Folder Redirection - Prevent users from changing permissions on their files

    Question

  • Users can technically change the permissions on their files inside their redirected folder, even if you configure NTFS permissions the way Microsoft recommends. There's nothing stopping a savvy user from changing permissions on their files and removing Admins from having access. Isn't there a way to prevent this?

    I've configured the NTFS permissions on the shared folder like so: 

    1) Local Administrators group with Full Control of - This Folder, Subfolders, and Files.
    3) Domain Admins domain security group with Full Control - This Folder, Subfolders, and Files.
    4) System account with Full Control - This Folder, Subfolders, and Files.
    5) Authenticated Users group with Create Folders/Append Data - This Folder Only rights.

    6) Creator Owner on Subfolders and files with: List Folder/Read Data, Read attributes, read extended attributes, create files/write data, create folders/append data, write attributes, write extended attributes, delete, read permissions. This is basically Modify permission, but assigned through special permissions. Note that Full Control and Change Permissions were NOT given to Creator Owner.

    This setup works fine and redirected folders function like normal, but when I check the permissions on the users' redirected folders after they're automatically created at login, the users are still given the Change Permission on their redirected folder even though I explicitly removed it from Creator Owner. Full Control remains unchecked like I configured, but they can still change permissions on their files, which I don't want.

    Are there any recommendations for setting it up so that users can't change their permissions? I thought my configuration above would do it but it's obviously not allowing it as it is giving them back the Change Permission.

    Any help would be appreciated.

    Sunday, September 29, 2013 12:39 PM

Answers

  • You need to assign the desired level of permissions applicable to CREATOR OWNER to the OwnerRights SID - assuming that your file server is running WS 2008 or newer.

    More at http://technet.microsoft.com/en-us/library/cc749445%28v=ws.10%29.aspx

    hth
    Marcin

    • Proposed as answer by Ace Fekay [MCT]MVP Monday, September 30, 2013 4:16 AM
    • Marked as answer by CB79LD Monday, September 30, 2013 2:34 PM
    Sunday, September 29, 2013 1:58 PM
  • So I got around to testing adding Owner Rights instead of Creator Owner and it works perfectly. Users can no longer change permissions on their files. Thanks a lot for suggesting that.

    I tested it with removing Creator Owner completely and only having Owner Rights with Modify special permissions and it works great. I also tested the other way with both Owner Rights and Creator Owner both with Modify special permissions and it also works. I didn't notice any real difference so I removed Creator Owner completely and left Owner Rights with Modify special permissions on the share.

    So this is how I configured it:

    Share Settings:

    • Create the share and make it hidden by adding $ to the end; this way users can't find it by searching. For example: \\server\UserDir$
    • For Share permissions, configure Authenticated Users to have Full Control.

    NTFS Settings:

    • Configure the folder not to inherit permissions and remove all existing permissions.
    • Add Domain Admins with Full Control - This Folder, Subfolders, and files.
    • Add Enterprise Admins with Full Control - This Folder, Subfolders, and Files.
    • Add System account with Full Control - This Folder, Subfolders, and Files.
    • Add Authenticated Users with Create Folders/Append Data - This Folder only. Ticking ONLY Create Folders/Append Data still allows user accounts to auto-create their redirected folder in the root of the share, but DOESN'T allow them to go in the root of the share and see everyone else's user folders.
    • Add Owner Rights account with Modify special permissions - Subfolders and Files only. Modify special permissions are basically everything EXCEPT for Full Control, Delete Subfolders and files, Change Permissions, and Take Ownership. Make sure you untick those. Doing this will still allow users to create and delete their own files/folders but WILL NOT allow them to change the permissions on their files/folders.

    By setting it up this way, you can have it secured and locked down as much as possible so only Admins can explore the root of the share and see all the individual user folders and most importantly prevents users from changing permissions on their files/folders.

    This seems to me the most secure way to set this up and I don't get why Microsoft wouldn't recommend setting it up this way in the first place. Hope others find this useful.

    • Marked as answer by CB79LD Monday, September 30, 2013 2:33 PM
    Monday, September 30, 2013 9:03 AM
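
The NTFS settings listed in the answer above, scripted as an added example (not code from the thread's participants), followed by a check that the Owner Rights entry carries neither Change Permissions nor Take Ownership. The path `D:\UserDir` and the domain name `CONTOSO` are assumptions; run it elevated on the file server against a new, empty share root.

```powershell
# Assumed values (not from the thread): share root path and NetBIOS domain name.
$Path   = 'D:\UserDir'
$Domain = 'CONTOSO'

$ns = 'System.Security.AccessControl'
function New-AllowRule($Identity, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    # Explicit enum casts keep constructor overload resolution unambiguous.
    New-Object "$ns.FileSystemAccessRule" -ArgumentList @(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}
function Get-Sid([string]$Value) { New-Object System.Security.Principal.SecurityIdentifier $Value }
function Get-Account([string]$Name) { New-Object System.Security.Principal.NTAccount($Domain, $Name) }

# A new DirectorySecurity starts with an empty DACL; protecting it blocks inheritance
# ("do not inherit permissions and remove all existing permissions").
$acl = New-Object "$ns.DirectorySecurity"
$acl.SetAccessRuleProtection($true, $false)

$all = 'ContainerInherit, ObjectInherit'   # This Folder, Subfolders, and Files
$acl.AddAccessRule((New-AllowRule (Get-Account 'Domain Admins')     'FullControl' $all 'None'))
$acl.AddAccessRule((New-AllowRule (Get-Account 'Enterprise Admins') 'FullControl' $all 'None'))
$acl.AddAccessRule((New-AllowRule (Get-Sid 'S-1-5-18')              'FullControl' $all 'None'))  # SYSTEM
# Authenticated Users: Create Folders/Append Data, This Folder only
$acl.AddAccessRule((New-AllowRule (Get-Sid 'S-1-5-11') 'AppendData' 'None' 'None'))
# OWNER RIGHTS (S-1-3-4): Modify, Subfolders and Files only. Modify excludes
# Change Permissions, Take Ownership and Delete Subfolders and Files.
$acl.AddAccessRule((New-AllowRule (Get-Sid 'S-1-3-4') 'Modify' $all 'InheritOnly'))

Set-Acl -Path $Path -AclObject $acl

# Verify what was actually written: read explicit ACEs back as SIDs.
$forbidden = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
$ownerAces = (Get-Acl -Path $Path).GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-3-4' }

if (-not $ownerAces) { Write-Warning "No OWNER RIGHTS entry on $Path; owners keep implicit permission to change the DACL." }
foreach ($ace in $ownerAces) {
    if ($ace.FileSystemRights -band $forbidden) {
        Write-Warning "OWNER RIGHTS entry still grants: $($ace.FileSystemRights -band $forbidden)"
    } else {
        Write-Output "OWNER RIGHTS entry OK: $($ace.FileSystemRights)"
    }
}
```

Folders created before the change keep their old entries until the new permissions are propagated to them, so re-run the verification section against an existing user folder as well.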

All replies

  • So basically I just need to remove Creator Owner and add Owner Rights with the modify special permissions instead? The file server is running WS 2008 R2.
    Sunday, September 29, 2013 3:02 PM
  • You need to add OwnerRights with the permissions that you want to be granted to CreatorOwner

    hth
    Marcin

    Sunday, September 29, 2013 6:59 PM
  • Just to be clear, once I add OwnerRights with the permissions I want, I have to remove Creator Owner right?
    Monday, September 30, 2013 2:03 AM
  • I don't believe this actually would matter - but it should be quite easy for you to test this...

    hth
    Marcin

    Monday, September 30, 2013 2:13 AM
  • After you do that, ensure that redirection still works, since there are minimal permissions required to make it work.

    Folder Redirection
    Published by Ace Fekay, MCT, MVP DS on Sep 8, 2009 at 12:16 PM
    http://msmvps.com/blogs/acefekay/archive/2009/09/08/folder-redirection.aspx

    -

    The following provides tables listing specific permissions to make folder redirection work. If you make any changes as suggested and you see redirection errors, consult the following to ensure you have the minimums set.

    Security Considerations when Configuring Folder Redirection
    http://technet.microsoft.com/nl-nl/library/cc775853(v=ws.10).aspx


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, September 30, 2013 4:08 AM
  • One possible reason is that there are environments where Admins are supposed to be prevented from accessing user data

    hth
    Marcin

    Monday, September 30, 2013 11:22 AM
  • Besides, the recommendations you are referring to were likely created prior to introduction of OwnerRights SID

    hth
    Marcin

    Monday, September 30, 2013 11:26 AM