#1
The Last High
Joined: December 2001
Location: London
Posts: 18,506
Blog Entries: 51
Reputation: 3652
Power: 346
The folder is shared as profiles$ with Everyone full control on the share. Permissions on that folder are then set as "Users" full control of that folder, SYSTEM (is this needed?), <localmachine>\Administrators have full control of that folder and subdirectories and files, and CREATOR OWNER has full control of subfolders and files only... is this a good way to go? I know Administrators should generally have full access, but do we have too much power? Same goes for documents: in AD Users and Computers we map a drive to a network share with similar permissions - there is nothing to stop us checking out directors' documents - it doesn't feel right? But if we stop Administrators being able to check these folders then it makes it hard for us to manage them; it just seems very bad for security, even though I am very used to locking my console even if I turn away. How do you guys have yours set up?
#2
Bow Down to the King
Joined: April 2002
Location: New York
Posts: 13,312
Reputation: 4090
Power: 294
I don't use roaming profiles. However, I have home directories for each user that are mapped as their My Documents folder at login.
The shares are stored on one of my data stores as Home Directories\username$. I have given the following groups and/or users permissions: Administrators (Full Control), Domain Admins (Full Control), User (Full Control). I don't have to worry about other admins abusing their access to these private directories because I am the only admin. So this works well for me.
#3
█▄█ ▀█▄ █
Joined: April 2005
Location: Massachusetts
Posts: 16,949
Reputation: 4941
Power: 302
Well, although I'm only a Sys Admin in training, I'll add my .02.
I have my machine set up with a RAID+1, as redundancy is more important than performance gain in this particular setup. (I know this wasn't the question, but I'll get there.) I have my C: with only OS-related features, applications etc. The D: partition is where I have WSUS files, shares, etc. My profiles are on D:\profiles\%username\
As far as security goes, Domain Admins have Full Control, and the "Everyone" group has Read only. This is on the share level. I have Domain Admins have Full Control mostly in case we have employee turnover and I want to be able to take ownership if people have encrypted their files, and at the same time I don't want others to have that ability.
On the NTFS level, I have it configured as follows:
Administrators: Full Control
Creator Owner: Special Permissions
Everyone: all boxes checked except for Full Control
SYSTEM: Full Control
Users: Read Only
This might seem like a "loose" setup, but I am very stingy with group memberships. I don't give anyone Domain Local accounts who doesn't require them. I tend to follow the grouping local to the computer, which works out nicely and makes it easier for me to control access to files/folders. As I said, I'm still learning, 2 down out of 7 for my MCSE, so if this is WRONG or doesn't make sense, I apologize.
#4
OSNN Veteran Addict
Joined: July 2004
Location: Montreal
Posts: 1,721
Reputation: 1040
Power: 120
EP: short answer is yes. SYSTEM needs full control of 'everytang', as my Irish friend intones to me every day. SYSTEM is used by Windows, and most of your applications.
http://support.microsoft.com/default...b;en-us;304040
KC - could you clarify this? "As far as security goes, Domain Admins have Full Control, and the "Everyone" Group has Read only. This is on the Share level." Not much sharing going on there... or am I missing something? No one can add / edit / remove files except for the Gods. I just set quotas on the shares, and back them up at night so when they decide to mess up / corrupt their Office files and such, they get yesterday's copy...
#5
The Last High
Joined: December 2001
Location: London
Posts: 18,506
Blog Entries: 51
Reputation: 3652
Power: 346
Yeah, was hoping so, as I tend to put SYSTEM in - only thinking that I needed it.
Madmatt: afaik, by default, Domain Admins are always a member of the local Administrators group (only gets messy if you need to use a DC as a file server in a small WAN subnet, from my experience). Basically the way I have my permissions set, the actual user parent folder /users/ has permissions of Administrators, System, Users, and this then propagates its permissions to the %username% folders with Administrators, System, %Username%. Works nicely, or it would if every time you changed this drive and AD Users & Computers automatically creates this folder, it didn't take off inheritance, create its own permissions (without SYSTEM, otherwise pretty good) and make the folder owner Administrators... Because the folder owner is not the user, it does not allow us to have that UNC path redirect as their My Documents. Damn pain really - but fortunately Windows 2003 lets you change ownership of a folder to anyone else.
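The per-user folder layout described in this thread (parent folder granting Administrators, SYSTEM and Users; each %username% folder granting only Administrators, SYSTEM and that user, with inheritance cut and the user as owner so the My Documents redirect accepts the path) can be built and audited with a short PowerShell script. The following is an added example, not code from any poster or from Microsoft; the profile root path, the domain name and the function names are assumptions, and it must run elevated on the file server because setting another account as owner needs the restore privilege.

```powershell
# Added example (not from the thread). Builds the per-user profile folder ACL
# described above and audits existing folders for drift from it.
# Assumptions: $ProfileRoot and $Domain are placeholders for your environment.
$ProfileRoot = 'D:\profiles'   # assumed share root
$Domain      = 'EXAMPLE'       # assumed NetBIOS domain name

$ExpectedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function New-UserProfileAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $UserName
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path

    # Cut inheritance and discard inherited ACEs so the parent's "Users" entry
    # (which would let every user read every profile) does not flow in.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    foreach ($principal in ($ExpectedPrincipals + "$Domain\$UserName")) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, $full, $inherit, $prop, $allow)
        $acl.AddAccessRule($rule)
    }

    # AD Users & Computers leaves Administrators as owner; make the user the
    # owner so folder redirection accepts the UNC path.
    $acl.SetOwner([System.Security.Principal.NTAccount] "$Domain\$UserName")
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-UserProfileAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $UserName
    )
    $acl      = Get-Acl -LiteralPath $Path
    $allowed  = $ExpectedPrincipals + "$Domain\$UserName"
    $findings = @()

    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $id) {
            $findings += "unexpected principal '$id' has $($ace.FileSystemRights)"
        }
    }
    foreach ($required in $allowed) {
        if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $required })) {
            $findings += "required principal '$required' is missing (SYSTEM is the usual casualty)"
        }
    }
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'inheritance still enabled; parent ACEs such as Users will flow in'
    }
    if ($acl.Owner -ne "$Domain\$UserName") {
        $findings += "owner is '$($acl.Owner)', not the user; My Documents redirect will reject the path"
    }

    [pscustomobject]@{
        Path      = $Path
        User      = $UserName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage: build one folder, then audit every folder under the root against its
# folder name and list only the ones that drifted.
# New-UserProfileAcl -Path (Join-Path $ProfileRoot 'jdoe') -UserName 'jdoe'
# Get-ChildItem -LiteralPath $ProfileRoot -Directory |
#     ForEach-Object { Test-UserProfileAcl -Path $_.FullName -UserName $_.Name } |
#     Where-Object { -not $_.Compliant }
```

The audit deliberately treats any Allow entry outside the three expected principals as a finding, which is how you catch the "Everyone" and "Users" entries that leak in when a folder is created by hand or by AD Users & Computers with inheritance intact; run it on a schedule and the per-profile permissions stop drifting silently.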
#6
The Last High
Joined: December 2001
Location: London
Posts: 18,506
Blog Entries: 51
Reputation: 3652
Power: 346
http://www.microsoft.com/technet/pro...24af77655.mspx
Has the same config, though they also have the Everyone group with no permissions, so I guess it may as well not be there at all.
#7
OSNN Veteran Addict
Joined: July 2004
Location: Montreal
Posts: 1,721
Reputation: 1040
Power: 120
Nice little read, that doc, EP...
"SMB signing imposes a performance penalty even though it does not consume any more network bandwidth; it does use more CPU cycles on the client and server." I wonder how big a hit? With the speeds we have now... I'm guessing it's negligible unless we are dealing with a monster file server...
#8
The Last High
Joined: December 2001
Location: London
Posts: 18,506
Blog Entries: 51
Reputation: 3652
Power: 346
Yeah, will be negligible I think, as it will only check permissions on the object the user is trying to access rather than all of them.
i.e. you might have access to open a folder so can do so, but you might not have access to some of the files.
#9
█▄█ ▀█▄ █
Joined: April 2005
Location: Massachusetts
Posts: 16,949
Reputation: 4941
Power: 302
Originally Posted by Electronic Punk
Actually, that's not true. Domain Admins have administrative access and rights to a local PC on the domain, but they are not a member of the local Administrators group. I ran into a problem with Automatic Updates, and discovered, through MadMatt's guidance, that I needed to add the users to either the Power Users group or Local Admins. See the thread...
http://forum.osnn.net/showthread.php?t=78761
#10
The Last High
Joined: December 2001
Location: London
Posts: 18,506
Blog Entries: 51
Reputation: 3652
Power: 346
Ours must do it somewhere in group policy then.
#11
In the beginning......
Joined: September 2002
Location: Norfolk, UK
Posts: 3,480
Reputation: 1370
Power: 162
I think our roaming profiles directories are shared as "user_name"$, with full permissions given to that user and domain administrators.
Originally Posted by kcnychief
Yeah, pain really, as a "local administrator" has been set up on each PC.