Re: Profile permissions

Hello f825_633,

As said before create a test share and see what's going on. Of course settings
permissions on higher level will be inherit from deeper level fodlers if
inheritance is enabled.

In your situation i would start with the share permisssions only and set
them to everyone FC, because Authenticated users read, creator owner full
control, everyone read will win, doesn;t matter whats configured as NTFS
permissions.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Meinolf Weber [MVP-DS] wrote:
>
>> To f825_633,
>> Create a new share for testing the following permissions:
>> Share permissions, everyone, Full control.
>>
> Doesn't this negate all other permissions ?
>

"f825_633" <f825_633}NOSPAM{@ntlworld.com> wrote in message
news:274Xm.44503$(E-Mail Removed)2...
> Meinolf Weber [MVP-DS] wrote:
>> Hello f825_633,
>>
>> As said before create a test share and see what's going on. Of course
>> settings permissions on higher level will be inherit from deeper level
>> fodlers if inheritance is enabled.
>>
>> In your situation i would start with the share permisssions only and set
>> them to everyone FC, because Authenticated users read, creator owner full
>> control, everyone read will win, doesn;t matter whats configured as NTFS
>> permissions.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>
>>> Meinolf Weber [MVP-DS] wrote:
>>>
>>>> To f825_633,
>>>> Create a new share for testing the following permissions:
>>>> Share permissions, everyone, Full control.
>>>>
>>> Doesn't this negate all other permissions ?
>>>
>>
>>
> OK, Have done that and I have two machines behind me logged in as non
> administrative users whom can both see the new share, create a folder and
> save a file, they can as expected see each others folders and save files
> in each others folders and delete each others files.
>

There are a couple of ways to do this. If this is for Roaming Profiles
(which I suggest to get away from and use Folder Redirection), you can set
it up as follows, which only allows the user and the domain admin FC into
the folder, no one else.

Keep in ind, the user MUST have Full Control on both the Share and the
Security (NTFS) permissions. Otherwise, Roaming Profiles will not work. This
is also required for Folder Redirection.

Roaming Profiles Folder Permissions:

Method 1:
Each individual folder is shared out with a hidden share name specifically
for each user, and the Profiles path is set to this folder in the user's AD
account properties.

1. Create a root folder called Profiles. Share it out as Profiles$, and set
the Share permissions to the following so only the domain admin can see the
parent share.:
If it exists, Remove the Everyone Group
Domain Admins=FC
System=FC

2. Create child folders, one for each user. The Share permissions for the
user must be set to Full Control, or it won't work. For example, for a user
named Bill, create a folder called "Bill", then share it out as Bill$, and
set the share permissions to:
If it exists, Remove the Everyone Group
If it exists, Remove Domain Users group
Domain Admins=FC
System=FC
Bill=FC

3. Set the Profile path in the user's account properties to
\\servername\%username%$


Method 2:
The parent folder is shared out with a hidden share name, however the users'
folders are not. But you still have to set the permissions correctly for
each individual user so only that user has Full Control access to their
folder, and no one else.

1. Create a root folder called Profiles. Share it out as Profiles$, and set
the Share permissions to the following so only the domain admin can see the
parent share.:
Domain Admins=FC
System=FC
Authenticated Users = FC
If it exists, Remove the Everyone Group

2. Create child folders, one for each user. The Share permissions for the
user must be set to Full Control, or it won't work. In this scenario, you
set the user to Full Control, and remove anything referencing other users
(other than the domain admin). Instead of the above method where the system
accesses the folder directly with a hidden share, this method accesses the
folder through the parent share to the user's subfolder. For example, for a
user named Bill, create a folder called "Bill", do not share it, but set the
share permissions to:
If it exists, Remove Everyone
If it exists, Remove Domain Users
Domain Admins=FC
System=FC
Bill=FC.

3. Set the Profile path in the user's account properties to
\\servername\profiles$\%username%


If you want to go to Folder Redirection, which works nicely and actually
more efficient, since the GPO has the option to set 'Offline Files' (which
caches it locally and minimizes LAN and WAN traffic), please read my blog on
it in the following link:

Folder Redirection
http://msmvps.com/blogs/acefekay/arc...direction.aspx


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.


..

