User's Network Home Folder Permissions

[Chuckster]

I was going through random Users Home Folder NTFS Permissions and noticed that from the primary level down they all have Modify permissions under the Authenticated Users group.

My storage of peoples' home folders are as follows:

From Server
D:\Users\Admin\Username
D:\Users\Pupils\Intake Year\Username
D:\Users\Teaching Staff\Username
D:\Users\Non-teaching Staff\Username
D:\Users\System Administrators\Username

Mapped as:
\\servername\users$\Admin\%username%
\\servername\users$\Yeargroup\Intake Year\%username%
\\servername\users$\Teaching Staff\%username%
\\servername\users$\Non-teaching Staff\%username%
\\servername\users$\System Administrators\%username%

Permissions are set from the Users folder:
Administrators: Full
Backup Operators: Full
Authenticated Users: Modify
System: Full

My problem is, is that someone such as a non-teaching staff member can view other people's user area by using Windows Media Player (Tools --> Rip Music --> Change (location of storage)).

Is there a way I can reset all the permissions so that everybody has either Full or Modify NTFS permissions on their own home folder but no where else?

Effectively meaning that people's home drives get mapped as \\severname\username$ rather than \\servername\users$\non-teachingstaff\username.

Furthermore, the permissions then read on a person's folder like this:

Administrators: Full
Joe Bloggs: Modify
Backup Operators: Full
System: Full


Have I made sense?
Simply put, I want to set up NTFS permissions in the way it's done on an RM CC3 network for its users.

[DrPerceptron]

By the sounds of it... you still need to use the folder paths when mapping drives, but with correct NTFS permissions, it doesn't matter because only the relevant people can go where they should.

Really, on parent folders, you want just a Traverse Folders/Execute Files (I believe that lets people access their subfolder but not present any folders if they browse)

Then once they reach their own folder, as you rightly updated, just their own permission... it's upto you whether you allow staff access to student areas...


If you go to the Advanced section of the Security tabs, you can use effective permissions to see what kind of permissions you would get as xyz user, handy for checking if it's correct.

As for en-masse (?) you can use CACLS, XCACLS or the VB variant (subinacl?) to change the permissions... but you'd want to set your parent folder permissions first, then loop through the rest individually.


NB: make sure you set Traverse permissions on "this folder".

NB2: That's the short of how it's setup here... although we split our staff and students away from eachother so they can't do anything regardless of correct/incorrect NTFS permissions.

[Ric_]

Check out http://www.edugeek.net/wiki/index.ph..._on_homedrives

[Ignatius]

I don't know if MS 274443 might be of interest. I used it in a test lab a while ago and the explicit permissions detailed in it seem to work nicely.

[PiqueABoo]

I don't know if MS 274443 might be of interest.

At a glance it looks the same, so here's a better link for that method with screenshots etc.: MS DS Team blog

I think it works nicely too.