How Prevent Users Can Access Profile-Share

[driezzz]

Hi,

I have made a share (name: UserProfiles) for the roaming profiles for the users.

However, the users can access the share (if they type \\server\UserProfiles) and there they can make folders. Can you prevent that the users can access of make folders there?

Thanks!

 

[ICTCity]

Hi,

I have made a share (name: UserProfiles) for the roaming profiles for the users.

However, the users can access the share (if they type \\server\UserProfiles) and there they can make folders. Can you prevent that the users can access of make folders there?

Thanks!

Right click on UserProfile folder, under SECURITY select ADVANCED and then CHANGE PERMISSIONS.

Here you could delete every user BUT NOT Administrator and/or SYSTEM (if exists). Once you're finished click ADD.

I think your users are in a DOMAIN, if so type DOMAIN USERS, or if you prefer type the name of the group containing allowed users. Then click OK.

Now you should see a list of permission (starting with full control), here are my suggestions:

ALLOW: LIST FOLDER / read data
DENY: everything else

*** DO NOT CHECK >>> DENY > FULL CONTROL ***

Now for each subfolder you should assign a "full control" to the owner. But this is up to you


I hope this can help you

Let me know!

 

[driezzz]

The users are indeed in a domain. I tried your suggestion, but it didn't work, because if a new user logs on, he can't make a folder automatically. The UserProfiles folder is the profile path for the roaming profiles of the users. So the folder must have the permissions to make a folder if a users logs on for the first time.

Now i gave the domainusers the following rights: list folder/read data and create folders/append data (this folder only rights).

Everyrhing works fine that way, except that users can access the server by typing \\server. Then they can access the UserProfiles folder. The only thing they van do there is make folders (nothing else). Because it is a school, I want te prevent that.

I think it is not possible because the users must have create folders rights to make a folder on first logon...

Right click on UserProfile folder, under SECURITY select ADVANCED and then CHANGE PERMISSIONS.

Here you could delete every user BUT NOT Administrator and/or SYSTEM (if exists). Once you're finished click ADD.

I think your users are in a DOMAIN, if so type DOMAIN USERS, or if you prefer type the name of the group containing allowed users. Then click OK.

Now you should see a list of permission (starting with full control), here are my suggestions:

ALLOW: LIST FOLDER / read data
DENY: everything else

*** DO NOT CHECK >>> DENY > FULL CONTROL ***

Now for each subfolder you should assign a "full control" to the owner. But this is up to you


I hope this can help you

Let me know!

 

[ICTCity]

The users are indeed in a domain. I tried your suggestion, but it didn't work, because if a new user logs on, he can't make a folder automatically. The UserProfiles folder is the profile path for the roaming profiles of the users. So the folder must have the permissions to make a folder if a users logs on for the first time.

Now i gave the domainusers the following rights: list folder/read data and create folders/append data (this folder only rights).

Everyrhing works fine that way, except that users can access the server by typing \\server. Then they can access the UserProfiles folder. The only thing they van do there is make folders (nothing else). Because it is a school, I want te prevent that.

I think it is not possible because the users must have create folders rights to make a folder on first logon...

Well... this is not exactly true... you have two choices:
1) You can MANUALLY create each profile folder (bad idea...)
2) Map a network script that runs with admin right to create the folder

Where I work I did that