"f825_633" <f825_633}NOSPAM{@ntlworld.com> wrote in message
news:5Y8Xm.46066$(E-Mail Removed)2...
> We've had finger trouble; Our administrator left the company a short while
> ago and someone has since been on the server and altered the permissions
> on the profile directories such that every user now logging off gets the
> 'ACCESS DENIED' message upon log off. GRrrr..
>
> The question is , what should they be put back to?
>
> Ace Fekay [MCT] wrote:
>
>>
>> Method 2:
>> The parent folder is shared out with a hidden share name, however the
>> users' folders are not. But you still have to set the permissions
>> correctly for each individual user so only that user has Full Control
>> access to their folder, and no one else.
>>
>> 1. Create a root folder called Profiles. Share it out as Profiles$, and
>> set the Share permissions to the following so only the domain admin can
>> see the parent share.:
>> Domain Admins=FC
>> System=FC
>> Authenticated Users = FC
>> If it exists, Remove the Everyone Group
>>
>> 2. Create child folders, one for each user. The Share permissions for the
>> user must be set to Full Control, or it won't work. In this scenario, you
>> set the user to Full Control, and remove anything referencing other users
>> (other than the domain admin). Instead of the above method where the
>> system accesses the folder directly with a hidden share, this method
>> accesses the folder through the parent share to the user's subfolder. For
>> example, for a user named Bill, create a folder called "Bill", do not
>> share it, but set the share permissions to:
>> If it exists, Remove Everyone
>> If it exists, Remove Domain Users
>> Domain Admins=FC
>> System=FC
>> Bill=FC.
>>
>> 3. Set the Profile path in the user's account properties to
>> \\servername\profiles$\%username%
>>
>
> I think this is the method that was employed, but I've discovered this
> afternoon that there is another server on the system at the other end of
> the site and it seems that the profiles are somehow using DFS
>
> the two servers are called alpha and beta (how original )
>
> the domain is called lightning
>
> in active directory in the profile section for each user there is an entry
> that says \\lightning\profile$\$username%
>
> if I browse to \\alpha\profile$ or \\beta\profile$ I can see what looks
> like a duplicate set of folders one for each user, I checked the owner
> permission and it lists -
> administrator, file folder, 19/12/2009 16:43, LIGHTNING\Administrator
>
> the format with variances for date are the same for every user, both
> \\alpha\profile$ & \\beta\profile$ look identical at this point.
>
> looking at \\lightning\profile$ which I assume is the distributed share
> name? this looks the same with regard to the owner of each directory, but
> if I browse too my own directory 'mike' in my case from the machine I'm
> logged into I see all my sub directory's and files etc, but I am unable to
> create a folder or open a file, seems I don't have permission to write to
> this directory...(The user mike is not an administrator) however....
> if I enter via \\alpha\profile$\mike or \\beta\profile$\mike I can create
> a folder, edit/save a file what ever, I think I've worked out there must
> be different permissions set on the entry point via
> \\lightning\profile$\mike than there is via either of the other routes. ?
> Possible? or am I missing the point.



Being setup as Method 2, as you've indicated, it appears that someone went
to the parent folder and altered the permissions and set it to propogate to
all child folders. So the way I see it at this point, to fix it, you have to
go to each individual folder and reset them. If you reset them based on my
suggestions in Method 2, you should be ok. Find out who changed it and ask
why. If you don't know who it is, I can recommend to setup auditing on that
folder parent.

Ace

It is hard to follow where you guys are going with this,...but are you aware
that you can reset the NTFS permissions on both the filesystem and the
registry using the "Security Configuration and Analysis" MMC?

1. Open a new blank MMC
2. Add the "Security Configuration and Analysis" to the MMC
3. Right-Click on the root and choose "Open Database"
4. Just make up a new name,...like "Temp"
5. Import the Template "setup security.inf" which should be a template for
normal original install or maybe "securews.inf" which should be a
Workstation template.
6. Right-Click on the root again and choose "Configure Computer now...."

I have fixed "profile issues" many times with this.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Phillip Windell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> It is hard to follow where you guys are going with this,...but are you
> aware that you can reset the NTFS permissions on both the filesystem and
> the registry using the "Security Configuration and Analysis" MMC?
>
> 1. Open a new blank MMC
> 2. Add the "Security Configuration and Analysis" to the MMC
> 3. Right-Click on the root and choose "Open Database"
> 4. Just make up a new name,...like "Temp"
> 5. Import the Template "setup security.inf" which should be a template for
> normal original install or maybe "securews.inf" which should be a
> Workstation template.
> 6. Right-Click on the root again and choose "Configure Computer now...."
>
> I have fixed "profile issues" many times with this.
>
> --
> Phillip Windell
>
> The views expressed, are my own and not those of my employer, or
> Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>


Good point about the Sec & Analysis template to fix it. :-)

Ace