2015-03-03 06:50 AM - last edited on 2015-03-03 07:44 AM by alissa
How to avoid the full permission of "Everyone" inherit to all home directory folder after creation?
Thanks in advance
Solved! SEE THE SOLUTION
2015-03-04 08:08 PM
As the "Everyone" security principal is inheriting full control permissions to all subfolders in the volume (user home directories) this implies that you have not modifed the default permissions that are applied when an NTFS volume is created. I'd recommend you fix this by either creating a Active Directory group for Data administrators and applying full control permissions to that group at volume root.
For example when creating a new volume (before presenting it to users) you should set the permissions and remove everyone:
icacls.exe "\\vserver1\volume1$" /Grant "BUILTIN\Administrators"CI)(OI)F
icacls.exe "\\vserver1\volume1$" /Grant "TESTLAB\NetAppDataAdmins"CI)(OI)F
icacls.exe "\\vserver1\volume1$" /remove Everyone
Also when you create user home directories you will need to explicitly set permissions to grant the user access.
icacls.exe "\\vserver1\users$\user1" /Grant "TESTLAB\user1"CI)(OI)M
In your case as the volume is in use with the default permissions you will need to run the commands in a specific order to prevent an outage. first add permissions to your administrators groups (wait for that to finish). Once complete set explicit permissions on any qtree's and users home directories (wait for that to complete). Finally remove the permissions to everyone from the root of the volume.
Hope that helps.
Note: if you'd prefer to automate it and not use a command line then you can use .NET class "System.Security.AccessControl.FileSystemAccessRule"
2015-03-06 02:38 AM
2015-03-08 06:05 PM
It's sounds like you've removed "Everyone" from the permissions? Do you have permissions to view the ACL? If not then you will need to take ownership of the data before you can modify the ACL