NetApp Community Update
This site will enter Read Only mode on July 23 as we prepare to move to a new platform. You will still be able to view content, but posting and replying will be temporarily disabled.
We're excited to launch our new Community experience on July 30 and more information will follow soon.
Stay connected during the transition - Join our Discord community today.

Network and Storage Protocols

CIFS Home directory full permission "Everyone"

TonyWu
8,351 Views

Hi,

 

How to avoid the full permission of "Everyone" inherit to all home directory folder after creation?

 

Thanks in advance

 

Best Regards,

Tony

1 ACCEPTED SOLUTION

mbeattie
8,326 Views

Hi,

 

As the "Everyone" security principal is inheriting full control permissions to all subfolders in the volume (user home directories) this implies that you have not modifed the default permissions that are applied when an NTFS volume is created. I'd recommend you fix this by either creating a Active Directory group for Data administrators and applying full control permissions to that group at volume root.

 

For example when creating a new volume (before presenting it to users) you should set the permissions and remove everyone:

 

icacls.exe "\\vserver1\volume1$" /Grant "BUILTIN\Administrators":(CI)(OI)F
icacls.exe "\\vserver1\volume1$" /Grant "TESTLAB\NetAppDataAdmins":(CI)(OI)F
icacls.exe "\\vserver1\volume1$" /remove Everyone

 

Also when you create user home directories you will need to explicitly set permissions to grant the user access.

 

For example:

 

icacls.exe "\\vserver1\users$\user1" /Grant "TESTLAB\user1":(CI)(OI)M

 

In your case as the volume is in use with the default permissions you will need to run the commands in a specific order to prevent an outage. first add permissions to your administrators groups (wait for that to finish). Once complete set explicit permissions on any qtree's and users home directories (wait for that to complete). Finally remove the permissions to everyone from the root of the volume.

 

Hope that helps.

 

/matt

 

Note: if you'd prefer to automate it and not use a command line then you can use .NET class "System.Security.AccessControl.FileSystemAccessRule"

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

View solution in original post

3 REPLIES 3

mbeattie
8,327 Views

Hi,

 

As the "Everyone" security principal is inheriting full control permissions to all subfolders in the volume (user home directories) this implies that you have not modifed the default permissions that are applied when an NTFS volume is created. I'd recommend you fix this by either creating a Active Directory group for Data administrators and applying full control permissions to that group at volume root.

 

For example when creating a new volume (before presenting it to users) you should set the permissions and remove everyone:

 

icacls.exe "\\vserver1\volume1$" /Grant "BUILTIN\Administrators":(CI)(OI)F
icacls.exe "\\vserver1\volume1$" /Grant "TESTLAB\NetAppDataAdmins":(CI)(OI)F
icacls.exe "\\vserver1\volume1$" /remove Everyone

 

Also when you create user home directories you will need to explicitly set permissions to grant the user access.

 

For example:

 

icacls.exe "\\vserver1\users$\user1" /Grant "TESTLAB\user1":(CI)(OI)M

 

In your case as the volume is in use with the default permissions you will need to run the commands in a specific order to prevent an outage. first add permissions to your administrators groups (wait for that to finish). Once complete set explicit permissions on any qtree's and users home directories (wait for that to complete). Finally remove the permissions to everyone from the root of the volume.

 

Hope that helps.

 

/matt

 

Note: if you'd prefer to automate it and not use a command line then you can use .NET class "System.Security.AccessControl.FileSystemAccessRule"

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

TonyWu
8,301 Views
Hi Matt,

Thanks

I just did something wrong and lost the everyone permission to the user folder

Please advise how to reset it

Besides, the AD policy required auto user folder creation. Is that means ther full permission of everyone is required

Many thanks

Tony

mbeattie
8,281 Views

Hi,

 

It's sounds like you've removed "Everyone" from the permissions? Do you have permissions to view the ACL? If not then you will need to take ownership of the data before you can modify the ACL

 

https://technet.microsoft.com/en-us/library/cc753659.aspx

 

/matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
Public