Office madness!!

[localzuk]

Right, so I am now re-setting up our network after having a little bit of a chatastrophic failure. I took the opportunity to make a change so that we don't have to have a share for every single pupil in the school as it is a long winded process.

Instead, I now have a DFS root with a link to a share on a nas box eg:

\\root\domain\files

and then under that link I have folders for each year and then a folder for each pupil.

In the Active Directory I have mapped the home drive to W: which points directly at that person's folder (ie \\root\domain\files\03\pupilname).

I have a variety of options enabled in the group policy which disables the display of anything in My Network Places (and this itself is not displayed to the pupil on the desktop or in my computer).

Now, the problem arises in Office. When a user goes to open a file, their home folder is listed under the network path in the drop down box at the top, rather than the W: drive. This means that they can select the folder on each level above their own, and are able to navigate to any share...

Is there any way of getting rid of that box? or at least making it not show My Network Places?

Cheers
Tony

[GeeDee]

If anyone is able to browse to anyones home diretory; however they do it; that is your problem.

Any changes you make to network browsing, drive browsing etc via Group Policy are purely cosmetic. There's nothing to stop anyone from just browsing the network via a UNC path from the common open dialog for example, group policy isnt designed to provide security - just interface restrictions.

You need to make sure that however you structure the physical directory layout for home directories, each user only has security permissions to view their own directory. It's easy enough to incorporate this into your user creation process (as is creating individual shares for that matter, if that's what you had before).

Re: Office default save path, are your 'My Documents' directories pointing at a UNC path rather then a mapped drive? Either way, as long as users lack the permissions to browse places they shouldn't be, it makes little difference where things point.

Giles.

[mark]

In the office .adms Tony there's an option to set the documents folder - this changes the default to the drive letter like you want.

[GrumbleDook]

You can always make the share hidden by calling them <sharename>$ ... this stops network browsing to them but then you have share permissions and NTFS permissions to prevent access.

[Gatt]

I have a similar problem with Office 2003 (and an RM tech who came to install SuckAss Maker knows about it)

Kiddie loads, eg, Word, Clicks on "Insert File.." and gets \\servername\homeshare$\yearxx\username\ as the path and NOT H:
Kiddie is then able to browse anywhere within the UNC!! and has the rights to create files in other folders despite NTFS permissions saying he cant!

My Solution: hidden all the users Home Folders (not the subfolders/files) so they cannot see them!

[localzuk]

Hmm... I will have to look into setting up individual shares efficiently on our snap server then. Sigh, I knew getting a generic NAS box wasn't going to be as good as it sounded... :P

Also, to Mark - I've searched the office .adm's high and low and can't find it!

[GeeDee]

IKiddie loads, eg, Word, Clicks on "Insert File.." and gets \\servername\homeshare$\yearxx\username\ as the path and NOT H:
Kiddie is then able to browse anywhere within the UNC!! and has the rights to create files in other folders despite NTFS permissions saying he cant!

NTFS perms clearly don't say he doesn't have rights if the user can create objects. If it's not immediately obvious, there's probably some kind of rights inheritance going on. Effective Permissions must still be that the user DOES have rights though even if it's not set directly.

Hmm... I will have to look into setting up individual shares efficiently on our snap server then. Sigh, I knew getting a generic NAS box wasn't going to be as good as it sounded...

You don't NEED to set up individual shares. Lots of people still do it that way, but since W2k onwards can map root to a full share path and not just the root of a share, there's no actual need to do it anymore. You just need to make sure your NTFS permissions ARE set per-user and that there's no inheritance of 'Everyone' (or equivalent) from a parent directory. It makes little different whether the users see a complete UNC path as their home dir or just a drive as long as they can't browse more of the share than their own little directory.

[Gatt]

@GeeDee .. will double check, but theonly one that i can think of is SYSTEM.. cos they cannot create objects via any other application - they cant even get the UNC (which is a good thing)

Only account i can think of off the top of my head is "SYSTEM"

[localzuk]

You don't NEED to set up individual shares. Lots of people still do it that way, but since W2k onwards can map root to a full share path and not just the root of a share, there's no actual need to do it anymore. You just need to make sure your NTFS permissions ARE set per-user and that there's no inheritance of 'Everyone' (or equivalent) from a parent directory. It makes little different whether the users see a complete UNC path as their home dir or just a drive as long as they can't browse more of the share than their own little directory.

The issue comes down to the shares being on a Snap server rather than a windows box. This means the shares are not on NTFS drives so don't have NTFS permissions - but only the share security permissions. I think...

[GrumbleDook]

In that case individual shares, use $ to stop them from being visible (but remember that they are still easy to guess) and ensure Share permissions are set up right.

[localzuk]

I have now figured out how to use iSCSI and can use NTFS permissions properly. I will be able to work it out from here.