windows server 2003 and folders

TheMSsForum.com: The Microsoft Software Forum

I have the following shared folders created:

\\<server>\FB Share
\\<server>\Users\<username>

What permissions should the above folders have in this domain environment?
Top

Re: windows server 2003 and folders by Steven

Steven
Tue Dec 27 23:09:37 CST 2005

It depends. You want to follow the principle of least privilege and it
depends on if you want administrators to also have full control access to a
users folder or not. The two links serve as guideline for redirected or home
folders and the assumption is that you don't want users to access each
others folders. Group Policy can also be configured to give administrators
full control to a user's roaming profile and redirected folders and you
would want to implement such before you start configuring the users
olders. --- Steve

http://support.microsoft.com/kb/274443
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/a1b7ce04-708b-4145-830a-cadfc003acd3.mspx

"shawn" <shawn@discussions.microsoft.com> wrote in message
news:16393F79-DF3E-4468-9DBA-5E978BEBE281@microsoft.com...
>I have the following shared folders created:
>
> \\<server>\FB Share
> \\<server>\Users\<username>
>
> What permissions should the above folders have in this domain environment?


Top

Re: windows server 2003 and folders by Ian

Ian
Wed Dec 28 02:51:02 CST 2005


My observations:

In contrast to Microsoft's notes I would advise you to add the server's
local Administrator (or whatever account is used for server console-logon)
the home-folder permissions. If you don't do so there may be difficulty in
backing-up the content, and difficulty in removing a home-folder after the
user has left.


Top

Re: windows server 2003 and folders by Roger

Roger
Thu Dec 29 08:38:11 CST 2005

A backup application that use the backup/restore APIs
should have no issues if Administrators have no permission.
After a user has left it is simple to take ownership granting
permissions and then remove the left over storage.

Not granting Administrators permissions is one means of
establishing (at least a semblance of) privacy for users'
storage, but it must be combined with other settings and
event monitoring.

"Ian" <Ian@discussions.microsoft.com> wrote in message
news:725FC6CA-B5A6-46B1-B929-934C37055A19@microsoft.com...
>
> My observations:
>
> In contrast to Microsoft's notes I would advise you to add the server's
> local Administrator (or whatever account is used for server console-logon)
> the home-folder permissions. If you don't do so there may be difficulty in
> backing-up the content, and difficulty in removing a home-folder after the
> user has left.
>
>


Top

Re: windows server 2003 and folders by Roger

Roger
Thu Dec 29 08:42:18 CST 2005

As was said, it depends on the intended usage.
I tend to advocate, as a general practice, not granting
Administrators higher than read (if that much). This is
in environment where control of Administrators members
is less than strong, where use of those accounts is excessive,
and possibly on more than a few well-tended machines.
In such an environment the potential for an account to be
used in presence of infection/malware dramatically increases,
so not granting network write access to published shares is
one means to limit accidental or malware driven change to
content of network share content.

"shawn" <shawn@discussions.microsoft.com> wrote in message
news:16393F79-DF3E-4468-9DBA-5E978BEBE281@microsoft.com...
>I have the following shared folders created:
>
> \\<server>\FB Share
> \\<server>\Users\<username>
>
> What permissions should the above folders have in this domain environment?


Top