User Directory NTFS Question

Dennis Procopio

We migrated a file server, manually. Using Folder Redirection with
permissions specified in best practices, we logged each of our users on to
the network and allowed Folder Redirection to create each user directory
under the "Users" share on the new server. We moved the data into each
folder respectively after this process.

The NTFS permissions suggested for the Users share (from MS Knowledge Base)
were that Creator Owner has Full Control on "this folder only." I'm assuming
this was a suggested best practice as MS assumes a new deployment, not a
migration, and that anything created underneath there would be under control
of the owner. Perhaps I'm wrong.

What happens now is that all of the folders list the user with full control
on "this folder only," and after I moved their old data into the folder, they
receive "access is denied" permissions on any given subfolder or file.

I've toyed with changing each user's right on their root folder to "Modify."
When looking at advanced ntfs permissions it then shows "Modify" on "This
folder, subfolders, and files," as well as "Full Control" on "This folder
only."

After applying "Modify" I checked "replace permissions on all child
objects..." and the problem was solved.

Is this a suitable practice? Is there a way that I could allow each user
"modify," respectively, from the root "Users" folder, without going through
the above process on each individual folder?

Also, local administrators group has full control on the root "users"
folder, but it does not seem to be propagating down to its subfolders,
whereas the other permissions on the Users ACL are...

Even a "best practices" permissions set for user folders would be
appreciated. I'd like to be able to get all of my subfolders consistent, as
well as allow consistent permissions on new folders as well.

I also can't tell who is receiving "access is denied" or not because my
users don't always report problems.

Thanks!
 
Re: User Directory NTFS Question

Best practices for Users folders is to grant "Authenticated Users" (or some
prefer EVERYONE) FULL control at the share level which I presume is the
Users folder. For NTFS permissions on the Users folder you should have

Administrators=FULL
System=FULL
Everyone=LIST or READ. Turn on inheritance to all child objects.

At the sub level for your users, i.e. \\Users\UserA, you copy the inherited
permissions, remove Everyone, add userA=FULL, and turn on inheritance to
all child objects.

 
Re: User Directory NTFS Question

Here's what I did:

Share Permissions on "Users": Everyone - Full Control

NTFS Permissions on "Users":

Local Admins - FC - This folder, subfolders, & files
CREATOR OWNER - FC - Subfolders and files only
Domain Admins - FC - This folder, subfolders, & files
Everyone - Traverse Folder.., List Folder.., Read Attributes.., Create Folders.. - This Folder Only
SYSTEM - FC - This folder, subfolders, & files

After creating this folder, I configured Group Policy to create a folder for
the user under the Users share when the user logs in. Here's what the ACL
looks like once folder redirection does its thing (testuser being an example
username):

Local Admins - FC - This folder, subfolders, & files
CREATOR OWNER - FC - Subfolders and files only
Domain Admins - FC - This folder, subfolders, & files
testuser - FC - This folder only
SYSTEM - FC - This folder, subfolders, & files

After doing this, I'd copy or move the data to the user's folder. I'd check
the individual's ACL, ensure that they are the owner, propagate ownership
down to child objects, then propagate NTFS permissions down.

The "FC - This folder only" username entry created by Folder Redirection in
combination with CREATOR OWNER on subfolders and files, including propagation
of ownership/ntfs rights, should allow that user to create new folders and
files in their root directory, as well as modify anything existing that was
migrated.

Looking at effective permissions on test names shows full control for the
user. I'm hoping that this resolved the problem for the data I have moved,
helps others along, and allows for reliable and secure folder creation for
new users on the network.

Thanks for the help.

Dennis Procopio



"SBS Rocker" wrote:

> Best practices for Users folders is to grant "Authenticated Users" (or some
> prefer EVERYONE) FULL control at the share level which I presume is the
> Users folder. For NTFS permissions on the Users folder you should have
>
> Administrators=FULL
> System=FULL
> Everyone=LIST or READ. Turn on inheritance to all child objects.
>
> At the sub level for your users, i.e. \\Users\UserA, you copy the inherited
> permissions, remove Everyone, add userA=FULL, and turn on inheritance to
> all child objects.
 
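The per-folder pass described in the last post (check the owner, propagate ownership down, then propagate NTFS permissions down), sketched as an added PowerShell example that is not part of the original thread. `D:\Users`, `CONTOSO`, and the rule that each folder is named after the user's logon name are assumptions; without `-Repair` the script only reports.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# Assumptions: D:\Users and CONTOSO are placeholders, and each folder under
# the root is named after the logon name of the user it belongs to.
param(
    [string]$Root   = 'D:\Users',
    [string]$Domain = 'CONTOSO',
    [switch]$Repair   # without this switch nothing is changed
)

foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $expected = "$Domain\$($dir.Name)"
    $children = @(Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue)

    # Flag the user folder and every item below it that is owned by someone
    # else, plus children whose ACL is protected (inheritance blocked).
    $findings = foreach ($item in @($dir) + $children) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) {
            [pscustomobject]@{ Path = $item.FullName; Owner = '<unreadable>'; Protected = $null }
            continue
        }
        $isChild   = $item.FullName -ne $dir.FullName
        $protected = $isChild -and $acl.AreAccessRulesProtected
        if ($acl.Owner -ne $expected -or $protected) {
            [pscustomobject]@{ Path = $item.FullName; Owner = $acl.Owner; Protected = $protected }
        }
    }
    $findings   # emitted to the pipeline so the report can be exported

    if ($Repair -and $findings) {
        # Same order as in the post: ownership first, then permissions.
        icacls $dir.FullName /setowner $expected /T /C /Q | Out-Host
        # Reset only the children, so the explicit "This folder only" entry
        # that Folder Redirection put on the user's own folder is kept.
        icacls "$($dir.FullName)\*" /reset /T /C /Q | Out-Host
    }
}
```

Run it once without `-Repair` and pipe the output to `Export-Csv` to see which folders hold migrated data with a foreign owner or blocked inheritance, which also covers users who never reported "access is denied".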