I'm not sure if it's feasible to prevent a directory owner from fiddling with the DACL (although I'll try a few things tomorrow)... one possible solution to the "oversharing students" could be a containing folder for each user, which the user does *not* own and which other students cannot traverse, and within that, the actual home directory owned by the user. Definitely agree that breaking inheritance is a big management headache, though not sure what dependence on 2008+ you have in mind? AFAIK the creator-owner SID goes back a long ways.
--Steve

On Mon, Mar 12, 2012 at 11:30 PM, Brian Desmond <[email protected]> wrote:
> Why are you breaking inherited permissions? That is a management nightmare.
>
> I don't recall what ADUC sets, but, if you're on 2008+ file servers, you
> might be able to solve your problem with Owner rights at the top level. That
> will depend on not breaking inherited permissions though.
>
> Thanks,
> Brian Desmond
> [email protected]
>
> w - 312.625.1438 | c - 312.731.3132
>
> -----Original Message-----
> From: Matthew W. Ross [mailto:[email protected]]
> Sent: Friday, March 09, 2012 1:39 PM
> To: NT System Admin Issues
> Subject: RE: (homedrive)
>
> We find that the default permissions created by Windows when you populate the
> Profile Tab to be... less than optimal in our case.
>
> We have students who get "Full Control" of their folders. Thus, they will
> grant permissions to other students read and/or write access, so they can
> copy their work. It's a 21st century version of "looking at somebody else's
> answers on the test".
>
> To fix this, I have created a script that sets the permissions for the
> folders. It breaks inherent permissions, and applies the permissions I want.
> The users end up with Read, Write, Execute.
>
> I will on occasion repeat something when issues with permissions arise:
> "Permissions are Evil. But they are a necessary Evil." This is especially
> true in [Linux|unix].
>
>
> --Matt Ross
> Ephrata School District
>
>
> ----- Original Message -----
> From: David Lum [mailto:[email protected]]
> To: NT System Admin Issues [mailto:[email protected]]
> Sent: Fri, 09 Mar 2012 11:24:45 -0800
> Subject: RE: (homedrive)
>
>
>> That explains things, I never knew it would auto-create the folder and
>> perms! So glad I asked...one more thing I just got more efficient at.
>>
>> Dave
>>
>> From: Heaton, Joseph@DFG [mailto:[email protected]]
>> Sent: Friday, March 09, 2012 10:07 AM
>> To: NT System Admin Issues
>> Subject: RE: (homedrive)
>>
>> We simply populate the Profile Tab, and allow Windows to create the
>> actual folder w/ appropriate rights.
>>
>> Joe Heaton
>> ITB - Windows Server Support
>>
>> From: David Lum [mailto:[email protected]]
>> Sent: Friday, March 09, 2012 9:18 AM
>> To: Heaton, Joseph@DFG; NT System Admin Issues
>> Subject: H: (homedrive)
>>
>> Do you guys create individual shares for each user, or do something
>> different?
>> David Lum
>> Systems Engineer // NWEATM
>> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>>
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to [email protected]
>> with the body: unsubscribe ntsysadmin
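Added example, not part of the original thread: the "Owner rights at the top level" idea from Brian's reply, as a PowerShell sketch that leaves inheritance intact and then reports the home folders where it cannot take effect. OWNER RIGHTS is the well-known SID S-1-3-4 (present from Windows Vista / Server 2008); the path `D:\Home` and the list of trusted SIDs are assumptions.

```powershell
# Added example. $root is a hypothetical path; run elevated on the file server.
$root = 'D:\Home'
$fsr  = [System.Security.AccessControl.FileSystemRights]

# 1. One inheritable ACE at the top level: OWNER RIGHTS (S-1-3-4) = Modify.
#    Modify carries no WRITE_DAC, and when an OWNER RIGHTS ACE applies, the
#    owner no longer gets the implicit READ_CONTROL / WRITE_DAC.
$ownerRights = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ownerRights, $fsr::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,  # children only, not $root
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $root
$acl.AddAccessRule($ace)
Set-Acl -Path $root -AclObject $acl

# 2. Report folders where the ACE cannot help: inheritance was broken, or
#    another ACE still gives a non-admin the right to rewrite the DACL.
$trusted = 'S-1-5-18', 'S-1-5-32-544'             # SYSTEM, BUILTIN\Administrators (add your admin groups)
$mask    = 0x40000 -bor 0x80000 -bor 0x10000000   # WRITE_DAC, WRITE_OWNER, GENERIC_ALL
Get-ChildItem -Path $root -Directory | ForEach-Object {
    $a     = Get-Acl -Path $_.FullName
    $rules = $a.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $risky = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $mask)
    }
    [pscustomobject]@{
        Folder            = $_.FullName
        Owner             = $a.Owner
        InheritanceBroken = $a.AreAccessRulesProtected
        OwnerRightsAce    = [bool]($rules | Where-Object { $_.IdentityReference.Value -eq 'S-1-3-4' })
        CanChangeDacl     = @($risky | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    }
} | Format-Table -AutoSize
```

A folder that lists the student's own SID under `CanChangeDacl` (for example from an explicit Full Control ACE) still lets that student edit permissions regardless of the OWNER RIGHTS entry, so that ACE has to be reduced as well.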
