+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 17
Windows Server 2008 R2 Thread, Folder Permissions in Technical; Since migrating from windows server 2007 to 2008 R2, the home folders for students and staff have gone bonkers. At ...
  1. #1

    Join Date
    Sep 2011
    Posts
    25
    Thank Post
    4
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Folder Permissions

    Since migrating from windows server 2007 to 2008 R2, the home folders for students and staff have gone bonkers. At the moment I found out last night that if a student finds his way to the home folders he can access any folder in there. What I want is the stage it used to be where when a student or staff member logged in he could only have access to his folder, even if he browsed to the home folders directory. In the past if you were logged in as xyz and tried to access abc it would say you do not have permission to do this I have tried various ways I have now reached a stage where they can still see the folders go into the folders create in the folders but can't delete. Any help please.

  2. #2

    Join Date
    Sep 2011
    Posts
    25
    Thank Post
    4
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Help this is getting serious.....

  3. #3
    bio
    bio is offline
    bio's Avatar
    Join Date
    Apr 2008
    Location
    netherlands
    Posts
    520
    Thank Post
    16
    Thanked 130 Times in 102 Posts
    Rep Power
    37
    How does your folder structure look like ? which permissions should be there ?

    bio..

  4. #4
    cpjitservices's Avatar
    Join Date
    Jul 2010
    Location
    Hessle
    Posts
    2,477
    Thank Post
    515
    Thanked 287 Times in 263 Posts
    Rep Power
    81
    On the actual folder where the homes are kept don't give the Users viewing capabilities in the permissions, but make sure on there actual folder they can read & write.

  5. #5

    Join Date
    Oct 2008
    Posts
    94
    Thank Post
    8
    Thanked 16 Times in 10 Posts
    Rep Power
    26
    cpjitservices: "don't give the Users viewing capabilities in the permissions" can you be more verbose please? Under the group security permissions for the parent folder we have

    Read
    Read & Execute
    List folder contents

    Disabling all of which would seem to fit the description of 'disabling viewing permissions'.

    We would benefit greatly from a no BS guide to fixing permissions on server 2008 network shares - as per usual its nigh on impossible to find any MS docs that aren't misleading, confusing, incorrect, out-of-date or all of the above.

    Todays searching uncovered this potential lifesaver of a powershell script:

    Fix NTFS Permissions on Home Drives with PowerShell | Flaming Keys

    Has anyone tried this script or used anything similar successfully? I try it tomorrow if no-one replies with any negative feedback or a better solution.

    Thanks!

  6. #6
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    5,002
    Thank Post
    120
    Thanked 282 Times in 260 Posts
    Rep Power
    108
    There is NTFSFIX from wisesoft but I have never used it on 2008 R2

  7. #7
    cpjitservices's Avatar
    Join Date
    Jul 2010
    Location
    Hessle
    Posts
    2,477
    Thank Post
    515
    Thanked 287 Times in 263 Posts
    Rep Power
    81
    give them read to the parent folder, and disable listing folder contents but on there home folder they need read & write and list.

  8. #8
    chrisbrown's Avatar
    Join Date
    Aug 2010
    Location
    Melbourne, Australia
    Posts
    103
    Thank Post
    2
    Thanked 16 Times in 14 Posts
    Rep Power
    17
    Quote Originally Posted by danboid View Post
    Todays searching uncovered this potential lifesaver of a powershell script:

    Fix NTFS Permissions on Home Drives with PowerShell | Flaming Keys

    Has anyone tried this script or used anything similar successfully? I try it tomorrow if no-one replies with any negative feedback or a better solution.
    Hi danboid,

    I see you found my blog! If you have any issues with the script, please let me know. Also note what one commenter pointed out. You may need to change a couple of lines dependent on your requirements:
    (88) $inheritanceFlags = "ContainerInherit, ObjectInherit"
    (90) $propagationFlags = "None"

    Please do let me know how you go, hopefully my post can be helpful!

  9. Thanks to chrisbrown from:

    danboid (27th September 2011)

  10. #9

    Join Date
    Oct 2008
    Posts
    94
    Thank Post
    8
    Thanked 16 Times in 10 Posts
    Rep Power
    26
    Hi Chris!

    Great to see you're on these forums too!

    I tried your script today and with a little bit of tweaking I'm sure we'll get it it to work although users can still view other users files as it stands.


    Following cpjit's advice above, before running your script I adjusted the parent folder's permissions so that the 'Student' group can only read and nothing else- that is the only group with permission to access the folder except for the domain and group administrators. The first time I ran the script I ran it 'as is', only changing the path to the user areas and the domain name. This didn't work as although the user (owner of the folder) got added to the permissions they didn't have any rights to do anything at all so I ran the script again but with the suggested alternate inheritance and propagation flags and now users can read and write to their own folders again but they can still view other users files. Its worth pointing out that the parent dir isn't a hidden folder although as far as I'm aware it shouldn't really need to be to get this working properly - right?

    So, what other flags could I pass via the inheritance and propagation variables, what will they do and how do I discern exactly which ones to use?

    Thanks for your help and the great script!

