Posted by Anthony on October 24, 2007, 12:12 pm
Hi Rickard,
I _think_ it will work to change the "Read Attributes" to "Traverse" but it
is a while since I tested it.
You can also use Home$ to deter casual browsing.
Finally, Windows up to R2 is relaxed about users being able to see folders
they don't have access to, but R2 provides ABE if you want to explicitly
prevent it.
Hope that helps.
Anthony, http://www.airdesk.co.uk
> I've been searching for the correct permissions to put on a shared
> folder that contains user home directories in our server2003/xp
> environment. We also do folder redirection of Application Data into
> the home directory via a domain level group policy.
>
>
> http://technet2.microsoft.com/windowsserver/en/library/a1b7ce04-708b-4145-830a-cadfc003acd31033.mspx?mfr=true
>
> The above article contains a table under "NTFS permissions required
> for the root folder" that lists suggested permissions for the root
> folder into which you do folder redirection, but that's not quite what
> we have. We have a folder containing home directories and then
> Application Data is redirected into the home directory. In other
> words, home directories are located in \srvxxx\home and Application
> Data is redirected into \srvxxx\home\%username%\Application Data.
> We're curious about which permissions to set on the root folder in
> which we store home directories. Currently, we have the following
> permissions set on \srvxxx\home:
>
> Share permissions - Everyone - Full control
>
> Creator/owner - Full Control - This folder, subfolders, and files
> Administrators - Full Control - This folder, subfolders, and files
> System - Full Control - This folder, subfolders, and files
> Authenticated Users - List Folder/Read Data, Create Folders/Append
> Data - This folder only
>
> This almost works the way we want it. The home directory is created
> automatically and virtually all interaction with the home directory as
> well as the redirected application data folder (inside the home dir)
> works. The directory is also mapped to H: according to what we specify
> in the user properties in Active Directory. However, whenever we try
> to launch Office on a client, we get an error (1324) stating that
> "Application Data" contains an illegal character. After many hours of
> trial and error, I have been able to determine that in order for
> Office to start up properly, we need to add the "Read Attributes"
> permission to the root home directory (\srvxxx\home). If we do, then
> Office works like a charm. However, with "Read Attributes" enabled,
> users are able to list the folder contents of \srvxxx\home and we
> definitely don't want that. Remove "Read Attributes" and they get a
> permission error (good), but then Office breaks.
>
> Can anyone point me in the right direction regarding this permission
> soup? Everywhere I look, people recommend different settings. This is
> driving me crazy!
>
> Cheers,
> Rickard
>