I would want to confirm that because I'm not sure that's accurate.

Thanks,
Brian Desmond
[email protected]

w - 312.625.1438 | c - 312.731.3132

-----Original Message-----
From: Steve Kradel [mailto:[email protected]]
Sent: Tuesday, March 13, 2012 8:52 AM
To: NT System Admin Issues
Subject: Re: (homedrive)

Brian, I understand what you mean, but if you own a file, you can do to it what you like, DACL-wise -- I don't believe the deny-write-DACL ACE is even checked for the owner. Enclosing each home folder in one where the user is not the ACL O:wner seems like the way to go for preventing owner-facilitated traversal...

--Steve

On Tue, Mar 13, 2012 at 2:33 AM, Brian Desmond <[email protected]> wrote:
> With Owner Rights, you fork the Owner from Creator, so you could put a Deny
> Write DAC to the Owner.
>
> Thanks,
> Brian Desmond
> [email protected]
>
> w - 312.625.1438 | c - 312.731.3132
>
> -----Original Message-----
> From: Steve Kradel [mailto:[email protected]]
> Sent: Monday, March 12, 2012 10:11 PM
> To: NT System Admin Issues
> Subject: Re: (homedrive)
>
> I'm not sure if it's feasible to prevent a directory owner from fiddling with
> the DACL (although I'll try a few things tomorrow)...
> one possible solution to the "oversharing students" could be a containing
> folder for each user, which the user does *not* own and which other students
> cannot traverse, and within that, the actual home directory owned by the
> user. Definitely agree that breaking inheritance is a big management
> headache, though not sure what dependence on 2008+ you have in mind? AFAIK
> the creator-owner SID goes back a long ways.
>
> --Steve
>
> On Mon, Mar 12, 2012 at 11:30 PM, Brian Desmond <[email protected]>
> wrote:
>> Why are you breaking inherited permissions? That is a management nightmare.
>>
>> I don't recall what ADUC sets, but, if you're on 2008+ file servers, you
>> might be able to solve your problem with Owner rights at the top level. That
>> will depend on not breaking inherited permissions though.
>>
>> Thanks,
>> Brian Desmond
>> [email protected]
>>
>> w - 312.625.1438 | c - 312.731.3132
>>
>> -----Original Message-----
>> From: Matthew W. Ross [mailto:[email protected]]
>> Sent: Friday, March 09, 2012 1:39 PM
>> To: NT System Admin Issues
>> Subject: RE: (homedrive)
>>
>> We find the default permissions created by Windows when you populate
>> the Profile Tab to be... less than optimal in our case.
>>
>> We have students who get "Full Control" of their folders. Thus, they will
>> grant permissions to other students, read and/or write access, so they can
>> copy their work. It's a 21st century version of "looking at somebody else's
>> answers on the test".
>>
>> To fix this, I have created a script that sets the permissions for the
>> folders. It breaks inherent permissions, and applies the permissions I want.
>> The users end up with Read, Write, Execute.
>>
>> I will on occasion repeat something when issues with permissions arise:
>> "Permissions are Evil. But they are a necessary Evil." This is especially
>> true in [Linux|unix].
>>
>>
>> --Matt Ross
>> Ephrata School District
>>
>>
>> ----- Original Message -----
>> From: David Lum [mailto:[email protected]]
>> To: NT System Admin Issues [mailto:[email protected]]
>> Sent: Fri, 09 Mar 2012 11:24:45 -0800
>> Subject: RE: (homedrive)
>>
>>
>>> That explains things, I never knew it would auto-create the folder
>>> and perms! So glad I asked...one more thing I just got more efficient at.
>>>
>>> Dave
>>>
>>> From: Heaton, Joseph@DFG [mailto:[email protected]]
>>> Sent: Friday, March 09, 2012 10:07 AM
>>> To: NT System Admin Issues
>>> Subject: RE: (homedrive)
>>>
>>> We simply populate the Profile Tab, and allow Windows to create the
>>> actual folder w/ appropriate rights.
>>>
>>> Joe Heaton
>>> ITB - Windows Server Support
>>>
>>> From: David Lum [mailto:[email protected]]
>>> Sent: Friday, March 09, 2012 9:18 AM
>>> To: Heaton, Joseph@DFG; NT System Admin Issues
>>> Subject: H: (homedrive)
>>>
>>> Do you guys create individual shares for each user, or do something
>>> different?
>>>
>>> David Lum
>>> Systems Engineer // NWEATM
>>> Office 503.548.5229 // Cell (voice/text) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
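The approach Brian suggests (OWNER RIGHTS at the top of the home share, inheritance left intact) as a worked example. This is added here and is not code from any poster in the thread, nor Matt's per-folder script. It assumes a local root such as D:\Home on a Windows Server 2008 or later file server, accounts written as DOMAIN\sam (CONTOSO\student1 is a made-up name), and an elevated session; the function names Initialize-HomeRoot, New-StudentHome and Test-StudentHome are my own. The point it illustrates is the one the thread circles around: a plain deny ACE does not stop an owner from rewriting the DACL, because the owner's READ_CONTROL and WRITE_DAC are granted implicitly before the DACL is consulted, but once an OWNER RIGHTS (S-1-3-4) ACE applies to the object, those implicit rights are replaced by whatever that ACE grants.

```powershell
# Added example, not from the thread. Assumptions: run elevated on the file server, $HomeRoot is a
# local path (e.g. D:\Home) that is shared as the home share, accounts are DOMAIN\sam.
# OWNER RIGHTS (S-1-3-4) exists on Windows Vista / Server 2008 and later only.

function Initialize-HomeRoot {
    param([Parameter(Mandatory)][string]$HomeRoot)

    if (-not (Test-Path -LiteralPath $HomeRoot)) {
        New-Item -ItemType Directory -Path $HomeRoot | Out-Null
    }

    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $readX   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $list    = [System.Security.AccessControl.FileSystemRights]::ListDirectory
    $subtree = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $here    = [System.Security.AccessControl.InheritanceFlags]::None
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $admins      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
    $system      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # NT AUTHORITY\SYSTEM
    $authUsers   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'      # Authenticated Users
    $ownerRights = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4'       # OWNER RIGHTS

    $acl = Get-Acl -LiteralPath $HomeRoot
    # Break inheritance once, at the root only, and start from an empty DACL so the volume's
    # default "CREATOR OWNER: Full Control" ACE is not inherited. Everything below keeps inheriting.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($admins,    $full,  $subtree, $prop, $allow)))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($system,    $full,  $subtree, $prop, $allow)))
    # Users may only list the root (this folder only) so they can browse to their own folder.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($authUsers, $list,  $here,    $prop, $allow)))
    # The ACE that does the work: when an OWNER RIGHTS ACE applies to an object, the owner's implicit
    # READ_CONTROL + WRITE_DAC are replaced by what this ACE grants. ReadAndExecute includes
    # Read Permissions but not Change Permissions, so owning a folder or file no longer lets a
    # student edit its DACL and share it with a classmate.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($ownerRights, $readX, $subtree, $prop, $allow)))
    Set-Acl -LiteralPath $HomeRoot -AclObject $acl
}

function New-StudentHome {
    param([Parameter(Mandatory)][string]$HomeRoot,
          [Parameter(Mandatory)][string]$Account)   # e.g. 'CONTOSO\student1' (made-up account)

    $path = Join-Path $HomeRoot (($Account -split '\\')[-1])
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    $user    = New-Object System.Security.Principal.NTAccount($Account)
    $modify  = [System.Security.AccessControl.FileSystemRights]::Modify   # no Change Permissions / Take Ownership
    $subtree = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # Inheritance is left intact: the root's OWNER RIGHTS ACE flows onto this folder and onto
    # every file the student creates inside it. Only one explicit ACE is added per user.
    $acl = Get-Acl -LiteralPath $path
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($user, $modify, $subtree, $prop, $allow)))
    $acl.SetOwner($user)   # the student still owns the folder, as the ADUC Profile tab would set it
    Set-Acl -LiteralPath $path -AclObject $acl
}

function Test-StudentHome {
    # $true when the folder carries an OWNER RIGHTS allow ACE without Change Permissions /
    # Take Ownership, and no allow ACE grants those rights to the current owner directly.
    param([Parameter(Mandatory)][string]$Path)
    $acl       = Get-Acl -LiteralPath $Path
    $owner     = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    $dangerous = [int][System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
    $hasOwnerRights = $false
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $grants = (([int]$ace.FileSystemRights) -band $dangerous) -ne 0
        if ($ace.IdentityReference.Value -eq 'S-1-3-4') {
            if ($grants) { return $false }
            $hasOwnerRights = $true
        } elseif ($ace.IdentityReference -eq $owner -and $grants) {
            return $false
        }
    }
    return $hasOwnerRights
}

# Usage (paths and account are made up):
# Initialize-HomeRoot -HomeRoot 'D:\Home'
# New-StudentHome     -HomeRoot 'D:\Home' -Account 'CONTOSO\student1'
# Test-StudentHome    -Path 'D:\Home\student1'
```

Two caveats a practitioner would check. First, the root ACE only reaches folders that still inherit; a home folder whose inheritance was already broken by a per-folder script (as Matt describes) will not pick it up until inheritance is re-enabled there, for example with `icacls <folder> /inheritance:e`, after which the explicit entries granting the student Full Control should be removed. Second, `icacls` on a student folder should show an inherited OWNER RIGHTS entry; if `Test-StudentHome` returns `$false`, look for an explicit Full Control or CREATOR OWNER entry that slipped in from a template or from the Profile tab auto-creation.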
