+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 28
Windows Thread, Question about permissions on pupils home directories. in Technical; I have been in a school today and noticed the permissions on the user areas for the pupils. On the ...
  1. #1
    Kyle's Avatar
    Join Date
    Jan 2006
    Posts
    974
    Thank Post
    91
    Thanked 14 Times in 13 Posts
    Rep Power
    21

    Question about permissions on pupils home directories.

    I have been in a school today and noticed the permissions on the user areas for the pupils. On the individual pupils folders the y are 'Domain Admins' Full Control' and the 'user Full Control' I always thought that thee should be other NTFS permissions in here as well.

    Its one of those things when you start to question yourself and wonder which is the correct set up of permissions.

    Does anyone know what it should be or what Microsoft recommend?

  2. #2
    Quackers's Avatar
    Join Date
    Jan 2006
    Posts
    1,319
    Thank Post
    40
    Thanked 142 Times in 117 Posts
    Rep Power
    53

    Re: Question about permissions on pupils home directories.

    I think its what ever you need. I have

    System - Full Control
    User - Full Control
    Domain Admins Full Control
    Staff - Full Control (Not a personal favorite, but it was a requested feature when we changed network 3 years ago, i'm here to serve, not dictate)

  3. #3

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,593
    Thank Post
    109
    Thanked 764 Times in 595 Posts
    Rep Power
    181

    Re: Question about permissions on pupils home directories.

    i limit staff to read only so that 'accidents' are minimised and no accusations of cheating can be made.

  4. Thanks to Ric_ from:

    john (23rd August 2009)

  5. #4
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    5,002
    Thank Post
    120
    Thanked 282 Times in 260 Posts
    Rep Power
    108

    Re: Question about permissions on pupils home directories.

    I give users modify permission.

  6. #5
    tosca925's Avatar
    Join Date
    Aug 2005
    Location
    Midlands
    Posts
    1,547
    Thank Post
    4
    Thanked 4 Times in 4 Posts
    Rep Power
    22

    Re: Question about permissions on pupils home directories.

    I give users modify permission

    Any reason this instead of full control?

  7. #6
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    5,002
    Thank Post
    120
    Thanked 282 Times in 260 Posts
    Rep Power
    108

    Re: Question about permissions on pupils home directories.

    They dont need full permission for their folders to save work and such. It just tightens up the security slightly but not much. There is other stuff you can do with speacial permisions but I have never dabbled and probably never will with regards to home directories.

  8. #7
    tosca925's Avatar
    Join Date
    Aug 2005
    Location
    Midlands
    Posts
    1,547
    Thank Post
    4
    Thanked 4 Times in 4 Posts
    Rep Power
    22

    Re: Question about permissions on pupils home directories.

    Jut out of interest, do you use roaming profiles for staff? If you do what permissons do you set on those?

  9. #8
    Quackers's Avatar
    Join Date
    Jan 2006
    Posts
    1,319
    Thank Post
    40
    Thanked 142 Times in 117 Posts
    Rep Power
    53

    Re: Question about permissions on pupils home directories.

    Quote Originally Posted by tosca925
    I give users modify permission

    Any reason this instead of full control?
    Windows Server gives the user full control when you set the homedirectory path in Active Directory.

  10. #9
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    5,002
    Thank Post
    120
    Thanked 282 Times in 260 Posts
    Rep Power
    108

    Re: Question about permissions on pupils home directories.

    Quote Originally Posted by Quackers
    Quote Originally Posted by tosca925
    I give users modify permission

    Any reason this instead of full control?
    Windows Server gives the user full control when you set the homedirectory path in Active Directory.
    My user directory permissions get changed when the user is created at the beginning of the year by my script.

  11. #10
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: Question about permissions on pupils home directories.

    The difference between 'modify' and 'full control' is as follows;

    modify = create, read, write, delete
    full control = (all of modify) and change permissions on the object

    When a user creates a file/folder they are automatically the owner and they therefore have full control over it anyway.

