Question about permissions on pupils home directories.

[Kyle]

I have been in a school today and noticed the permissions on the user areas for the pupils. On the individual pupils folders the y are 'Domain Admins' Full Control' and the 'user Full Control' I always thought that thee should be other NTFS permissions in here as well.

Its one of those things when you start to question yourself and wonder which is the correct set up of permissions.

Does anyone know what it should be or what Microsoft recommend?

[Quackers]

I think its what ever you need. I have

System - Full Control
User - Full Control
Domain Admins Full Control
Staff - Full Control (Not a personal favorite, but it was a requested feature when we changed network 3 years ago, i'm here to serve, not dictate)

[Ric_]

i limit staff to read only so that 'accidents' are minimised and no accusations of cheating can be made.

[ChrisH]

I give users modify permission.

[tosca925]

I give users modify permission

Any reason this instead of full control?

[ChrisH]

They dont need full permission for their folders to save work and such. It just tightens up the security slightly but not much. There is other stuff you can do with speacial permisions but I have never dabbled and probably never will with regards to home directories.

[tosca925]

Jut out of interest, do you use roaming profiles for staff? If you do what permissons do you set on those?

[Quackers]

I give users modify permission

Any reason this instead of full control?

Windows Server gives the user full control when you set the homedirectory path in Active Directory.

[ChrisH]

I give users modify permission

Any reason this instead of full control?

Windows Server gives the user full control when you set the homedirectory path in Active Directory.

My user directory permissions get changed when the user is created at the beginning of the year by my script.

[ajbritton]

The difference between 'modify' and 'full control' is as follows;

modify = create, read, write, delete
full control = (all of modify) and change permissions on the object

When a user creates a file/folder they are automatically the owner and they therefore have full control over it anyway.

[tosca925]

My user directory permissions get changed when the user is created at the beginning of the year by my script.

Exactly as we do it as well.

[adent]

NEVER give students full control over directories - Full Control includes change permission - before you know it friends will be sharing their home directories for games etc and you - the humble admin will be locked out.

IMHO permissions on users home directories should be:

Student - Modify (Files and Folders)
Tech Support - Full Control (Inherited from parent folder)
Teaching Staff - Modify (Inherited from parent folder)
Administrator - Full Control (Inherited from parent folder)

This can be done using a combination of windows scripting and the CACLS command rather than by hand.

[ajbritton]

As I said though. When a student creates a new file, they become the owner of it. This automatically gives them full control on the file, ragardless of the permissions on the folder.

To my knowledge, the only way to prevent this behaviour is by restricting the permissions on the share. This can cause problems with folder redirection however.

[adent]

As I said though. When a student creates a new file, they become the owner of it. This automatically gives them full control on the file, ragardless of the permissions on the folder.

To my knowledge, the only way to prevent this behaviour is by restricting the permissions on the share. This can cause problems with folder redirection however.

Actually - being the owner of the file is not the same as having full control.
The rule is that the file will inherit the permissions of its parent directory.

Being the owner means that you are granted change permissions permission (try saying that after 12 pints), but unless the user then makes use of that they will still only effectively have modify permission and unless they remove inheritence or explicitly deny you permission you will still have access.

A script to audit access denied run overnight is sufficient to pick these up.

[ajbritton]

As I said though. When a student creates a new file, they become the owner of it. This automatically gives them full control on the file, ragardless of the permissions on the folder.

To my knowledge, the only way to prevent this behaviour is by restricting the permissions on the share. This can cause problems with folder redirection however.

Actually - being the owner of the file is not the same as having full control.
The rule is that the file will inherit the permissions of its parent directory.

Being the owner means that you are granted change permissions permission (try saying that after 12 pints), but unless the user then makes use of that they will still only effectively have modify permission and unless they remove inheritence or explicitly deny you permission you will still have access.

A script to audit access denied run overnight is sufficient to pick these up.

I take your point, but in essence, if you create a file, there is nothing to prevent you from having full control over it. I know of at least one school where this was discovered by students and exploited. It helps to remove the security tab, remove CACLS and use Software Restriction Policies to ensure students cannot execute any code that you have not sanctioned.