Changing default Security on Home Directories

Anonymous
February 28, 2005 4:11:02 PM

Archived from groups: microsoft.public.win2000.group_policy

I am trying to integrate some Macs into our Windows 2003 server environment.
The problem I have is with the security on users' home directories. I work in
a school, so the group "teachers" is for teachers and the group "students" is
for students.
The way I currently have it set up is as follows:
I have a share set up on the server for students called "StudentDirectory"
and the Active Directory template for making new students puts their home
directories in that share. The way security is set up on this share is that
Administrators and the Teachers group can administer all folders underneath
it using inheritance, which works awesome in a straight Windows environment.
The students group doesn't have read access on the share itself, just on their
own directories created underneath it.

Now the problem. The way the Macs seem to work is that when they
authenticate into Active Directory, they mount shares. As I have it, only the
parent folder "StudentDirectory" is shared, and if you log into a student
account on the Macs you can't mount your home directory unless you have read
access to the share. I can't give them read access to the share as it stands,
because then they would be able to read into all the other students' home
directories because of inheritance.

I am wondering if there is a way in AD to set up, through policy or something,
the default set of permissions and to also disable inheritance on a user's
home directory when created. This would allow me to give the students group
read access to the "StudentDirectory" share without being able to browse into
other students' home folders.

If I am using really bad grammar, I'm sorry. I am trying my best to explain
the problem I am having so that you guys will understand.

Thanks
Anonymous
March 1, 2005 2:09:15 AM

"EvanGordey" wrote:
> I am trying to integrate some Macs into our Windows 2003 server environment.
> The problem I have is with the security on users' home directories. I work in
> a school, so the group "teachers" is for teachers and the group "students" is
> for students.
> The way I currently have it set up is as follows:
> I have a share set up on the server for students called "StudentDirectory"
> and the Active Directory template for making new students puts their home
> directories in that share. The way security is set up on this share is that
> Administrators and the Teachers group can administer all folders underneath
> it using inheritance, which works awesome in a straight Windows environment.
> The students group doesn't have read access on the share itself, just on their
> own directories created underneath it.
>
> Now the problem. The way the Macs seem to work is that when they
> authenticate into Active Directory, they mount shares. As I have it, only the
> parent folder "StudentDirectory" is shared, and if you log into a student
> account on the Macs you can't mount your home directory unless you have read
> access to the share. I can't give them read access to the share as it stands,
> because then they would be able to read into all the other students' home
> directories because of inheritance.
>
> I am wondering if there is a way in AD to set up, through policy or something,
> the default set of permissions and to also disable inheritance on a user's
> home directory when created. This would allow me to give the students group
> read access to the "StudentDirectory" share without being able to browse into
> other students' home folders.
>
> If I am using really bad grammar, I'm sorry. I am trying my best to explain
> the problem I am having so that you guys will understand.
>
> Thanks

Hi,

The tip is to give them "Read Access" in the Upper Folder
permissions and then go into Advanced and change FROM "This folder,
subfolders and files" TO "This Folder only". This gives them read
access to the upper folder but is NOT inherited to subfolders.
Therefore they can see the list of users' folders and the names, but
can't enter into them.

This is the way the home folders should be set up with Windows 2003, as
Windows 2003 sets up users' folders with inheritance whereas Windows
2000 didn't.

Cheers,

Lara

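
An added example, not part of the original posts: the "This Folder only" grant from the reply above, applied with PowerShell and followed by an audit of the home folders for ACEs that would still let students in. The path `D:\StudentDirectory`, the domain name `SCHOOL` and the list of broad principals are assumptions, as is a server with PowerShell 3.0 or later.

```powershell
# Assumed names (not from the thread): adjust the path and domain to your server.
$root     = 'D:\StudentDirectory'
$students = 'SCHOOL\Students'

# --- 1. Grant Students read on the parent as "This folder only" -------------
$acl = Get-Acl -Path $root

# Drop any earlier explicit ACEs for the group first, so an old inheritable
# grant does not survive next to the new one.
$acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount($students)))

# InheritanceFlags None + PropagationFlags None is what the GUI shows as
# "This folder only": the ACE applies to the parent and is not inherited.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $students,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl

# --- 2. Audit: which home folders still carry an ACE students fall under? ---
# Students are also members of broad principals, so check those as well.
$watch = @($students, 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

$findings = Get-ChildItem -Path $root -Directory | ForEach-Object {
    $dir = $_
    (Get-Acl -Path $dir.FullName).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $watch -contains $_.IdentityReference.Value
        } |
        ForEach-Object {
            [pscustomobject]@{
                Folder    = $dir.Name
                Principal = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited   # True = flows down from the parent
            }
        }
}

# An empty result means no watched principal has access to any home folder.
$findings | Format-Table -AutoSize
```

A row with `Inherited` set to True points at an inheritable ACE higher up; a row with False points at an ACE set on that home folder itself.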