Since migrating from Windows Server 2007 to 2008 R2, the home folders for students and staff have gone bonkers. At the moment, as I found out last night, if a student finds his way to the home folders he can access any folder in there. What I want is the stage it used to be at, where when a student or staff member logged in he could only have access to his folder, even if he browsed to the home folders directory. In the past, if you were logged in as xyz and tried to access abc, it would say you do not have permission to do this. I have tried various ways and have now reached a stage where they can still see the folders, go into the folders and create in the folders, but can't delete. Any help please.
Help this is getting serious.....
What does your folder structure look like? Which permissions should be there?
On the actual folder where the homes are kept, don't give the Users viewing capabilities in the permissions, but make sure on their actual folder they can read & write.
cpjitservices: "don't give the Users viewing capabilities in the permissions" can you be more verbose please? Under the group security permissions for the parent folder we have
Read & Execute
List folder contents
Disabling all of which would seem to fit the description of 'disabling viewing permissions'.
We would benefit greatly from a no BS guide to fixing permissions on Server 2008 network shares - as per usual it's nigh on impossible to find any MS docs that aren't misleading, confusing, incorrect, out-of-date or all of the above.
Today's searching uncovered this potential lifesaver of a PowerShell script:
Fix NTFS Permissions on Home Drives with PowerShell | Flaming Keys
Has anyone tried this script or used anything similar successfully? I'll try it tomorrow if no-one replies with any negative feedback or a better solution.
There is NTFSFIX from wisesoft but I have never used it on 2008 R2
Give them read to the parent folder, and disable listing folder contents, but on their home folder they need read & write and list.
Originally Posted by danboid
I see you found my blog! If you have any issues with the script, please let me know. Also note what one commenter pointed out. You may need to change a couple of lines dependent on your requirements:
(88) $inheritanceFlags = "ContainerInherit, ObjectInherit"
(90) $propagationFlags = "None"
Please do let me know how you go, hopefully my post can be helpful!
Great to see you're on these forums too!
I tried your script today and with a little bit of tweaking I'm sure we'll get it to work, although users can still view other users' files as it stands.
Following cpjit's advice above, before running your script I adjusted the parent folder's permissions so that the 'Student' group can only read and nothing else - that is the only group with permission to access the folder except for the domain and group administrators. The first time I ran the script I ran it 'as is', only changing the path to the user areas and the domain name. This didn't work: although the user (owner of the folder) got added to the permissions, they didn't have any rights to do anything at all. So I ran the script again but with the suggested alternate inheritance and propagation flags, and now users can read and write to their own folders again, but they can still view other users' files. It's worth pointing out that the parent dir isn't a hidden folder, although as far as I'm aware it shouldn't really need to be to get this working properly - right?
So, what other flags could I pass via the inheritance and propagation variables, what will they do and how do I discern exactly which ones to use?
Thanks for your help and the great script!
Mine is set up like this, and the script (with those two line modifications, which I'll write into my blog post shortly) works as required:
(Creator Owner: CO, System: S, Domain Admins: DA, Administrators: LA)
- CO: Full Control (Subfolders and files only)
- LA,DA,S: Full Control (This folder, subfolders and files)
- Inherited as above
- Students Group: Traverse folder/execute file, Read Attributes, Read Extended Attributes (This folder only)
- Inherited as above
- ajsmith: Full Control (This folder, subfolders and files)
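The layout above expressed in PowerShell, as an added example that is not part of the original thread and is not the Flaming Keys script. It also goes one step further and reports any Allow entry on a home folder that belongs to neither the owner nor the administrative identities listed above. The path, domain and group name are assumptions.

```powershell
# Added example (PowerShell 2.0+ for try/catch). Assumed names, not from the
# thread: D:\Homes, domain SCHOOL, group SCHOOL\Students, and each home folder
# named after its owner's logon name.
$HomeRoot = 'D:\Homes'
$Domain   = 'SCHOOL'
$Group    = "$Domain\Students"

# "Applies to" in the GUI is the pair (InheritanceFlags / PropagationFlags):
#   This folder only                  -> None / None
#   This folder, subfolders and files -> ContainerInherit, ObjectInherit / None
#   Subfolders and files only         -> ContainerInherit, ObjectInherit / InheritOnly
function New-AllowRule($Identity, $Rights, $Inherit, $Propagate) {
    $r = [System.Security.AccessControl.FileSystemRights]$Rights
    $i = [System.Security.AccessControl.InheritanceFlags]$Inherit
    $p = [System.Security.AccessControl.PropagationFlags]$Propagate
    $t = [System.Security.AccessControl.AccessControlType]::Allow
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $r, $i, $p, $t)
}

# Parent folder: the group may pass through but not list or read, this folder only.
$acl = Get-Acl $HomeRoot
$acl.SetAccessRule((New-AllowRule $Group 'Traverse, ReadAttributes, ReadExtendedAttributes' 'None' 'None'))
Set-Acl $HomeRoot $acl

# Identities expected on every home folder besides its owner.
$expected = 'CREATOR OWNER', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$Domain\Domain Admins"

foreach ($dir in (Get-ChildItem $HomeRoot | Where-Object { $_.PSIsContainer })) {
    $owner = "$Domain\$($dir.Name)"
    try {
        $acl = Get-Acl $dir.FullName
        $acl.SetAccessRule((New-AllowRule $owner 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
        Set-Acl $dir.FullName $acl
    } catch {
        Write-Warning "$($dir.FullName): could not grant $owner ($($_.Exception.Message))"
        continue
    }
    # Audit: any other Allow entry means someone besides the owner can get in.
    foreach ($ace in (Get-Acl $dir.FullName).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            ($expected + $owner) -notcontains $ace.IdentityReference.Value) {
            "{0}: unexpected {1} -> {2} (inherited: {3})" -f $dir.FullName,
                $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited
        }
    }
}
```

An "unexpected" line marked as inherited points at an entry on the parent or drive root that applies to subfolders, which is the usual reason other users can still browse a home folder after the owner's entry has been added.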
Thanks so much for laying out the expected/correct structure of the permissions for us Chris! Why oh why can't MS, with all their billions, get some decent online docs together? I think we know the answer to that one though- is it time to update my MS certifications again? ;) I've already noticed a few flaws with our permissions after briefly comparing to yours so working on fixing it now.
As for your script - surely something like it should come as standard with Windows Server? I had probs trying to install PowerShell 2 but it seems to work fine under PS 1 - it adjusts the first 20 or so folders very quickly and after that it slows down to one every couple of seconds on this Xeon, although I realise this is probably something you can't fix - maybe it doesn't happen under PS2? I'm also bitterly disappointed that even 'power'shell can't go full-screen, something that has always irked me with the standard Windows command tool.
Microsoft's online doco is good, but there are a few gaps here and there, which is why there's such a thriving MSITPro community ;-)
I'm intrigued by your comparison of PowerShell v1 versus v2...how are you switching between versions? It's not something you can just switch between on one box. I only use PowerShell v2 (and as of today, v3 CTP! -- excited!) and have not had any problems with the script.
Note that PowerShell is still wrapped within the cmd.exe window, and for this reason you're limited to displaying your console in the same fashion as cmd.exe. Personally, I rarely run the shell itself, I usually have it nested within PowerGUI or the PowerShell ISE. I'd suggest you look into these for versatility and flexibility when it comes to PowerShell visuals.
I'm not switching between versions - v2 wouldn't install for me so I'm stuck at v1. I know this was posted under the Server 2008 R2 forum but this problem is actually on a regular Server 2008 32-bit install (with SP2). It's just that our server is 8 core with 14GB of RAM and some whizzy drives so I'm appalled it should take so long to change permissions on a few hundred folders :/
After getting rid of a problematic folder, I seem to be having trouble giving CO full control over the D: drive (yes, it just so happens to be the drive holding our users' shares too). I try setting it to full control then click 'Apply' and Windows seems to apply the change without error, but after supposedly modifying the permissions of the files all the permissions boxes for CO are still empty, i.e. CO has no permissions for D: still. Have you encountered this problem? Maybe I need to set permissions via icacls or PowerShell instead?
Is "special permissions" ticked on the simple security display?
Ensure your permissions on the root look like this:
Thanks very much for all your help Chris! The folders are set up correctly now and students can only view and access their own as intended - phew!
As for my previous prob with CO seemingly not having full control, I just wasn't digging deep enough it seems. When I got 5 or so levels deep into the NTFS permissions labyrinth then I saw that it was set up as desired.
There's something odd with those PNGs you posted though - I can view them fine under Chromium (better if opened in a new tab) but they don't show under FF or most image viewing apps.