share&directory permissions question

Archived from groups: microsoft.public.win2000.file_system (More info?)

On Thu, 29 Jul 2004 10:49:01 -0400, "Eddie Walker" <ewalker3@prodigy.net> wrote:

>
>From: "Eddie Walker" <ewalker3@prodigy.net>
>Subject: help file share and director permission
>Date: Wednesday, July 28, 2004 11:52 PM
>
>Hey guys,
>Haveing a total mind block here.
>
>Moved to a new sever, and attempted to recreate the share and directory
>permissions for the user home directory share. which ends up as the users K
>drive
>(each user has folder based on their login name). I want to prevent users
>from being able to write to K:\, but not to their own user folder K:\SmithJ
>for example.
>
>I have a share called userdata with Modify permissions for the users,
>directory permissions is set to READ/LIST/
>i noticed that users appear to be able to write to the K:\ portion of the
>directory.
>
>how can i prevent that?
>
>If i set the share permission for the users to READ, they are unable to save
>to their folder on the userdata directory. even though the effective
>permissions for the directory say read/write etc.
>
>what am I missing?
>
>Ed
>
>
>
Share Permission: Authenticated Users - Full Control

NTFS Permission on userdata, with inheritance on the sub-folders of userdata
enabled:

Authenticated Users - Read/List
Administrators - Full Control
Creator Owner - RWXD

After you do the above,, set the user as the owner of their folder.

To script it
Download subInACL from tip 6705 in the 'Tips & Tricks' at http://www.jsiinc.com
Using GetUsers.bat from tip 7964, run the following on
the userdata server:

@echo off
setlocal
for /f "Tokens=*" %%u in ('getusers') do (
subinacl /subdirectories "C:\userdate\%%u\*.*" /setowner="%USERDOMAIN%\%%u"
)
endlocal



Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com