
homefolders, profiles and user rights


  • homefolders, profiles and user rights

    Hmm, so I got some problems with user rights.

    I want my users to use a roaming profile and a home folder located on a fileserver.
    Firstly, I'm just starting out with win2003.

    Plan of action
    - create 2 folders on the server (homes and profiles)
    - share these folders
    - share permissions for these folders set to: change
    - NTFS permission: nothing changed
    - do the needed changes in the profile tab of the users profile, this all works.

    The testing
    I log on with a user, e.g. named IT1.
    All goes well, a roaming profile is automatically created in profiles and a homefolder in homes.

    The problem
    Now when I look on the server.
    First I want to check what IT1 has in his profile folder, so he doesn't have things that are not allowed. So I click on IT1 in profiles. Access Denied. So I get this error, however I do have Full control NTFS permission on the profiles folder. The only way I can see the content is by taking ownership, but then IT1 can't log on anymore because I took the ownership. So that is problem1.

    Problem2 is something with the home folders.
    When there are more users IT1, IT2, IT3... there seems to be a security problem.
    The problem is that IT2 can map the network home folder of IT1 and can read/write stuff in there. This is probably an NTFS permission, right?

    I hope someone can help solving my problem.

    Regards

  • #2
    Re: homefolders, profiles and user rights

    Check NTFS security requirements and recommendations from MS:


    http://technet2.microsoft.com/Window....mspx?mfr=true


    regards,

    ariel



    • #3
      Re: homefolders, profiles and user rights

      Originally posted by spoofer:
      > The problem
      > Now when I look on the server.
      > First I want to check what IT1 has in his profile folder, so he doesn't have things that are not allowed. So I click on IT1 in profiles. Access Denied. So I get this error, however I do have Full control NTFS permission on the profiles folder. The only way I can see the content is by taking ownership, but then IT1 can't log on anymore because I took the ownership. So that is problem1.

      The problem is that the child folder that is created doesn't give permissions to the admin group. There's a GPO setting that will give the admin group permissions to the profile. (see pic)

      > This is probably an NTFS permission, right?

      Yes. Check the NTFS permissions and set accordingly.
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com



      • #4
        Re: homefolders, profiles and user rights

        Thanx Jeremy, you helped me quite a lot.
        The problem that I'm facing now is that the policy seems to be applying only to new roaming profiles. So I still get access denied on the ones that were already in the profiles folder.

        I already did gpupdate /force on the server, workstation... nothing.
        Is this fixable?

        Regarding the home folders.
        Do I have to delete the users group on every individual home folder or...?

        Thanx in advance



        • #5
          Re: homefolders, profiles and user rights

          If you look in the pic I posted you'll notice that I circled some text...
          Note: If the setting is enabled after the profile is created, the setting has no effect.
          You'll have to recreate their profiles.
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com



          • #6
            Re: homefolders, profiles and user rights

            Oh sorry, I overlooked that.

            Any idea regarding the homefolder restriction?

            PS: If I don't want users to see the systemdrive, is this configurable with GPO? Where do I need to look for that?



            • #7
              Re: homefolders, profiles and user rights

              Did you check the NTFS permission on the homefolders?

              Regarding the systemdrive restriction:
              You can hide the My Computer icon from users, but this won't stop savvy computer users. But if the users use the browsing technique only, then it may be an effective means.

              The problem is that the users need access to the system drive. There's no way, that I know of, around that.

              BTW - Unless you have a legacy application that uses homefolders, I don't think there's any reason to use them.

              If you're looking to have the users always save their files to a file server, then I suggest you look into Folder Redirection and have them save things in the My Documents folder (seeing as how this is the default for most programs).
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com



              • #8
                Re: homefolders, profiles and user rights

                Regarding the home folder permission:
                I deleted the users group on the home folder.
                Now it seems to work, so users can't map other users' homefolders.
                Is this the correct way to do this?

                I don't want users to browse in the c:\ dir, deleting system files etc.,
                only view their home folder.

                thanx



                • #9
                  Re: homefolders, profiles and user rights

                  Originally posted by spoofer:
                  > Regarding the home folder permission:
                  > I deleted the users group on the home folder.
                  > Now it seems to work, so users can't map other users' homefolders.
                  > Is this the correct way to do this?

                  IIRC, yes. But I could be wrong on this because I don't use homefolders.

                  > I don't want users to browse in the c:\ dir, deleting system files etc.,
                  > only view their home folder.

                  If they just have user level accounts then you should have no worries about them deleting and accessing stuff they shouldn't.
                  If these are admins then you should probably look into the concept of Least Privileges.

                  Here are some links:
                  Least Privilege
                  Delegation of Control
                  Regards,
                  Jeremy

                  Network Consultant/Engineer
                  Baltimore - Washington area and beyond
                  www.gma-cpa.com
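
The home folder check discussed in posts #7 to #9, as an added example that is not part of the original thread: a PowerShell audit that lists every Allow entry on a per-user home folder belonging to someone other than that user, Administrators or SYSTEM. The path `D:\homes`, the domain name `EXAMPLE` and the rule that each folder is named after its user's logon name are assumptions.

```powershell
# Added example (not from the thread): list ACL entries on per-user home
# folders that grant access to anyone other than the folder's own user,
# Administrators or SYSTEM.
param(
    [string]$HomesRoot = 'D:\homes',   # assumption: placeholder path of the "homes" folder
    [string]$Domain    = 'EXAMPLE'     # assumption: placeholder NetBIOS domain name
)

# Principals expected on every home folder (English names; localized
# Windows versions use different names). CREATOR OWNER only applies to
# whoever creates an object, so it is not treated as a finding here.
$expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

$findings = Get-ChildItem -Path $HomesRoot |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $folder = $_
        # Assumption: each home folder is named after the user's logon name.
        $user = "$Domain\$($folder.Name)"
        $acl  = Get-Acl -Path $folder.FullName

        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($expected -contains $id) -or ($id -eq $user)) { continue }

            # Anything left is an Allow entry for another principal, e.g.
            # BUILTIN\Users inherited from the parent "homes" folder.
            New-Object PSObject -Property @{
                Folder    = $folder.FullName
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

$findings | Sort-Object Folder, Identity |
    Format-Table Folder, Identity, Rights, Inherited -AutoSize
```

Entries reported with `Inherited` set to `True` come from the parent folder, so they are changed there (or by blocking inheritance) rather than on each home folder individually.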
