This is correct. It appears to have changed since NT. I found this out by checking permissions when I was troubleshooting a problem with home directories. You go to the security tab then choose advanced then highlight the account and choose edit. It will detail the permissions in effect. The effective permissions tab is very good too, because it allows you to see the impact of all group memberships and the impact on permissions.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dryden, Karen
Sent: Tuesday, May 31, 2005 6:47 PM
To: [email protected]
Subject: RE: [ActiveDir] Home Directories

Modify rights doesn't give them the ability to delete files/folders. You have to go to the Advanced tab on permissions and edit their rights and check the box to enable them to delete their own home drive files/folders.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Tuesday, May 31, 2005 5:10 AM
To: [email protected]
Subject: RE: [ActiveDir] Home Directories

The trouble is that Microsoft's idea of "locked down" and my idea of "locked down" don't match...

I work in a college (and I think Debbie works in a similar environment) and there's no way I'd give users full control over even their own folders - the most they get is "modify" on everything in their user area. (Giving full allows them to change permissions - most will do this accidentally and manage to remove themselves from the list or they will give access to other users. In a work environment this may be a good thing - it allows users to share work on an ad-hoc basis. For students, it's typically a way to move "pirate" material around...)

There's also a problem in that if users can create folders in the root share then they will - again, some will do this accidentally and lose work in that way; others will do it maliciously.
Whichever, when you have 14,000 folders to worry about you don't want odd ones sneaking in :-)

The downside of this is that you can't then have the folder created by the redirection process as the user logs on; no big deal - we script the user creation so we also create the home folder with the permissions we want (admins, system - full; user - modify).

On a regular basis we also force the permissions and ownership back to what they should be - I've found setacl (http://setacl.sourceforge.net) to be easier to use for this than subinacl.

Steve

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
> Sent: 27 May 2005 16:14
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>
> The best practice permissions for the ROOT SHARE (for home
> directories, roaming profiles & folder redirection) are
> listed below. There is a lot of confusion about these perms,
> b/c there are inconsistencies in MS doc.
> I've tested these to make sure they work and (as you'll see)
> they're pretty well locked down.
>
> The root share
> ==============
> ACL
> Users*:Allow:List Folder & Create Folders
>
> Inheritance: This folder only (**** THIS IS TRICKY AND
> IS NOT THE DEFAULT **** Set "Apply onto" to "THIS FOLDER ONLY")
>
> *Or another group that includes users who will have
> folders under this root
>
> Creator Owner:Allow:Full
> Inheritance: Subfolders & files only
>
> System:Allow:Full
> Inheritance: This folder, subfolders & files
>
> Administrators: <depends>
> Set based on Enterprise information security policy
>
> Share
> Hidden share name (sharename$)
> Share permissions: Everyone:Allow:Full
>
> ** Do not create individual user folders **
>
> How folders are created
> =======================
> Home folders: created & perm'd automatically
>
> Redirected folders: created, perm'd, user owner
>
> SUBINACL on Res Kit to change ownership if you must
> create folder in advance.
> (Be sure to download newest patched
> version of SubInACL from MS web site)
>
> Profiles: created & perm'd automatically
>
> Hope this helps
>
> Dan
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, May 27, 2005 8:00 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>
> Yes, make sure that the top level home folder that your share
> is pointing to does not have rights for those users to make
> changes. They should only have rights at their individual folder.
>
> For instance:
>
> Share Level Perms
> \\server\home1 is your home folder share which has the
> following perms:
> Administrators - FC
> Domain Users - C
>
> NTFS Perms
> That folder maps to h:\home1 on your server. Home1 should have the
> following:
> Administrators - FC
>
> There's a user folder under home1 that exists under home1
> that maps to JohnDoe such as h:\home1\johndoe.
>
> At the johndoe folder, you want to make sure the following
> permissions are set:
> Administrators - FC
> JohnDoe - Modify
>
> So now you can map the user's H: drive or whatever to
> \\server\home1\johndoe.
>
> Hope that helps...
>
> :m:dsm:cci:mvp
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
> Sent: Friday, May 27, 2005 10:50 AM
> To: '[email protected]'
> Subject: RE: [ActiveDir] Home Directories
>
> But it also allows them to create new folders under the top
> level Home share. Is there a way around that?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, May 27, 2005 10:40 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>
> Now that your share-level permissions are correct, you need
> to add the individual user to their respective home folder
> and grant modify permissions (ntfs). That should give them
> change access to their files.
>
> :m:dsm:cci:mvp
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
> Sent: Friday, May 27, 2005 9:04 AM
> To: '[email protected]'
> Subject: RE: [ActiveDir] Home Directories
>
> I appreciate all the feedback. I had to end up giving domain
> users change access on the top level Home share folder. (On
> both file and share) I removed domain users from the
> individual home directory/folders. The problem I have with
> the solution is that won't users be able to create folders in
> the Home Folder? Is there a solution to this?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, May 27, 2005 8:30 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>
> Sorry. Please don't perceive my earlier post as
> disrespecting your opinion. Simply typing in brevity. :)
>
> At any rate, I read it as a user end permission error, not as
> a copy process failure.
>
> :m:dsm:cci:mvp
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Medeiros, Jose
> Sent: Thursday, May 26, 2005 6:34 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>
> No problem in disagreeing, as long as we can respect each
> other's opinions.
>
> Granted Debbie did not give us a lot of details, but based
> on what Debbie wrote, it sounds like she is having trouble
> copying the files from the server, and if her users had full
> control enabled on the original NT 4 home directory, then in
> the middle of the move process she would probably have an
> access denied even though she is the admin.
>
> By taking ownership of the files prior to her move this issue
> would be resolved.
> She also stated that the permissions are
> change (Change for end users is better than Full control in
> my opinion) and Debbie stated that she has moved some of the
> files and that leads me to believe that the permissions on
> the target server have at least write access at the Share and
> NTFS permission level.
>
> I am also sure that Debbie was at least smart enough to
> verify the share level and file permissions on the new target
> server prior to posting on this list, however I doubt if she
> went through all the files on the source server to verify
> that none of them had full control as an ACL for the user
> account in question.
>
> The other issue that she may be experiencing is that if the
> files are currently in use then they will be locked, also
> stopping the move process from occurring.
>
> Well that's my two cents,
>
> Jose
>
> ------------------------------------------------------
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Thursday, May 26, 2005 3:05 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>
> I disagree. Taking ownership isn't going to fix the
> permissions issues for the user at the opposite end. I'm
> leaning towards a share-level permission problem, since 2003
> by default sets shares at Everyone:Read while NT was
> Everyone:Full Control.
>
> :m:dsm:cci:mvp
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Medeiros, Jose
> Sent: Thursday, May 26, 2005 4:00 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Home Directories
>
> Hi Debbie,
>
> This sounds like you need to take ownership of all the files
> in each home directory before moving the data.
>
> Jose
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Ellis, Debbie
> Sent: Thursday, May 26, 2005 12:45 PM
> To: '[email protected]'
> Subject: [ActiveDir] Home Directories
>
> We are in the process of moving our users' home directories
> from NT server to 2003 server. We have moved some and have
> run into a problem.
> The users are unable to delete or add but the effective
> permissions is change access. Has anyone run into this issue?
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
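
The root-share ACL listed in Dan Holme's message above, scripted as an added example (not code from any poster in the thread). It uses `icacls` and `New-SmbShare` rather than the SetACL and SubInACL tools the thread names; the path, share name and group are placeholders, and Full for Administrators is an assumption because the thread leaves that ACE to local policy.

```powershell
# Added example: placeholders below are assumptions, not values from the thread.
$Root      = 'D:\Home'               # local path behind the root share
$ShareName = 'Home$'                 # trailing $ makes the share hidden
$UserGroup = 'EXAMPLE\Domain Users'  # group whose members get folders under the root

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Grant the explicit ACEs first so the folder is never left without an ACL.
# /grant:r replaces earlier explicit ACEs for the named principal only;
# explicit ACEs for other principals are left in place and need a separate review.

# Users: List Folder + Create Folders. No (OI)/(CI) flags = "This folder only".
icacls $Root /grant:r "${UserGroup}:(RD,AD)"
# CREATOR OWNER (S-1-3-0): Full, (OI)(CI)(IO) = "Subfolders and files only".
icacls $Root /grant:r '*S-1-3-0:(OI)(CI)(IO)F'
# SYSTEM (S-1-5-18): Full, (OI)(CI) = "This folder, subfolders and files".
icacls $Root /grant:r '*S-1-5-18:(OI)(CI)F'
# BUILTIN\Administrators (S-1-5-32-544): Full is an assumption, set per policy.
icacls $Root /grant:r '*S-1-5-32-544:(OI)(CI)F'
# Remove every ACE inherited from the parent folder or volume root.
icacls $Root /inheritance:r

# Hidden share with Everyone:Full; NTFS permissions do the real restriction.
New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Everyone' | Out-Null

# Check the setting the thread calls tricky: the user ACE must not inherit.
$userAces = (Get-Acl -Path $Root).Access | Where-Object {
    $_.IdentityReference.Value -eq $UserGroup -and -not $_.IsInherited
}
if (-not $userAces) {
    throw "No explicit ACE for $UserGroup on $Root"
}
$inheriting = $userAces | Where-Object { $_.InheritanceFlags -ne 'None' }
if ($inheriting) {
    throw "$UserGroup ACE on $Root propagates to child objects; expected 'This folder only'"
}

# Print the resulting ACL for a manual comparison with the list in the thread.
icacls $Root
```

If the user ACE carried `(OI)(CI)`, every member of the group would receive the same rights inside every other user's folder, which is why the check throws instead of warning.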
