Modify permission on an NTFS ACL *does* include DELETE.

Anyway, what Steve suggests is simply not possible to achieve without
workarounds such as 'resetting the acl' regularly.  Here's why, and a
suggestion.

1) The CREATOR/OWNER of a file or folder ALWAYS can change permission on
that file or folder.  There's no way to prevent that.  In other words,
if you let a user save a file, they CAN change permission.

2) The only workaround I've heard for this (and I've not tested it
myself but it is on good authority) is to set a SHARE permission of
MODIFY (not Full Control).  The lack of full control on a share
apparently prohibits anyone (including the owner) from changing an
ACL... cool assuming it's true, though managing share permissions is a
whole other can of worms, and PLEASE don't go there with this thread.
It's a solution, not a perfect one (and there isn't a perfect solution
given Steve's requirements).

3) You can *always* "provision" anything in windows.  Go bananas with a
script or process that creates the folder for the user with the right
permissions on that user's folder, and then of course you can restrict
the root more.  The permissions I listed are the minimum required
permissions for out-of-box Windows functionality.

Hope this helps.

D



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 31, 2005 4:35 PM
To: [email protected]
Subject: RE: [ActiveDir] Home Directories

Are you sure about that? 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dryden, Karen
Sent: Tuesday, May 31, 2005 6:47 PM
To: [email protected]
Subject: RE: [ActiveDir] Home Directories

Modify rights don't give them the ability to delete files/folders. You
have to go to the Advanced tab on permissions and edit their rights and
check the box to enable them to delete their own home drive
files/folders.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Tuesday, May 31, 2005 5:10 AM
To: [email protected]
Subject: RE: [ActiveDir] Home Directories


The trouble is that Microsoft's idea of "locked down" and my idea of
"locked down" don't match...

I work in a college (and I think Debbie works in a similar environment)
and there's no way I'd give users full control over even their own
folders - the most they get is "modify" on everything in their user
area. (Giving full allows them to change permissions - most will do this
accidentally and manage to remove themselves from the list or they will
give access to other users. In a work environment this may be a good
thing - it allows users to share work on an ad-hoc basis. For students,
it's typically a way to move "pirate" material around...)

There's also a problem in that if users can create folders in the root
share then they will - again, some will do this accidentally and lose
work in that way; others will do it maliciously. Whichever, when you
have 14,000 folders to worry about you don't want odd ones sneaking in
:-)

The downside of this is that you can't then have the folder created by
the redirection process as the user logs on; no big deal - we script the
user creation so we also create the home folder with the permissions we
want (admins, system - full; user - modify).

On a regular basis we also force the permissions and ownership back to
what they should be - I've found setacl (http://setacl.sourceforge.net)
to be easier to use for this than subinacl.

Steve
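As an added example (not code from any poster in this thread) of the provisioning D describes in point 3 and of Steve's scripted home-folder creation with admins/system full and user modify: it assumes an elevated PowerShell session on the file server, an assumed home root such as H:\home1, and a domain account that already exists. The second function covers Steve's periodic reset step by reporting, rather than resetting, folders whose owner or explicit ACEs have drifted.

```powershell
# Added example, not code from any poster in this thread. Assumes an elevated
# admin session on the file server, a home root such as H:\home1 (assumed
# path) and a user account that already exists in the domain.

function New-HomeFolder {
    param(
        [Parameter(Mandatory)] [string] $HomeRoot,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Domain = $env:USERDOMAIN
    )
    $path = Join-Path $HomeRoot $SamAccountName
    if (Test-Path $path) { throw "Home folder already exists: $path" }
    $null = New-Item -ItemType Directory -Path $path

    $acl = Get-Acl -Path $path
    # Stop inheriting the root's ACEs so only the explicit entries below apply.
    $acl.SetAccessRuleProtection($true, $false)
    # Keep Administrators as owner: the user is never CREATOR OWNER of the
    # folder, so the owner's implicit right to rewrite the ACL is not theirs.
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $entries = @(
        @('BUILTIN\Administrators',  'FullControl'),
        @('NT AUTHORITY\SYSTEM',     'FullControl'),
        @("$Domain\$SamAccountName", 'Modify')   # Modify includes Delete but not Change Permissions
    )
    foreach ($e in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $e[0], $e[1], $inherit, $none, 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
    return $path
}

# Periodic check for Steve's "force permissions and ownership back" step:
# report (without changing) any home folder whose owner or explicit ACEs drifted.
function Test-HomeFolderAcl {
    param([Parameter(Mandatory)] [string] $HomeRoot, [string] $Domain = $env:USERDOMAIN)
    foreach ($dir in Get-ChildItem -Path $HomeRoot -Directory) {
        $acl = Get-Acl -Path $dir.FullName
        $expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$Domain\$($dir.Name)")
        $extra = @($acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -notin $expected })
        if ($acl.Owner -ne 'BUILTIN\Administrators' -or $extra.Count -gt 0) {
            [pscustomobject]@{ Folder = $dir.FullName; Owner = $acl.Owner; UnexpectedAces = $extra.Count }
        }
    }
}
```

Run `Test-HomeFolderAcl -HomeRoot H:\home1` from a scheduled task and feed the reported folders to whatever reset tool you already use (setacl or subinacl, as in the thread).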

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
> Sent: 27 May 2005 16:14
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
> 
> The best practice permissions for the ROOT SHARE (for home 
> directories, roaming profiles & folder redirection) are listed below.

> There is a lot of confusion about these perms, b/c there are 
> inconsistencies in MS doc.
> I've tested these to make sure they work and (as you'll see) they're 
> pretty well locked down.
> 
> The root share
> ==============
> ACL
> Users*:Allow:List Folder & Create Folders
> 
>       Inheritance: This folder only (**** THIS IS TRICKY AND IS NOT
> THE DEFAULT **** Set "Apply onto" to "THIS FOLDER ONLY")
> 
>       *Or another group that includes users who will have folders
> under this root
> 
> Creator Owner:Allow:Full
>       Inheritance: Subfolders & files only
> 
> System:Allow:Full
>       Inheritance: This folder, subfolders & files
> 
> Administrators: <depends>
>       Set based on Enterprise information security policy
> 
> Share
>       Hidden share name (sharename$)
>       Share permissions: Everyone:Allow:Full
> 
> ** Do not create individual user folders **
> 
> How folders are created
> =======================
> Home folders: created & perm'd automatically
> 
> Redirected folders: created, perm'd, user owner
> 
>       SUBINACL on Res Kit to change ownership if you must create
> folder in advance. (Be sure to download newest patched version of
> SubInACL from MS web site)
> 
> Profiles: created & perm'd automatically
> 
> 
> Hope this helps
> 
> Dan
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
> Sent: Friday, May 27, 2005 8:00 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
> 
> Yes, make sure that the top level home folder that your share is 
> pointing to does not have rights for those users to make changes.  
> They should only have rights at their individual folder.
> 
> For instance:
> 
> Share Level Perms
> \\server\home1 is your home folder share which has the following 
> perms:
>       Administrators - FC
>       Domain Users - C
> 
> NTFS Perms
> That folder maps to h:\home1 on your server.  Home1 should have the
> following:
>       Administrators - FC
> 
> There's a user folder under home1 that exists under home1 that maps to
> JohnDoe such as h:\home1\johndoe.
> 
> At the johndoe folder, you want to make sure the following permissions
> are set:
>       Administrators - FC
>       JohnDoe - Modify
> 
> 
> So now you can map the user's H: drive or whatever to 
> \\server\home1\johndoe.
> 
> Hope that helps...
> 
> :m:dsm:cci:mvp
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
> Sent: Friday, May 27, 2005 10:50 AM
> To: '[email protected]'
> Subject: RE: [ActiveDir] Home Directories
> 
> But it also allows them to create new folders under the top level Home
> share. Is there a way around that?
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
> Sent: Friday, May 27, 2005 10:40 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
> 
> Now that your share-level permissions are correct, you need to add the
> individual user to their respective home folder and grant modify 
> permissions (ntfs).  That should give them change access to their 
> files.
> 
> :m:dsm:cci:mvp
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
> Sent: Friday, May 27, 2005 9:04 AM
> To: '[email protected]'
> Subject: RE: [ActiveDir] Home Directories
> 
> 
> I appreciate all the feedback. I had to end up giving domain users 
> change access on the top level Home share folder.  (On both file and 
> share) I removed domain users from the individual home 
> directory/folders.  The problem I have with the solution is that won't
> users be able to create folders in the Home Folder? Is there a 
> solution to this?
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
> Sent: Friday, May 27, 2005 8:30 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
> 
> Sorry.  Please don't perceive my earlier post as disrespecting your 
> opinion.  Simply typing in brevity.  :)
> 
> At any rate, I read it as a user end permission error, not as a copy 
> process failure.
> 
> :m:dsm:cci:mvp
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, 
> Jose
> Sent: Thursday, May 26, 2005 6:34 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
> 
> No problem in disagreeing, as long as we can respect each other's
> opinions.
> 
> Granted Debbie did not give us a lot of details, but based on what
> Debbie wrote, it sounds like she is having trouble copying the files
> from the server, and if her users had full control enabled on the
> original NT 4 home directory, then in the middle of the move process
> she would probably have an access denied even though she is the admin.
> 
> By taking ownership of the files prior to her move this issue would be
> resolved. She also stated that the permissions are change (Change for
> end users is better than Full control in my opinion) and Debbie stated
> that she has moved some of the files and that leads me to believe that
> the permissions on the target server have at least write access at the
> Share and NTFS permission level.
> 
> I am also sure that Debbie was at least smart enough to verify the
> share level and file permissions on the new target server prior to
> posting on this list, however I doubt if she went through all the
> files on the source server to verify that none of them had full
> control as an ACL for the user account in question.
> 
> The other issue that she may be experiencing is that if the files are
> currently in use then they will be locked, also stopping the move
> process from occurring.
> 
> Well that's my two cents,
> 
> Jose
> 
> ------------------------------------------------------
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of 
> [EMAIL PROTECTED]
> Sent: Thursday, May 26, 2005 3:05 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
> 
> 
> I disagree.  Taking ownership isn't going to fix the permissions 
> issues for the user at the opposite end.  I'm leaning towards a 
> share-level permission problem, since 2003 by default sets shares at 
> Everyone:Read while NT was Everyone:Full Control.
>  
> :m:dsm:cci:mvp
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, 
> Jose
> Sent: Thursday, May 26, 2005 4:00 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>  
> Hi Debbie,
>  
> This sounds like you need to take ownership of all the files in each 
> home directory before moving the data.
>  
> Jose
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Ellis, Debbie
> Sent: Thursday, May 26, 2005 12:45 PM
> To: '[email protected]'
> Subject: [ActiveDir] Home Directories
> 
> We are in the process of moving our users' home directories from NT
> server to 2003 server.  We have moved some and have run into a
> problem.
> The users are unable to delete or add but the effective permissions
> are change access.  Has anyone run into this issue?
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 