Can't write to folder even though Active Directory effective permissions shows full control


(OP)
Running Windows Server 2008 with about 50 users. I'm trying to move a few user "personal folders" to a different physical disk. The folder structure in both drives is the same:
<top level>\...\Users\<userID>.
In the current drive (D:) the Users folder has these explicit permissions: Traverse folder, List Folder, Read attributes, Read extended attributes. That allows users to open documents in other users' folders. Not good.
In the new drive (F:) I set up the Users folder to have explicit permissions of Traverse Folder only. In both cases, the individual's folder has inherited permissions, plus explicit "full control" for their own <userID> folder.

My desire is that if a user maps the parent "Users" folder, they not see anything, or even get "Access denied". But when I map their personal folder directly using UNC, they have full control and can create and delete files and folders in their <userID> folder.

Even though Active Directory effective permissions shows full control for a user in their personal folder, they can't create or save a file, and can't open their Outlook archive.pst.

If I have to, I'll give the Read Data permission to the parent "Users" folder but I'd rather not. So how do I configure Active Directory permissions to allow a user full control in their own <UserID> folder and at the same time no permissions at all in the "Users" folder or at least other users' <UserID> folder?

Also, I should add that the Users folder is referenced using an NT share called "Users$" which has permissions of "Full Control" for the Active Directory group that includes all users.

Thanks for any help.




Mike Krausnick
Dublin, California

RE: Can't write to folder even though Active Directory effective permissions shows full control

(OP)
I discovered the solution to my issue, in case anyone else has the same problem. I had set the NT permissions in the new USERS$ share on F: to "Read Only" whereas the USERS$ share on D: had "full control" permission. So once I gave the USERS$ share on F: full control permission, individual users are able to create and modify files in their <UserID> folders.

Regarding the concern about users being able to read other users' documents, I set the AD permissions on the new USERS folder to be the same as the original USERS folder, and set the security for the new USERS folder to "Apply to this folder only", rather than "This folder, subfolder and files". Now my users can't map or view the contents of other users' folders. Unfortunately, they can still map to the USERS parent folder and see the list of folders in it, which I would prefer them not to, but at least there's no data security issue.

Mike Krausnick
Dublin, California
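
Added example (not part of the original posts): a simplified Python model of the two settings this thread turns on, the share ACL capping the NTFS ACL and the "This folder only" inheritance scope. The Effective Permissions tab evaluates only the NTFS ACL, which is why it can report full control while writes through a read-only share fail. Trustee names and the scenario are constructed, and deny ACEs and owner rights are not modelled.

```python
# Added example: simplified model, allow ACEs only (no deny ACEs, no owner rights).
# Mask values are the standard Windows file access rights.
READ_DATA, WRITE_DATA, APPEND_DATA = 0x1, 0x2, 0x4  # folder: list / add file / add subfolder
READ_EA, TRAVERSE, READ_ATTR = 0x8, 0x20, 0x80
FULL_CONTROL = 0x1F01FF   # FILE_ALL_ACCESS; also share-level "Full Control"
SHARE_READ = 0x1200A9     # share-level "Read"

def ntfs_access(groups, parent_acl, folder_acl):
    """NTFS rights on a folder: its own ACEs plus parent ACEs flagged to inherit."""
    mask = 0
    for trustee, rights, inherits in parent_acl:
        if inherits and trustee in groups:
            mask |= rights
    for trustee, rights, _ in folder_acl:
        if trustee in groups:
            mask |= rights
    return mask

def via_share(groups, share_acl, ntfs_mask):
    """Over SMB, a right must be granted by both the share ACL and the NTFS ACL."""
    share_mask = 0
    for trustee, rights in share_acl:
        if trustee in groups:
            share_mask |= rights
    return share_mask & ntfs_mask

def can_write(mask):
    return mask & (WRITE_DATA | APPEND_DATA) == (WRITE_DATA | APPEND_DATA)

def can_list(mask):
    return bool(mask & READ_DATA)

# Constructed scenario; all trustee names are placeholders.
ALICE, BOB = {"alice", "AllUsers"}, {"bob", "AllUsers"}
PARENT_RIGHTS = TRAVERSE | READ_DATA | READ_ATTR | READ_EA
USERS_INHERITING = [("AllUsers", PARENT_RIGHTS, True)]   # "This folder, subfolders and files"
USERS_THIS_ONLY = [("AllUsers", PARENT_RIGHTS, False)]   # "This folder only"
ALICE_DIR = [("alice", FULL_CONTROL, False)]
SHARE_RO = [("AllUsers", SHARE_READ)]
SHARE_FC = [("AllUsers", FULL_CONTROL)]

if __name__ == "__main__":
    own = ntfs_access(ALICE, USERS_THIS_ONLY, ALICE_DIR)
    print("NTFS alone, owner can write:      ", can_write(own))
    print("via read-only share, can write:   ", can_write(via_share(ALICE, SHARE_RO, own)))
    print("via full-control share, can write:", can_write(via_share(ALICE, SHARE_FC, own)))
    for label, acl in (("inheriting", USERS_INHERITING), ("this folder only", USERS_THIS_ONLY)):
        other = via_share(BOB, SHARE_FC, ntfs_access(BOB, acl, ALICE_DIR))
        print(f"other user lists folder ({label}):", can_list(other))
    parent = via_share(BOB, SHARE_FC, ntfs_access(BOB, [], USERS_THIS_ONLY))
    print("any user lists the Users parent:  ", can_list(parent))
```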
