JSI Tip 0400 - How do I set permission to give users control of their own directory but No Access to anyone elses?
January 22, 1998
I receive this query so many times that I have decided to post 2 solutions. These solutions work for the C:Users directory and any others that you want to set up.
For these examples, we will set permissions on Local Groups on the assumptions that you have users in Global Groups and Global Groups in Local Groups:
Jerry
Domain Administrators
Administrators
Jennifer
Domain Users
Users
The one share for Everyone approach.
1. Share the directory with Change for Everyone.
2. Set NTFS permissions on the directory as:
Administrators | Special | (RWXD) |
---|---|---|
System | Full Control | (All)(All) |
Check the Replace Permissions on Subdirectories box. Then set: | ||
Everyone | List | (RX)(Not Specified) |
and do not check the Replace Permissions on Subdirectories box. |
3. Set NTFS Permissions on each users subdirectory as:
4. In a login script, map a drive letter to the share.
The Good:
1. Easy to setup either manually or in an automated script.
2. Users will not be able to see or read the contents of another users directory.
The Bad:
1. Users will see that other directories exist.
2. Users must navigate to their directory (unless they use Windows NT where you can map a drive letter below a share).
The one hidden share for each user approach.
1. Do not share the parent directory.
2. Set NTFS permissions as in step 2 and 3 of The one share for Everyone approach..
3. Create a hidden share for each user as UserName$ (See A better way later in this tip).
4. In a login script, map a drive letter to the share.
The Good:
1. Users will not see the existance of other directories.
2. Users will not be able to see or read the contents of another users directory.
3. Users will not have to navigate to their directory.
The Bad:
1. A little harder to set up.
2. You need a little more memory on the server to manage the shares.
3. Won't work well if you have 25k+ users (I have heard of success with more users and fast muli-processors).
Mapping a drive.
net use /delete
net use \ServerShare /persistent:yes
note: /persistent:no is better if you turn off Autodisconnect and don't manually disconnect users.
A better way
Even with a hidden share, a knowledgeable hacker may still find those sensitive documents when flubadub writes his/hers password on a post-it and attaches it to the monitor.
Try this in conjunction with The one hidden share for each user approach:
1. If you have W95 users, use WINSET, with or without Kixtart (see tip 120), and SET (or SETL for Kix) to set environment variables, but specifically set UserName.
2. Create a hidden share for the parent directory that only trusted administrators know. Grant Read permissions to Everyone on the share. Do not map a drive letter to it.
3. When creating the hidden share, use a different meaningless string such as z1q34uz$ for each user.
4. Create files in the parent directory called UserName.bat (Jerry.bat) which contains the drive mapping and grant the specific user read (RX) permission to it: (If you use Kix, then use a .scr extention)
net use x: /delete
net use x: \Serverz1q34uz$ /persistent:yes
5. Call this file to perform the mapping:
if exist \ServerParentHiddenShare$%UserName%.bat
call \ServerParentHiddenShare$%UserName%.bat
With this modification, a hacker would have to have an administrators name and password to get to a users files (or the user would have to leave thier machine unlocked and My Computer open for the hacker to see the hidden share name and they would still need the users password. If you don't map the drive but just modify the command prompt shortcut for each user (see tip 121) and configure each user in your Office Suite to point to the UNC name, you are even safer.
About the Author
You May Also Like