Inherited a network and am trying to make some minor improvements in the short term...
I am having a problem with restricting staff members' access to students' home directories. It is currently set up in the following way:
Home directories (shared - everyone - full control)
2006 > users home directories
2007 > users home directories
2008 > users home directories
2009 > users home directories
2010 > users home directories
Teachers > users home directories
I want to allow staff members to only read data in the 200# directories but be able to read and write in the users' home directories. The trouble is that the home directories share currently has students and teachers together, so I can't change the permissions at that level. Currently each 200# directory has a staff security group with Modify permissions. I changed this to a special permission ("Subfolders and files only"), but this stopped staff from being able to access the 200# directories.
I hope I have made this clear. Thanks for any help.
For starters - Everyone should not have FULL CONTROL over any directory, at most it should be R/W/M.
Do you have groups split as 'Teachers' and 'Students'?
You can apply the read-only permission for the student folder view to "This folder only" (I'm guessing you would have to do this at each year group level) and it will not propagate through the subdirectories. Combined with the security permission you have already described ("Subfolders and files only"), this should give you the result you are looking for.
It should also be said that this assumes that the share permissions on the drive are set up so that everyone has full control (share permissions are much less finely grained so allowing full control here doesn't affect the finer control of NTFS).
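The two-ACE layout Jamo describes, as an added PowerShell example (not code from the original thread). It sets, on one year folder, a read-and-execute entry for the staff group scoped to "This folder only" and a Modify entry scoped to "Subfolders and files only", then loops over the year folders. The share root `D:\Home`, the year folder names and the group `CONTOSO\Staff` are assumptions for illustration; substitute the real paths and group.

```powershell
# Added example, not from the original post. Assumed names: D:\Home share root,
# year folders 2006..2010 below it, staff group CONTOSO\Staff.
function Set-StaffYearAcl {
    param(
        [Parameter(Mandatory)] [string]$YearDir,    # e.g. D:\Home\2010 (assumed layout)
        [Parameter(Mandatory)] [string]$StaffGroup  # e.g. CONTOSO\Staff (assumed name)
    )

    $acl = Get-Acl -LiteralPath $YearDir

    # Start from a known state: drop any explicit (non-inherited) entries for the staff group.
    # $acl.Access returns a snapshot, so removing while iterating over it is safe.
    $existing = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $StaffGroup })
    foreach ($ace in $existing) { [void]$acl.RemoveAccessRuleSpecific($ace) }

    # ACE 1: Read & execute, "This folder only" (no inheritance flags).
    # Lets staff open the year folder and list the student homes inside it, but not
    # create anything at this level. It is NOT inherited by the student homes.
    $readThisFolderOnly = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $StaffGroup, 'ReadAndExecute', 'None', 'None', 'Allow'

    # ACE 2: Modify, "Subfolders and files only" (inherit-only, applies to child
    # folders and files). It is not applied to the year folder itself, which is why
    # this entry alone left staff unable to get into the 200# directories.
    $modifySubfoldersAndFiles = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $StaffGroup, 'Modify', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow'

    $acl.AddAccessRule($readThisFolderOnly)
    $acl.AddAccessRule($modifySubfoldersAndFiles)
    Set-Acl -LiteralPath $YearDir -AclObject $acl
}

# Apply to every year folder (assumed layout under D:\Home).
$homeRoot   = 'D:\Home'
$staffGroup = 'CONTOSO\Staff'
foreach ($year in 2006..2010) {
    Set-StaffYearAcl -YearDir (Join-Path $homeRoot $year) -StaffGroup $staffGroup
}

# Check: on the year folder the staff group should show ReadAndExecute with no
# inheritance and Modify marked InheritOnly; on a student home the inherited Modify
# entry should appear with InheritanceFlags ContainerInherit, ObjectInherit.
foreach ($path in (Join-Path $homeRoot '2010'), (Get-ChildItem -Directory (Join-Path $homeRoot '2010') | Select-Object -First 1 -ExpandProperty FullName)) {
    "== $path"
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $staffGroup } |
        Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags, PropagationFlags -AutoSize
}
```

Both entries are granted to the same security group; NTFS permits several explicit entries for one identity on an object, so a second group is not needed for this. Run it first against one year folder (or copy the folder structure to a test location) and confirm with the final check before looping over all of them, since `Set-Acl` rewrites the DACL in place.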
Giving people full control over their home directories basically lets them 'take ownership' of files inside those directories. Are there any security risks for this? As they will almost always be owners of 95% of the files in their directories anyway?
TheMinster: I agree about the Everyone group fully. I would always use a custom security group or Authenticated Users; however, I am still figuring out this network so do not want to change too much. Ultimately I think the file server needs to be changed from what I have seen so far: it's a mess with questionable permissions and file duplication. Also, yes, security groups are set up for students and teachers.
Jamo: That sounds great, but would I be able to do this with the same security group, or would there have to be two different ones, as I would be setting different permissions at the same level, e.g. each year group?
Thanks for both your replies.