is the question, how are people doing this at the moment! And

> no they are not admins, and no there are not permissions on the share

> etc...

>

> What I discovered was that if I give myself read access to the share,

> then setup the offline files and synchronize it works fine. If I then

> remove my read access and reboot the client, it still seems to work?

> If this is the case why is there a need to check the parent

> permissions, and is there a client registry fix I can use to get

> around this??

>

> Also

>

> Imagine the scenario, you are browsing your AD and you find a group

> with a strange name, with a few members in it...

>

> You then decide to attempt to either delete it or rename it to what it

> actually does, but because of the strange name, you have absolutely no

> idea what it is for?

>

> Is there a tool which can scan folders and list all the ACL's so I can

> find out what exactly it gives permission to?

>