Windows Thread, Office madness!! in Technical
  1. #1

    localzuk

    Office madness!!

    Right, so I am now re-setting up our network after having a little bit of a catastrophic failure. I took the opportunity to make a change so that we don't have to have a share for every single pupil in the school, as it is a long-winded process.

    Instead, I now have a DFS root with a link to a share on a NAS box, e.g.:

    \\root\domain\files

    and then under that link I have folders for each year and then a folder for each pupil.

    In the Active Directory I have mapped the home drive to W:, which points directly at that person's folder (i.e. \\root\domain\files\03\pupilname).

    I have a variety of options enabled in the group policy which disables the display of anything in My Network Places (and this itself is not displayed to the pupil on the desktop or in my computer).

    Now, the problem arises in Office. When a user goes to open a file, their home folder is listed under the network path in the drop down box at the top, rather than the W: drive. This means that they can select the folder on each level above their own, and are able to navigate to any share...

    Is there any way of getting rid of that box? Or at least making it not show My Network Places?

    Cheers
    Tony

  2. #2


    Re: Office madness!!

    If anyone is able to browse to anyone's home directory, however they do it, that is your problem.

    Any changes you make to network browsing, drive browsing etc. via Group Policy are purely cosmetic. There's nothing to stop anyone from just browsing the network via a UNC path from the common open dialog, for example; Group Policy isn't designed to provide security, just interface restrictions.

    You need to make sure that however you structure the physical directory layout for home directories, each user only has security permissions to view their own directory. It's easy enough to incorporate this into your user creation process (as is creating individual shares for that matter, if that's what you had before).

    Re: Office default save path, are your 'My Documents' directories pointing at a UNC path rather than a mapped drive? Either way, as long as users lack the permissions to browse places they shouldn't be, it makes little difference where things point.

    Giles.

  3. #3
    mark

    Re: Office madness!!

    In the Office .adms, Tony, there's an option to set the documents folder - this changes the default to the drive letter like you want.

  4. #4

    GrumbleDook

    Re: Office madness!!

    You can always make the share hidden by calling them <sharename>$ ... this stops network browsing to them but then you have share permissions and NTFS permissions to prevent access.

  5. #5

    Gatt

    Re: Office madness!!

    I have a similar problem with Office 2003 (and an RM tech who came to install SuckAss Maker knows about it)

    Kiddie loads, e.g., Word, clicks on "Insert File.." and gets \\servername\homeshare$\yearxx\username\ as the path and NOT H:
    Kiddie is then able to browse anywhere within the UNC!! and has the rights to create files in other folders despite NTFS permissions saying he can't!

    My solution: hidden all the users' Home Folders (not the subfolders/files) so they cannot see them!

  6. #6

    localzuk

    Re: Office madness!!

    Hmm... I will have to look into setting up individual shares efficiently on our snap server then. Sigh, I knew getting a generic NAS box wasn't going to be as good as it sounded... :P

    Also, to Mark - I've searched the office .adm's high and low and can't find it!

  7. #7


    Re: Office madness!!

    Quote Originally Posted by Gatt
        Kiddie loads, e.g., Word, clicks on "Insert File.." and gets \\servername\homeshare$\yearxx\username\ as the path and NOT H:
        Kiddie is then able to browse anywhere within the UNC!! and has the rights to create files in other folders despite NTFS permissions saying he can't!

    NTFS perms clearly don't say he doesn't have rights if the user can create objects. If it's not immediately obvious, there's probably some kind of rights inheritance going on. Effective Permissions must still be that the user DOES have rights though even if it's not set directly.

    Quote Originally Posted by localzuk
        Hmm... I will have to look into setting up individual shares efficiently on our snap server then. Sigh, I knew getting a generic NAS box wasn't going to be as good as it sounded...

    You don't NEED to set up individual shares. Lots of people still do it that way, but since W2k onwards can map root to a full share path and not just the root of a share, there's no actual need to do it anymore. You just need to make sure your NTFS permissions ARE set per-user and that there's no inheritance of 'Everyone' (or equivalent) from a parent directory. It makes little difference whether the users see a complete UNC path as their home dir or just a drive as long as they can't browse more of the share than their own little directory.
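
An added example (not posted by anyone in the thread): a PowerShell audit for the advice in posts #2 and #7, listing every Allow entry on a pupil's home folder that belongs to someone other than that pupil, and whether it is inherited from a parent folder. It assumes the `<root>\<year>\<pupil>` layout from post #1 on a volume that exposes NTFS ACLs, that each folder is named after the account, and a placeholder domain `EXAMPLE`; the function name `Test-HomeFolderAcl` is made up for this example.

```powershell
# Added example: audit per-user home folders for grants to anyone but the folder's user.
# Assumptions (not from the thread): folder name == account name, layout <root>\<year>\<user>,
# 'EXAMPLE' is a placeholder NetBIOS domain name.
function Test-HomeFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Root,     # e.g. \\root\domain\files
        [string]   $Domain  = 'EXAMPLE',
        # Identities that are expected on every home folder besides the user
        [string[]] $Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    )
    # Broad groups that should never hold rights on an individual home folder
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users',
               'BUILTIN\Users', "$Domain\Domain Users")

    Get-ChildItem -Path $Root -Directory | ForEach-Object {
        Get-ChildItem -Path $_.FullName -Directory      # pupil folders under each year folder
    } | ForEach-Object {
        $folder = $_
        $user   = "$Domain\$($folder.Name)"
        $acl    = Get-Acl -Path $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($id -eq $user -or $Trusted -contains $id) { continue }
            # Anything reaching this point is a grant to a third party
            [pscustomobject]@{
                Folder             = $folder.FullName
                Identity           = $id
                Rights             = $ace.FileSystemRights
                Inherited          = $ace.IsInherited            # True: comes from a parent folder
                BroadGroup         = $broad -contains $id
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
    }
}

# Usage: list unexpected grants, broad groups first
# Test-HomeFolderAcl -Root '\\root\domain\files' -Domain 'EXAMPLE' |
#     Sort-Object BroadGroup -Descending | Format-Table -AutoSize
```

A row with `Inherited = True` points at the parent (year folder or share root) as the place to fix, which is the inheritance case described in post #7.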

  8. #8

    Gatt

    Re: Office madness!!

    @GeeDee .. will double check, but the only one that I can think of is SYSTEM.. cos they cannot create objects via any other application - they can't even get the UNC (which is a good thing)

    Only account I can think of off the top of my head is "SYSTEM"

  9. #9

    localzuk

    Re: Office madness!!

    Quote Originally Posted by GeeDee
        You don't NEED to set up individual shares. Lots of people still do it that way, but since W2k onwards can map root to a full share path and not just the root of a share, there's no actual need to do it anymore. You just need to make sure your NTFS permissions ARE set per-user and that there's no inheritance of 'Everyone' (or equivalent) from a parent directory. It makes little difference whether the users see a complete UNC path as their home dir or just a drive as long as they can't browse more of the share than their own little directory.

    The issue comes down to the shares being on a Snap server rather than a Windows box. This means the shares are not on NTFS drives so don't have NTFS permissions - but only the share security permissions. I think...

  10. #10

    GrumbleDook

    Re: Office madness!!

    In that case individual shares, use $ to stop them from being visible (but remember that they are still easy to guess) and ensure Share permissions are set up right.

  11. #11

    localzuk

    Re: Office madness!!

    I have now figured out how to use iSCSI and can use NTFS permissions properly. I will be able to work it out from here.
