CIFS Home directory full permission "Everyone"

TonyWu
Hi,

How do I avoid the "Everyone" full control permission being inherited by all home directory folders after creation?

Thanks in advance

Best Regards,

Tony

1 ACCEPTED SOLUTION

mbeattie
Hi,

As the "Everyone" security principal is inheriting full control permissions to all subfolders in the volume (user home directories), this implies that you have not modified the default permissions that are applied when an NTFS volume is created. I'd recommend you fix this by creating an Active Directory group for data administrators and applying full control permissions to that group at the volume root.

For example, when creating a new volume (before presenting it to users) you should set the permissions and remove Everyone:

icacls.exe "\\vserver1\volume1$" /Grant "BUILTIN\Administrators":(CI)(OI)F
icacls.exe "\\vserver1\volume1$" /Grant "TESTLAB\NetAppDataAdmins":(CI)(OI)F
icacls.exe "\\vserver1\volume1$" /remove Everyone

Also, when you create user home directories you will need to explicitly set permissions to grant the user access.

For example:

icacls.exe "\\vserver1\users$\user1" /Grant "TESTLAB\user1":(CI)(OI)M

In your case, as the volume is in use with the default permissions, you will need to run the commands in a specific order to prevent an outage. First, add permissions for your administrator groups (wait for that to finish). Once complete, set explicit permissions on any qtrees and user home directories (wait for that to complete). Finally, remove the permissions for Everyone from the root of the volume.

Hope that helps.

/matt

Note: if you'd prefer to automate it and not use a command line, you can use the .NET class "System.Security.AccessControl.FileSystemAccessRule".

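The three-step order Matt gives above (admins first, then explicit per-user ACEs, then remove Everyone from the root) is easy to get wrong on a live volume, so here is the whole procedure as one PowerShell script built on the System.Security.AccessControl.FileSystemAccessRule class he mentions. This is an added example and not code from Matt or from NetApp; the share paths, the TESTLAB domain and the NetAppDataAdmins group are taken from his icacls lines as assumptions, and it also assumes each home folder is named after the user's account. The final audit step is an addition: it lists any path where an "Everyone" ACE still exists, including qtrees or folders whose inheritance was broken and so did not lose the ACE when the root was changed.

```powershell
# Added example, not code from the original thread. Re-permissions a live CIFS home-directory
# volume in the order described in the accepted answer so nobody loses access mid-change:
#   1. grant the admin groups Full Control at the volume root (inherited),
#   2. grant each user Modify on their own home directory (inherited),
#   3. only then remove "Everyone" from the root,
#   4. audit that no "Everyone" ACE survives on the root or any home directory.
# Share paths, the AD group and the domain are assumptions; replace them with your own.
param(
    [string]$VolumeRoot = '\\vserver1\volume1$',       # assumed admin share of the volume
    [string]$HomeRoot   = '\\vserver1\users$',         # assumed share holding home directories
    [string]$AdminGroup = 'TESTLAB\NetAppDataAdmins',  # assumed AD data-admin group
    [string]$UserDomain = 'TESTLAB'                    # assumed NetBIOS domain of the users
)

$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None

# Append an inheritable Allow ACE, the equivalent of icacls /grant "id":(CI)(OI)<rights>.
function Add-InheritableAce {
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $NoProp, 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Return every ACE (explicit or inherited) that names "Everyone" on a path.
function Get-EveryoneAce {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' }
}

# Step 1: admins first, so an operator always retains access whatever happens later.
Add-InheritableAce -Path $VolumeRoot -Identity 'BUILTIN\Administrators' -Rights FullControl
Add-InheritableAce -Path $VolumeRoot -Identity $AdminGroup               -Rights FullControl

# Step 2: explicit per-user ACE on each home directory
# (assumption: the folder name equals the user's account name).
foreach ($dir in Get-ChildItem -LiteralPath $HomeRoot -Directory) {
    try {
        Add-InheritableAce -Path $dir.FullName -Identity "$UserDomain\$($dir.Name)" -Rights Modify
    } catch {
        # Usually IdentityNotMappedException: the folder name is not a resolvable account.
        Write-Warning "Skipped $($dir.FullName): $($_.Exception.Message)"
    }
}

# Step 3: Everyone goes last, and only from the root; subfolders lose it through inheritance.
$rootAcl = Get-Acl -LiteralPath $VolumeRoot
$rootAcl.PurgeAccessRules([System.Security.Principal.NTAccount]'Everyone')
Set-Acl -LiteralPath $VolumeRoot -AclObject $rootAcl

# Step 4: audit. A folder with a protected (non-inheriting) DACL keeps its own Everyone ACE
# and shows up here; it needs an explicit icacls /remove of its own.
$leftovers = @($VolumeRoot) + (Get-ChildItem -LiteralPath $HomeRoot -Directory).FullName |
    Where-Object { Get-EveryoneAce -Path $_ }
if ($leftovers) {
    $leftovers | ForEach-Object { Write-Warning "Everyone still present on $_" }
} else {
    Write-Host 'No Everyone ACEs remain on the volume root or home directories.'
}
```

Run it from an account that is already in BUILTIN\Administrators on the SVM so step 1 itself cannot fail for lack of WRITE_DAC; on a large volume each Set-Acl on the root can take a while to propagate, which is why the script does the root grants and the per-user grants strictly before the purge rather than interleaving them.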

3 REPLIES

TonyWu
Hi Matt,

Thanks.

I just did something wrong and lost the Everyone permission to the user folder.

Please advise how to reset it.

Besides, the AD policy requires automatic user folder creation. Does that mean the full permission for Everyone is required?

Many thanks

Tony

mbeattie
Hi,

It sounds like you've removed "Everyone" from the permissions? Do you have permissions to view the ACL? If not, then you will need to take ownership of the data before you can modify the ACL.

https://technet.microsoft.com/en-us/library/cc753659.aspx

/matt

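For the recovery Matt describes in the reply above (you removed Everyone from a user folder and can no longer see its ACL), here is the take-ownership path as a small PowerShell script. It is an added example, not code from Matt or from NetApp, and it builds on the standard Windows tools takeown.exe and icacls.exe. The folder path, the TESTLAB\user1 account and the NetAppDataAdmins group are assumptions carried over from the accepted answer; the final step that hands ownership back to the user is also an assumption about what you want, so drop it if administrators should keep ownership.

```powershell
# Added example, not code from the original thread. Recovers a home directory whose DACL
# no longer admits you (e.g. Everyone was removed before anyone else was granted access).
# A member of Administrators can always take ownership, and the owner always has the
# implicit right to read and rewrite the DACL, so the ACL can then be rebuilt.
# Path, user and admin group are assumptions; replace them with your own.
param(
    [string]$HomeDir    = '\\vserver1\users$\user1',   # assumed home directory that is now locked
    [string]$UserName   = 'TESTLAB\user1',             # assumed owner of that home directory
    [string]$AdminGroup = 'TESTLAB\NetAppDataAdmins'   # assumed data-admin group
)

# Can the DACL be read at all? An error here is the symptom described in the thread.
try {
    $null = Get-Acl -LiteralPath $HomeDir -ErrorAction Stop
    Write-Host "ACL on $HomeDir is readable; ownership change not needed."
} catch {
    Write-Warning "Cannot read ACL on $HomeDir ($($_.Exception.Message)); taking ownership."
    # /A gives ownership to the Administrators group, /R recurses, /D Y answers "yes"
    # for subfolders we have no list permission on.
    takeown.exe /F $HomeDir /A /R /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }
}

# Rebuild the DACL the way the accepted answer recommends: admins Full Control, the user Modify,
# both inheritable so new files and subfolders pick them up.
icacls.exe $HomeDir /grant "${AdminGroup}:(CI)(OI)F" "${UserName}:(CI)(OI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE" }

# Optional (assumption): give ownership back to the user so quota accounting and
# self-service permission changes behave as they did before the mistake.
icacls.exe $HomeDir /setowner $UserName /T
if ($LASTEXITCODE -ne 0) { throw "icacls /setowner failed with exit code $LASTEXITCODE" }

# Show the result so the operator can confirm Everyone is gone and the user is back.
(Get-Acl -LiteralPath $HomeDir).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
```

Note that takeown.exe changes the owner but not the DACL, which is why the icacls /grant step still has to follow it; without it the folder would be owned by Administrators yet still grant nobody any access.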