  11. #10
    chrisbrown's Avatar
    Join Date
    Aug 2010
    Location
    Melbourne, Australia
    Posts
    103
    Thank Post
    2
    Thanked 16 Times in 14 Posts
    Rep Power
    17
    Mine is set up like this, and the script (with those two line modifications, which I'll write into my blog post shortly) works as required:

    (Creator Owner: CO, System: S, Domain Admins: DA, Administrators: LA)

    D:\
    - CO: Full Control (Subfolders and files only)
    - LA,DA,S: Full Control (This folder, subfolders and files)

    D:\Students\
    - Inherited as above
    - Students Group: Traverse folder/execute file, Read Attributes, Read Extended Attributes (This folder only)

    D:\Students\ajsmith
    - Inherited as above
    - ajsmith: Full Control (This folder, subfolders and files)

  12. 2 Thanks to chrisbrown:

    danboid (28th September 2011), mickeyh080 (26th February 2014)

  13. #11

    Join Date
    Oct 2008
    Posts
    94
    Thank Post
    8
    Thanked 16 Times in 10 Posts
    Rep Power
    26
    Thanks so much for laying out the expected/correct structure of the permissions for us Chris! Why oh why can't MS, with all their billions, get some decent online docs together? I think we know the answer to that one though- is it time to update my MS certifications again? I've already noticed a few flaws with our permissions after briefly comparing to yours so working on fixing it now.

    As for your script- surely something like it should come as standard with Windows Server? I had probs trying to install powershell 2 but it seems to work fine under PS 1 - it adjusts the first 20 or so folders very quickly and after that it slows down to one every coulple of seconds on this xeon although I realise this is probably something you can't fix- maybe it doesn't happen under PS2? I'm also bitterly disappointed that even 'power'shell can't go full-screen, something that has always irked me with the standard windows command tool.

  14. #12
    chrisbrown's Avatar
    Join Date
    Aug 2010
    Location
    Melbourne, Australia
    Posts
    103
    Thank Post
    2
    Thanked 16 Times in 14 Posts
    Rep Power
    17
    Microsoft's online doco is good, but there are a few gaps here and there, which is why there's such a thriving MSITPro community ;-)

    I'm intrigued by your comparison of PowerShell v1 versus v2...how are you switching between versions? It's not something you can just switch between on one box. I only use PowerShell v2 (and as of today, v3 CTP! -- excited!) and have not had any problems with the script.

    Note that PowerShell is still wrapped within the cmd.exe window, and for this reason you're limited to displaying your console in the same fashion as cmd.exe. Personally, I rarely run the shell itself, I usually have it nested within PowerGUI or the PowerShell ISE. I'd suggest you look into these for versatility and flexibility when it comes to PowerShell visuals.

    HTH

  15. #13

    Join Date
    Oct 2008
    Posts
    94
    Thank Post
    8
    Thanked 16 Times in 10 Posts
    Rep Power
    26
    Hi Chris!

    I'm not switching between versions - v2 wouldn't install for me so I'm stuck at v1. I know this was posted under server 2008 r2 forum but this problem is actually on a regular Server 2008 32-bit install (with SP2). Its just that out server is 8 core with 14GB of RAM and some whizzy drives so I'm appalled it should take so long to change permissions on a few hundred folders :/

    After ridding of a problematic folder, I seem to be having trouble giving CO full control over the D: drive (yes, it just so happens to be our drive holder users shares too). I try setting it to full control then click 'Apply' and Windows seems to be apply the change without error but after supposedly modifying the permissions of the files all the permissions boxes for CO are still empty ie CO has no permissions for D: still. Have you encountered this problem? Maybe I need to set permissions via icacls or powershell instead?

  16. #14
    chrisbrown's Avatar
    Join Date
    Aug 2010
    Location
    Melbourne, Australia
    Posts
    103
    Thank Post
    2
    Thanked 16 Times in 14 Posts
    Rep Power
    17
    Is "special permissions" ticked on the simple security display?
    edugeek1.PNG
    Ensure your permissions on the root look like this:

    edugeek2.PNG

  17. 2 Thanks to chrisbrown:

    danboid (29th September 2011), mickeyh080 (26th February 2014)

  18. #15

    Join Date
    Oct 2008
    Posts
    94
    Thank Post
    8
    Thanked 16 Times in 10 Posts
    Rep Power
    26
    Thanks very much for all your help Chris! The folders are setup correctly now and students can only view and access their own as intended- phew!

    As for my previous prob with CO seemingly not having full control, I just wasn't digging deep enough it seems. When I got 5 or so levels deep into the NTFS permissions labyrinthe then I saw that it was setup as desired.

    There's something odd with those png's you posted though- I can view them fine under Chromium (better if opened in a new tab) but they don't show under FF or most image viewing apps.
    Last edited by danboid; 29th September 2011 at 01:40 PM.

  19. Thanks to danboid from:

    chrisbrown (30th September 2011)

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Student drop box (homework folder) permissions
    By ashdon in forum How do you do....it?
    Replies: 21
    Last Post: 8th October 2012, 04:42 PM
  2. Replies: 12
    Last Post: 4th July 2007, 08:33 AM
  3. Replies: 5
    Last Post: 12th January 2007, 09:26 PM
  4. Folder Permissions
    By wesleyw in forum Windows
    Replies: 6
    Last Post: 9th January 2007, 08:25 PM
  5. DPS Folder Permissions
    By ajbritton in forum ICT KS3 SATS Tests
    Replies: 2
    Last Post: 18th December 2006, 11:09 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •