Homedirs - NTFS permissions


Radovan Vojtek

Hi all,

is there any recommended ACL setting for user homedirs?

I'd like to do the following:

- users are owners of their homedirs (we use owner-based quotas)
- users cannot change permissions of their homedirs

Is that possible?

However, ownership seems to override even "deny change permissions" ACL. Is
there any other way to deny access for the user to the other homedirs?

Thanks,
--
R.V.
 
"Radovan Vojtek" <RadovanVojtek@discussions.microsoft.com> wrote in message
news:2BF26AAB-6C5A-4EC9-86B5-8E27F13A5B72@microsoft.com...
> Hi all,
>
> is there any recommended ACL setting for user homedirs?
>


I believe it is a grant of Full Control for the account, optionally
also a grant to Administrators, and nothing else.

> I'd like to do the following:
>
> - users are owners of their homedirs (we use owner-based quotas)
> - users cannot change permissions of their homedirs
>
> Is that possible?
>


No, not directly on any Windows client OS released to date.
There is one workaround that may sometimes be of use.
Since share level permissions set the upper bound on what may
be used of the NTFS permissions when access is via a share,
if an account has Full at NTFS level but the share level permissions
are only Change, then it is not possible to use the ability to change
permissions when the access is via the share.


> However, ownership seems to override even "deny change permissions" ACL.


That is correct, it does do so.


> Is there any other way to deny access for the user to the other homedirs?
>

Not sure what this asks, "other homedirs"? Just do not give
the account any grant on the other homedirs, only on their own.
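
The layout described in the reply above, as an added example that is not part of the original thread: Full Control at NTFS level for the account (plus Administrators), the user as owner, and a share capped at Change, followed by a check that flags any other owner or grant. The account, path and share names are hypothetical; it assumes an elevated session on the file server and the SMB cmdlets of Windows 8 / Server 2012 or later.

```powershell
# Added example. Hypothetical names: CONTOSO\jdoe, D:\Home, Home$.
$User      = 'CONTOSO\jdoe'
$HomeRoot  = 'D:\Home'
$ShareName = 'Home$'
$HomeDir   = Join-Path $HomeRoot ($User.Split('\')[-1])

New-Item -ItemType Directory -Path $HomeDir -Force | Out-Null

# NTFS: drop inherited ACEs, then grant Full Control to the account and
# (optionally) Administrators, and nothing else.
icacls $HomeDir /inheritance:r /grant:r "${User}:(OI)(CI)F" 'BUILTIN\Administrators:(OI)(CI)F'

# The user owns the folder, so owner-based quotas charge the right account.
icacls $HomeDir /setowner $User

# Share: Change for users caps what Full Control at NTFS level can do over
# SMB, so permissions cannot be edited through the share.
# The root folder's own ACL must still let users traverse to their folder.
New-SmbShare -Name $ShareName -Path $HomeRoot `
    -ChangeAccess 'Authenticated Users' -FullAccess 'BUILTIN\Administrators'

# Check: report a homedir whose owner or DACL differs from the layout above.
function Test-HomeDirAcl {
    param([string]$Path, [string]$ExpectedUser)
    $acl     = Get-Acl -Path $Path
    $allowed = @($ExpectedUser, 'BUILTIN\Administrators')
    $extra   = $acl.Access |
        Where-Object { $allowed -notcontains $_.IdentityReference.Value }
    [pscustomobject]@{
        Path           = $Path
        OwnerIsUser    = ($acl.Owner -eq $ExpectedUser)
        InheritanceOff = $acl.AreAccessRulesProtected
        UnexpectedAces = @($extra | ForEach-Object {
            "$($_.IdentityReference) $($_.FileSystemRights)" })
    }
}

Test-HomeDirAcl -Path $HomeDir -ExpectedUser $User
```

Run over every folder under the root, a false OwnerIsUser or a non-empty UnexpectedAces list points at a homedir that some other account can reach.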
 
Ownership is a very descriptive name. Owner is the one who can reset any ACL.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

 
Hello Svyatoslav,

Thank you for your reply!
Do you think there is any way to block users from accessing "foreign" homedirs?

Thanks,
--
R.V.


 
Not under your model, no...

 
What precisely do you mean by "foreign" homedirs?
Normally an account has access to their own homedir and
no access to another's homedir.

Roger

 
I think the users have ownership over other users' home directories. At
least this is how I read the last question.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:OczQ$URrIHA.3940@TK2MSFTNGP03.phx.gbl...
> What precisely do you mean by "foreign" homedirs?
> Normally an account has access to their own homedir and
> no access to another's homedir.
>
> Roger
 
Hi Slav,

While that might be, it would of course be highly unusual.
I just cannot answer poster until I do know what the issue
actually is, i.e. this access to foreign thing.

Roger

 