
NTFS Permissions


Firebird78


Hello.

I hope this is the right forum.

I have a problem, and I would like to ask your help with it.

I'll try my best to explain the situation. Feel free to ask if you need me to elaborate on something.

The situation is, that all the users have their own personal folders on a server. There is a folder, called "home", which contains all the personal folders, and is shared as home$. In the logon script, all the users get their own folder mapped to a drive-letter, using the syntax: \\server\home$\<username>

Now, of course, on the folder for each user, it is set so that only the specific user, the service account for the backup system, and the domain administrator account has access to the folder.

By default, the user has modify rights to their own folder - goes without saying. But we also want to prevent users from messing with the NTFS Permissions on their personal folder, so we have set a deny entry for the user on "Change Permissions" and "Take Ownership". Which works fine... until the user creates a new folder, because logically the user will be owner of the folders they create themselves, thus having "Full control" of these folders. This has in the past caused problems when users for some reason have decided that svc_backup shouldn't have read access to their files!

Does anyone have any ideas of how to get around this problem?

Thanks in advance.

Edit:

Oh, and by the way, said server is running Windows Server 2008 Standard.

Edited by Firebird78


If users only have modify they shouldn't be able to change permissions, as you need full control for this. As rights are inherited from the parent, the newly created folders will also get the right rights, unless you didn't remove the account "CREATOR OWNER" from the accounts with full control.


If users only have modify they shouldn't be able to change permissions, as you need full control for this. As rights are inherited from the parent, the newly created folders will also get the right rights, unless you didn't remove the account "CREATOR OWNER" from the accounts with full control.

Can you be so kind as to elaborate a bit on this, please?

I tried to make a test-share, on which I set a Deny on "CREATOR OWNER", denying Change Permissions and Take Ownership, and set these to inherit down. However, I then connected to the share using a testuser, and then created a new folder. What then puzzles me is that the test user had the ability to "Change Permissions" on the folder they just created.

What am I doing wrong here?

Thanks for your patience.


The special account "creator owner" appeared with XP if I remember correctly. If it has rights on a folder (the default), any folder you create will get the rights, and this will change the real rights because "creator owner" will be replaced by the creator/owner of the file or folder. So the right thing to do on your users' homedir folder is to cut inherited rights and remove all default security except administrators, system, and your backup account (sometimes not needed, as it might already be in administrators). Those ones must have full control. Then add the user on this folder with only the "change" rights. Apply this to all the subfolders once. Then every new folder created by the user will inherit the change right and won't get any more, so he won't be able to change rights.

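Added example, not code from the thread: a PowerShell script that applies the layout the reply above describes (break inheritance, keep only SYSTEM, Administrators and the backup account at Full Control, the user at Modify, no CREATOR OWNER, pushed once onto existing subfolders) and then audits the result. It goes one step beyond the reply: Windows gives an object's owner implicit permission to read and change its DACL, which is what the test with the CREATOR OWNER deny ran into, so the script also adds an OWNER RIGHTS ACE (Server 2008 and later) to cap the owner at Modify on folders the user creates and therefore owns. The folder, domain and account names (D:\home\jdoe, CONTOSO\jdoe, CONTOSO\svc_backup) are constructed.

```powershell
# Added example, not from the thread. Constructed names: D:\home\jdoe, CONTOSO\jdoe, CONTOSO\svc_backup.
$Rights  = [System.Security.AccessControl.FileSystemRights]
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function New-Ace($Identity, [System.Security.AccessControl.FileSystemRights]$Access) {
    # Allow ACE that flows down to subfolders and files; $Identity is an account name or a SecurityIdentifier
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Access, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None, [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-HomeFolderAcl([string]$Path, [string]$User, [string[]]$FullControl) {
    $acl = Get-Acl -Path $Path
    # Stop inheriting from \home and discard the inherited ACEs; this is what gets rid of CREATOR OWNER
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($ace) }
    foreach ($id in $FullControl) { $acl.AddAccessRule((New-Ace $id 'FullControl')) }
    # The user gets Modify only: no ChangePermissions (WRITE_DAC), no TakeOwnership (WRITE_OWNER)
    $acl.AddAccessRule((New-Ace $User 'Modify'))
    # Windows grants an owner implicit READ_CONTROL and WRITE_DAC unless an OWNER RIGHTS ACE (well-known
    # SID S-1-3-4, Server 2008 and later) caps them; cap at Modify so owning a new folder gives no ACL edit right
    $acl.AddAccessRule((New-Ace (New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-4') 'Modify'))
    Set-Acl -Path $Path -AclObject $acl
    # Existing subfolders and files: re-enable inheritance and drop their explicit ACEs, once
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $child = Get-Acl -Path $_.FullName
        $child.SetAccessRuleProtection($false, $true)
        foreach ($ace in @($child.Access | Where-Object { -not $_.IsInherited })) { [void]$child.RemoveAccessRuleAll($ace) }
        Set-Acl -Path $_.FullName -AclObject $child
    }
}

function Test-HomeFolderAcl([string]$Path, [string]$User) {
    # Audit one folder against the intended layout; returns a list of findings, empty when it is correct
    $dacBits = $Rights::ChangePermissions -bor $Rights::TakeOwnership
    $acl = Get-Acl -Path $Path
    $findings = @()
    $hasOwnerRights = $false
    if (-not $acl.AreAccessRulesProtected) { $findings += "$Path still inherits ACEs from its parent" }
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq 'S-1-3-0') { $findings += "CREATOR OWNER ACE present on $Path" }   # S-1-3-0 is CREATOR OWNER
        if ($sid -eq 'S-1-3-4') { $hasOwnerRights = $true }
        if ($ace.IdentityReference.Value -eq $User -and $ace.AccessControlType -eq 'Allow' -and (($ace.FileSystemRights -band $dacBits) -ne 0)) {
            $findings += "$User is allowed ChangePermissions or TakeOwnership on $Path"
        }
    }
    if (-not $hasOwnerRights) { $findings += "No OWNER RIGHTS ACE on $Path; the owner keeps implicit WRITE_DAC" }
    return ,$findings
}
Set-HomeFolderAcl -Path 'D:\home\jdoe' -User 'CONTOSO\jdoe' -FullControl 'NT AUTHORITY\SYSTEM','BUILTIN\Administrators','CONTOSO\svc_backup'
Test-HomeFolderAcl -Path 'D:\home\jdoe' -User 'CONTOSO\jdoe'
```

Run it elevated on the file server; the audit function can also be pointed at a folder the user created afterwards to confirm the inherited ACL still denies them ChangePermissions and TakeOwnership.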

The special account "creator owner" appeared with XP if I remember correctly. If it has rights on a folder (the default), any folder you create will get the rights, and this will change the real rights because "creator owner" will be replaced by the creator/owner of the file or folder. So the right thing to do on your users' homedir folder is to cut inherited rights and remove all default security except administrators, system, and your backup account (sometimes not needed, as it might already be in administrators). Those ones must have full control. Then add the user on this folder with only the "change" rights. Apply this to all the subfolders once. Then every new folder created by the user will inherit the change right and won't get any more, so he won't be able to change rights.

Thanks for that advice. I'll try it out.
