Guest Radovan Vojtek
Posted April 30, 2008

Hi all,

is there any recommended ACL setting for user homedirs?

I'd like to do the following:

- users are owners of their homedirs (we use owner-based quotas)
- users cannot change permissions of their homedirs

Is that possible?

However, ownership seems to override even "deny change permissions" ACL. Is there any other way to deny access for the user to the other homedirs?

Thanks,
--
R.V.

Guest Roger Abell [MVP]
Posted May 1, 2008

"Radovan Vojtek" <RadovanVojtek@discussions.microsoft.com> wrote in message news:2BF26AAB-6C5A-4EC9-86B5-8E27F13A5B72@microsoft.com...
> Hi all,
>
> is there any recommended ACL setting for user homedirs?

I believe it is a grant of Full Control for the account, optionally also a grant to Administrators, and nothing else.

> I'd like to do the following:
>
> - users are owners of their homedirs (we use owner-based quotas)
> - users cannot change permissions of their homedirs
>
> Is that possible?

No, not directly on any Windows client OS released to date. There is one workaround that may sometimes be of use. Since share level permissions set the upper bound on what may be used of the NTFS permissions when access is via a share, if an account has Full at NTFS level but the share level permissions are only Change, then it is not possible to use the ability to change permissions when the access is via the share.

> However, ownership seems to override even "deny change permissions" ACL.

That is correct, it does do so.

> Is there any other way to deny access for the user to the other homedirs?

Not sure what this asks, "other homedirs"? Just do not give the account any grant on the other homedirs, only on their own.

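The layout described in the answer above (Full Control for the account and Administrators only, with the share capped at Change), as an added example that is not part of the original posts. The root `D:\Homes`, the domain `CONTOSO`, the share name `Homes$` and the account `alice` are hypothetical, and the audit assumes each home folder is named after its account.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# Hypothetical names: D:\Homes, CONTOSO, Homes$, alice.
$root   = 'D:\Homes'
$domain = 'CONTOSO'
$admins = 'BUILTIN\Administrators'

function New-HomeDir([string]$Name) {
    $dir  = Join-Path $root $Name
    $user = "$domain\$Name"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    # Drop inherited ACEs, then grant Full Control to the account and to
    # Administrators only, inherited by subfolders (CI) and files (OI).
    icacls $dir /inheritance:r /grant "${user}:(OI)(CI)F" "${admins}:(OI)(CI)F" | Out-Null
    # The account owns its folder, so owner-based quotas are charged to it.
    icacls $dir /setowner $user | Out-Null
}

# Share permission for ordinary users is Change, not Full Control. Access via
# the share is capped at Change, so the NTFS "change permissions" right cannot
# be used over the network. Local access to the volume is not capped.
if (-not (Get-SmbShare -Name 'Homes$' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Homes$' -Path $root `
        -ChangeAccess 'NT AUTHORITY\Authenticated Users' -FullAccess $admins | Out-Null
}

# Audit: report every ACE that names anyone other than the folder's own
# account or Administrators, and every folder whose owner is not its account.
function Test-HomeDirAcl {
    foreach ($dir in Get-ChildItem -Path $root -Directory) {
        $expected = "$domain\$($dir.Name)", $admins
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($expected -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{ Folder = $dir.Name; Finding = 'Unexpected ACE'
                                   Identity = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights }
            }
        }
        if ($acl.Owner -ne $expected[0]) {
            [pscustomobject]@{ Folder = $dir.Name; Finding = 'Unexpected owner'
                               Identity = $acl.Owner; Rights = $null }
        }
    }
}

New-HomeDir 'alice'
Test-HomeDirAcl | Format-Table -AutoSize
```

An empty audit result means every folder under the root carries only the two expected grants and is owned by its own account.
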
Guest S. Pidgorny
Posted May 1, 2008

Ownership is a very descriptive name. Owner is the one who can reset any ACL.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp

Guest Radovan Vojtek
Posted May 1, 2008

Hello Svyatoslav,

Thank you for your reply!
Do you think there is any way to block users from accessing "foreign" homedirs?

Thanks,
--
R.V.

Guest S. Pidgorny
Posted May 2, 2008

Not under your model, no...

Guest Roger Abell [MVP]
Posted May 3, 2008

What precisely do you mean by "foreign" homedirs?
Normally an account has access to their own homedir and no access to another's homedir.

Roger

Guest S. Pidgorny
Posted May 4, 2008

I think the users have ownership over other users' home directories. At least this is how I read the last question.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp

Guest Roger Abell [MVP]
Posted May 4, 2008

Hi Slav,

While that might be, it would of course be highly unusual.
I just cannot answer the poster until I do know what the issue actually is, i.e. this access to foreign thing.

Roger