
JSI Tip 0400 - How do I set permissions to give users control of their own directory but No Access to anyone else's?

I receive this query so many times that I have decided to post 2 solutions. These solutions work for the C:\Users directory and any others that you want to set up.

For these examples, we will set permissions on Local Groups on the assumption that you have users in Global Groups and Global Groups in Local Groups:

Jerry
   Domain Administrators
      Administrators

Jennifer
   Domain Users
      Users



The one share for Everyone approach.

1. Share the directory with Change for Everyone.
2. Set NTFS permissions on the directory as:

   Administrators   Special        (RWXD)
   System           Full Control   (All)(All)

   Check the Replace Permissions on Subdirectories box. Then set:

   Everyone         List           (RX)(Not Specified)

   and do not check the Replace Permissions on Subdirectories box.

3. Set NTFS permissions on each user's subdirectory as:

   Domain/UserName   Add & Read, Special File Access   (RWX)(ALL)

   Note: Remove any other extraneous users and groups.

4. In a login script, map a drive letter to the share.



The Good:

1. Easy to set up either manually or in an automated script.
2. Users will not be able to see or read the contents of another user's directory.

The Bad:

1. Users will see that other directories exist.
2. Users must navigate to their directory (unless they use Windows NT where you can map a drive letter below a share).
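
An audit for the "Remove any other extraneous users and groups" note in step 3, written as an added PowerShell example that is not part of the original tip. It assumes each subdirectory is named after its owner's account; EXAMPLE and D:\Homes are placeholder domain and path names, and Test-HomeDirectoryAcl is a hypothetical function name.

```powershell
# Added example, not from the original tip. Placeholders: EXAMPLE (domain), D:\Homes (parent).
# Assumption: each subdirectory is named after the account that owns it.
function Test-HomeDirectoryAcl {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Domain
    )
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $owner   = "$Domain\$($dir.Name)"
        # Step 3 keeps only the user; step 2 pushed Administrators and System down the tree.
        $allowed = @($owner, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
        $allow   = @((Get-Acl -LiteralPath $dir.FullName).Access |
                     Where-Object { $_.AccessControlType -eq 'Allow' })

        # Report every allow entry that belongs to someone outside the expected set.
        foreach ($ace in $allow) {
            $id = $ace.IdentityReference.Value
            if ($allowed -notcontains $id) {
                [pscustomobject]@{
                    Directory = $dir.FullName
                    Finding   = 'Extraneous entry'
                    Identity  = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }

        # Also report directories where the owner has no allow entry at all.
        $ids = @($allow | ForEach-Object { $_.IdentityReference.Value })
        if ($ids -notcontains $owner) {
            [pscustomobject]@{
                Directory = $dir.FullName
                Finding   = 'Owner has no entry'
                Identity  = $owner
                Rights    = $null
                Inherited = $null
            }
        }
    }
}

# Usage: Test-HomeDirectoryAcl -Root 'D:\Homes' -Domain 'EXAMPLE' | Format-Table -AutoSize
```

An Inherited value of True means the entry flows down from the parent directory instead of being set on the user's directory itself.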


The one hidden share for each user approach.

1. Do not share the parent directory.
2. Set NTFS permissions as in steps 2 and 3 of The one share for Everyone approach.
3. Create a hidden share for each user as UserName$ (See A better way later in this tip).
4. In a login script, map a drive letter to the share.



The Good:

1. Users will not see the existence of other directories.
2. Users will not be able to see or read the contents of another user's directory.
3. Users will not have to navigate to their directory.

The Bad:

1. A little harder to set up.
2. You need a little more memory on the server to manage the shares.
3. Won't work well if you have 25k+ users (I have heard of success with more users and fast multi-processors).



Mapping a drive.

net use <drive:> /delete
net use <drive:> \\Server\Share /persistent:yes

Note: /persistent:no is better if you turn off Autodisconnect and don't manually disconnect users.



A better way

Even with a hidden share, a knowledgeable hacker may still find those sensitive documents when flubadub writes his/her password on a post-it and attaches it to the monitor.

Try this in conjunction with The one hidden share for each user approach:

1. If you have W95 users, use WINSET, with or without Kixtart (see tip 120), and SET (or SETL for Kix) to set environment variables, but specifically set UserName.

2. Create a hidden share for the parent directory that only trusted administrators know. Grant Read permissions to Everyone on the share. Do not map a drive letter to it.

3. When creating the hidden share, use a different meaningless string such as z1q34uz$ for each user.

4. Create a file in the parent directory for each user called UserName.bat (Jerry.bat) which contains the drive mapping, and grant the specific user read (RX) permission to it (if you use Kix, then use a .scr extension):

   net use x: /delete
   net use x: \\Server\z1q34uz$ /persistent:yes

5. Call this file to perform the mapping:

   rem The command must follow "if exist" on the same line, or the batch file will not run it.
   if exist \\Server\ParentHiddenShare$\%UserName%.bat call \\Server\ParentHiddenShare$\%UserName%.bat

With this modification, a hacker would have to have an administrator's name and password to get to a user's files (or the user would have to leave their machine unlocked and My Computer open for the hacker to see the hidden share name, and they would still need the user's password). If you don't map the drive but just modify the command prompt shortcut for each user (see tip 121) and configure each user in your Office Suite to point to the UNC name, you are even safer.
