
CIFS Home directory full permission "Everyone"


Hi,

 

How can I prevent the "Everyone" full permission from being inherited by all home directory folders after creation?

 

Thanks in advance

 

Best Regards,

Tony

Re: CIFS Home directory full permission "Everyone"

Hi,

 

As the "Everyone" security principal is inheriting full control permissions to all subfolders in the volume (user home directories), this implies that you have not modified the default permissions that are applied when an NTFS volume is created. I'd recommend you fix this by either creating an Active Directory group for Data administrators and applying full control permissions to that group at volume root.

 

For example when creating a new volume (before presenting it to users) you should set the permissions and remove everyone:

 

icacls.exe "\\vserver1\volume1$" /Grant "BUILTIN\Administrators":(CI)(OI)F
icacls.exe "\\vserver1\volume1$" /Grant "TESTLAB\NetAppDataAdmins":(CI)(OI)F
icacls.exe "\\vserver1\volume1$" /remove Everyone

 

Also when you create user home directories you will need to explicitly set permissions to grant the user access.

 

For example:

 

icacls.exe "\\vserver1\users$\user1" /Grant "TESTLAB\user1":(CI)(OI)M

 

In your case, as the volume is in use with the default permissions, you will need to run the commands in a specific order to prevent an outage. First add permissions to your administrators groups (wait for that to finish). Once complete, set explicit permissions on any qtrees and users' home directories (wait for that to complete). Finally remove the permissions to everyone from the root of the volume.

 

Hope that helps.

 

/matt

 

Note: if you'd prefer to automate it and not use a command line then you can use .NET class "System.Security.AccessControl.FileSystemAccessRule"

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
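
The ordered change described in the reply above, sketched with the .NET `FileSystemAccessRule` class it mentions. This is an added example, not code from the thread: the share paths and group names are the ones in the icacls examples, and the mapping of each folder name to a TESTLAB account of the same name is an assumption.

```powershell
# Added example. Paths and groups are those from the icacls examples in the thread.
# Assumption: each folder under $HomeRoot is named after its owner's account in $Domain.
$ErrorActionPreference = 'Stop'   # any failure aborts before "Everyone" is removed
$VolumeRoot  = '\\vserver1\volume1$'
$HomeRoot    = '\\vserver1\users$'
$Domain      = 'TESTLAB'
$AdminGroups = 'BUILTIN\Administrators', "$Domain\NetAppDataAdmins"

function New-InheritedAllowRule {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    # (CI)(OI) in icacls terms: applies to this folder, subfolders and files
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Step 1: give the administrator groups full control at the volume root.
$acl = Get-Acl -LiteralPath $VolumeRoot
foreach ($group in $AdminGroups) {
    $acl.AddAccessRule((New-InheritedAllowRule -Identity $group -Rights FullControl))
}
Set-Acl -LiteralPath $VolumeRoot -AclObject $acl

# Step 2: give each user explicit Modify on their own home directory.
foreach ($dir in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
    $account = New-Object System.Security.Principal.NTAccount($Domain, $dir.Name)
    try { [void]$account.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { Write-Warning "No account '$($account.Value)' for $($dir.FullName); skipped"; continue }
    $acl = Get-Acl -LiteralPath $dir.FullName
    $acl.AddAccessRule((New-InheritedAllowRule -Identity $account.Value -Rights Modify))
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
}

# Step 3: only now drop the explicit "Everyone" entries from the volume root.
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$acl = Get-Acl -LiteralPath $VolumeRoot
$acl.PurgeAccessRules($everyone)
Set-Acl -LiteralPath $VolumeRoot -AclObject $acl

# Check: list any home directory whose ACL still names Everyone (English account name).
Get-ChildItem -LiteralPath $HomeRoot -Directory | Where-Object {
    (Get-Acl -LiteralPath $_.FullName).Access.IdentityReference.Value -contains 'Everyone'
} | Select-Object -ExpandProperty FullName
```

Folders skipped in step 2 have no explicit user entry, so review the warnings before relying on step 3.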

Re: CIFS Home directory full permission "Everyone"

Hi Matt,

Thanks

I just did something wrong and lost the Everyone permission to the user folder.

Please advise how to reset it.

Besides, the AD policy requires auto user folder creation. Does that mean the full permission of Everyone is required?

Many thanks

Tony

Re: CIFS Home directory full permission "Everyone"

Hi,

 

It sounds like you've removed "Everyone" from the permissions? Do you have permissions to view the ACL? If not, then you will need to take ownership of the data before you can modify the ACL.

 

https://technet.microsoft.com/en-us/library/cc753659.aspx

 

/matt
