Shared resources and NTFS permissions

This might be difficult to explain, so I'll start with what we have currently and end up where we want to be…

At my workplace we are currently running NT4 Terminal Server with Citrix MetaFrame 1.8. All our users are logging on to a published desktop with a logon script to map several data drives, dependent on where they are working. Typically each user has 3 separate drives, R, S and T (one for the whole organization, and two based on their location and department), but this can be different depending on the person or their role within the organization. Unfortunately this means every time someone wants something different it means a new logon script. These are getting unmanageable. Also, from a user point of view, the fact that somebody's S drive can be somebody else's T drive tends to confuse them on a daily basis.

We are in the process of moving over to Windows 2K3 with Citrix Presentation Server 3. Unfortunately, due to the fact that the current hardware is long past the need to be replaced, we are staying with an NT4 domain while we get everyone on to the new hardware. Then when we have some breathing space we will look at AD.

What we would ideally like to do is to consolidate the different drives into one network drive and have folders within it for what are currently the individual drives. We would want this controlled by group permissions so that each user only sees the folders he or she is assigned, but it never quite worked like that under NT4. The data drive would contain all the folders for every user, which is every bit as confusing as having separate drives. I have had a look at the way NTFS has changed since NT4 and got almost what I wanted with the 'List folder contents' option, but it doesn't quite cut it, as it doesn't hide the folder itself, just its contents.

Am I hoping for too much from NTFS, or is this something that can be configured successfully? If this needs some third-party management software, can anyone recommend something (reliable and preferably free; public sector organizations don't like spending anything lightly)?

Thanks for any help, and sorry if this was a bit long-winded.

Dave

2 weeks later...

Hmmm, quite a strange solution. I am using M as the home directory for users; every user account is automatically created by an ADSI script, which also creates this directory (and the permissions for this directory). Later the user gets this folder by mapping: net use M: \\server\%username%$

@ Soulin

We use pretty much the same methods for home directories, although the directories themselves are not shared but are subfolders of a share, so \\server\users$\%USERNAME% becomes the system drive. The problem is more based on departmental folders that several people can use, which are currently explicitly mapped in as R: for service-wide shared data, S: for location-based data and T: for departmental data. If someone works for two departments, or maybe from two locations, they need different logon scripts created with additional mapped drives. After the past 5 years of creating "special cases" you can see it can start to get unmanageable. What would be ideal would be just an R: drive with subfolders for their specific location and dept, managed by groups.

@ Marsden

You mean we need to wait until fully implementing AD rather than using the NT domain to authenticate? If it's just the 2003 NTFS permissions that need setting up properly, then I can manage that now. We have just got a Win2K3 Enterprise cluster with SAN where all the data will be moved to. If it's just 2003 that is needed, then you will have to give me some pointers, as I have had a crack at it but not managed to figure it out.

Thanks

Dave

You should be sharing resources and assigning permissions by Groups.

One drive with folders for all your departments. Assign access by group or groups.

Group A can access their specific folders. Group B has access to their folder/s. UserA in Group A needs access to the folder that is in Group B's folder. So you add UserA to the Group B group.

No need for multiple login scripts to map specific drives.

Yeah, that is what I am trying to do (we use groups for the permissions now but map to the folders individually). However, the problem I have with the way this seems to be working on one common mapped drive is that all users can see all the folders for everyone. The permissions work as far as only allowing the right users to gain access to the folders and denying access to all other folders. But there are upwards of 150 different departmental folders, which is too many for people to hunt through for theirs. What I need is some way of hiding the folders that each person does not have access to. The "List folder contents" NTFS permission would be perfect if it worked for the folder itself, as well as its contents.

3 weeks later...

Still trying to find a solution to this (although it isn't the highest of priorities, as you may have guessed). I have had a thought to use "My Network Places" to put shortcuts to the shares in, and it appears at first glance to work OK, but there are a few things that need tightening up first.

1 - I need to make sure that clicking 'up' after selecting the shortcut goes back to My Network Places rather than up one level on the file server. Even if the users don't have access to other folders and printers, I don't want them seeing them all...

2 - I would prefer some automated way of putting the shortcuts in the person's profile by adding them into the group or, again, some way of hiding the shortcuts for the folders the person cannot access.

Any help on these matters would be greatly appreciated.

Dave

Actually, ignore the second question. I got round this by holding all the shortcuts centrally, but with the same permissions as the target folder has, and in the logon script I copied everything from this folder to the user's NetHood folder in their profile. The net result is that it only copies the shortcuts that person has access to. Now I just need to figure the first part out: how to make the 'up' button navigate back to the 'My Network Places' folder.
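The logon-script half of the approach described above, written out as an added PowerShell example (not Dave's script or anything from the thread). It assumes hypothetical names: a central shortcut store at \\server\shortcuts$ whose .lnk files carry the same NTFS ACL as the folders they point to, and the per-profile My Network Places folder at %USERPROFILE%\NetHood.

```powershell
# Added example: copy only the shortcuts this user may read into their NetHood folder.
# Assumptions (hypothetical): \\server\shortcuts$ holds one .lnk per departmental
# folder, each ACL'd like its target; %USERPROFILE%\NetHood is "My Network Places".
$ShortcutStore = '\\server\shortcuts$'
$NetHood       = Join-Path $env:USERPROFILE 'NetHood'

if (-not (Test-Path -LiteralPath $NetHood)) {
    New-Item -ItemType Directory -Path $NetHood | Out-Null
}

# Clear last logon's shortcuts first, so a user removed from a group loses the entry
# instead of keeping a stale (but still harmless, since NTFS denies it) shortcut.
Get-ChildItem -LiteralPath $NetHood -Filter '*.lnk' -ErrorAction SilentlyContinue |
    Remove-Item -Force -ErrorAction SilentlyContinue

# Without access-based enumeration the store lists every .lnk, including ones the
# user cannot read. The copy of a denied file fails; that failure is the filter.
$copied = @()
Get-ChildItem -LiteralPath $ShortcutStore -Filter '*.lnk' -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            Copy-Item -LiteralPath $_.FullName -Destination $NetHood -Force -ErrorAction Stop
            $copied += $_.Name
        } catch {
            # Access denied on the .lnk means no rights on the target folder: skip it.
            # Nothing is written, so the user never sees the entry.
        }
    }

Write-Verbose ("Copied {0} shortcut(s) to {1}" -f $copied.Count, $NetHood)
```

The shortcuts only tidy the user's view; the NTFS ACL on each target folder remains the control that actually restricts access, exactly as described earlier in the thread.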

Scheesh, come on guys, I'm feeling very lonely in this thread...

I think there has already been a solution to this in SP1 for 2003 with access-based enumeration, which I am hoping will do the trick nicely. Unfortunately I can't try it yet, as we haven't got round to putting SP1 on yet due to a problem with our imaging processes (long story).

I'm surprised nobody mentioned this; I thought there were some pretty smart guys in here. I thought someone would have picked up on it, considering how often I have been bumping this talking to myself.

Ahhh well, at least there is a solution (hopefully)