  12. #11
    tosca925's Avatar
    Join Date
    Aug 2005
    Location
    Midlands
    Posts
    1,547
    Thank Post
    4
    Thanked 4 Times in 4 Posts
    Rep Power
    22

    Re: Question about permissions on pupils home directories.

    My user directory permissions get changed when the user is created at the beginning of the year by my script.
    Exactly as we do it as well.

  13. #12

    Join Date
    Jan 2007
    Location
    Birmingham
    Posts
    80
    Thank Post
    1
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: Question about permissions on pupils home directories.

    NEVER give students full control over directories - Full Control includes change permission - before you know it friends will be sharing their home directories for games etc and you - the humble admin will be locked out.

    IMHO permissions on users home directories should be:

    Student - Modify (Files and Folders)
    Tech Support - Full Control (Inherited from parent folder)
    Teaching Staff - Modify (Inherited from parent folder)
    Administrator - Full Control (Inherited from parent folder)

    This can be done using a combination of windows scripting and the CACLS command rather than by hand.

  14. #13
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: Question about permissions on pupils home directories.

    As I said though. When a student creates a new file, they become the owner of it. This automatically gives them full control on the file, ragardless of the permissions on the folder.

    To my knowledge, the only way to prevent this behaviour is by restricting the permissions on the share. This can cause problems with folder redirection however.

  15. #14

    Join Date
    Jan 2007
    Location
    Birmingham
    Posts
    80
    Thank Post
    1
    Thanked 1 Time in 1 Post
    Rep Power
    0

    Re: Question about permissions on pupils home directories.

    Quote Originally Posted by ajbritton
    As I said though. When a student creates a new file, they become the owner of it. This automatically gives them full control on the file, ragardless of the permissions on the folder.

    To my knowledge, the only way to prevent this behaviour is by restricting the permissions on the share. This can cause problems with folder redirection however.
    Actually - being the owner of the file is not the same as having full control.
    The rule is that the file will inherit the permissions of its parent directory.

    Being the owner means that you are granted change permissions permission (try saying that after 12 pints), but unless the user then makes use of that they will still only effectively have modify permission and unless they remove inheritence or explicitly deny you permission you will still have access.

    A script to audit access denied run overnight is sufficient to pick these up.

  16. #15
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: Question about permissions on pupils home directories.

    Quote Originally Posted by adent
    Quote Originally Posted by ajbritton
    As I said though. When a student creates a new file, they become the owner of it. This automatically gives them full control on the file, ragardless of the permissions on the folder.

    To my knowledge, the only way to prevent this behaviour is by restricting the permissions on the share. This can cause problems with folder redirection however.
    Actually - being the owner of the file is not the same as having full control.
    The rule is that the file will inherit the permissions of its parent directory.

    Being the owner means that you are granted change permissions permission (try saying that after 12 pints), but unless the user then makes use of that they will still only effectively have modify permission and unless they remove inheritence or explicitly deny you permission you will still have access.

    A script to audit access denied run overnight is sufficient to pick these up.
    I take your point, but in essence, if you create a file, there is nothing to prevent you from having full control over it. I know of at least one school where this was discovered by students and exploited. It helps to remove the security tab, remove CACLS and use Software Restriction Policies to ensure students cannot execute any code that you have not sanctioned.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. SharePoint Server 2003 Home Directories
    By plock in forum Virtual Learning Platforms
    Replies: 0
    Last Post: 10th December 2007, 09:32 AM
  2. Replies: 2
    Last Post: 6th October 2007, 09:46 AM
  3. Home Directories on Moodle
    By apeo in forum Virtual Learning Platforms
    Replies: 4
    Last Post: 13th June 2007, 11:20 AM
  4. Replies: 2
    Last Post: 27th April 2007, 06:41 AM
  5. Replies: 9
    Last Post: 16th June 2006, 09:28 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •