
Security Permissions Differences: TS Roaming Profiles vs T..

 
Lisa King
External


Since: Sep 02, 2006
Posts: 5



Posted: Sat Sep 02, 2006 11:11 am    Post subject: Security Permissions Differences: TS Roaming Profiles vs TS User Home Directory
Archived from groups: microsoft>public>win2000>file_system, others


Howdy,

We have a farm of Terminal Servers that use local Group Policy settings to
set TS Roaming Profiles and TS User Home Directory to File Shares on a
FileServer Cluster.

On the File Server I have set up two directories

\\FileServicesCluster\Profiles\
\\FileServicesCluster\UserDirectories\

(Shared and Read + Change permissions to "Everyone" as recommended by MS)

When the users log on to the TS their profile and home directories get
created in the above mentioned shares automatically.

However the directories created for the user's profile have different
permissions from the home directories created for the user.

The profiles have the correct permissions, but the home directories don't.
All users can read/write in any user's Home Directory.

This is happening because the individual directories are inheriting
permissions from the top level directories. This is very puzzling because
user directories created by SYSTEM SHOULD NOT inherit any permissions from
the parent directories.

Has anyone else seen this issue? How can we remedy the permissions problem?

Note: The profiles directories don't inherit the permissions only the home
directories. However both are created by the SYSTEM.

Lisa King
Arizona State University
http://www.full-disc-encryption.com
Anthony
External


Since: Aug 30, 2006
Posts: 7



Posted: Sun Sep 03, 2006 4:48 am    Post subject: Re: Security Permissions Differences: TS Roaming Profiles vs TS User Home Directory

This is an odd one, because the way the permissions are set for the home
directory is determined by the client used to create the account. It changed
in later versions of the adminpak.
You now need to set the minimum default permissions you want to be inherited
at the root of the home folders.
http://support.microsoft.com/kb/817009/en-us.
1) Profiles are created in the profile folder by the user when they first
log on. The setting in the account determines the path where it will be
created. Therefore the user must have the rights in the root Profiles folder
to create the folder and to set the permissions on it.
2) Home folders are created by the person adding or editing the account. The
setting causes the user logging on to map a drive to it. Therefore the user
does not need the rights to create a folder in the root folder.
3) Redirecting a folder like My Documents will also cause a personal folder
to be created, but by the user when they log on and execute the redirect. If
you have not pre-created the user's Home folder, the user will need
permissions to create a folder in the root in order to redirect.
Anthony
Lisa King
External


Since: Sep 02, 2006
Posts: 5



Posted: Sun Sep 03, 2006 2:45 pm    Post subject: Re: Security Permissions Differences: TS Roaming Profiles vs TS User Home Directory

Anthony,

I think you misunderstood the setup. These are NOT regular User's home
directories. These are "Terminal Server" User Home Directories. These DON'T
get created upon account creation; instead they get created upon first logon
to the Terminal Services.

Lisa King
Arizona State University
http://www.full-disc-encryption.com
Anthony
External


Since: Aug 30, 2006
Posts: 7



Posted: Mon Sep 04, 2006 12:09 am    Post subject: Re: Security Permissions Differences: TS Roaming Profiles vs TS User Home Directory

When you next create a new account with a TS profile, have a quick look and
see if a home folder has been created.
Anthony
Anthony
External


Since: Aug 30, 2006
Posts: 7



Posted: Mon Sep 04, 2006 9:12 am    Post subject: Re: Security Permissions Differences: TS Roaming Profiles vs TS User Home Directory

I was aware you are talking about TS Profiles and TS Home directories. I
missed that you are talking about making the settings through Group Policy
rather than directly in the user's account under the Terminal Services
settings.
However the difference in inheritance between Profiles and Home folders is
normal in W2K3, so I am not sure the Group Policy aspect changes what you
are seeing.
Anthony
Lisa King
External


Since: Sep 02, 2006
Posts: 5



Posted: Tue Sep 05, 2006 8:39 am    Post subject: Re: Security Permissions Differences: TS Roaming Profiles vs TS User Home Directory

> However the difference in inheritance between Profiles and Home folders is
> normal in W2K3, so I am not sure the Group Policy aspect changes what you
> are seeing,
> Anthony

I understand about the differences. But the problem remains. How can I make
sure that permissions are not inherited? The inheritance causes the users'
home directories to become readable/writable by all users. :(

Lisa King
Arizona State University
http://www.full-disc-encryption.com
Anthony
External


Since: Aug 30, 2006
Posts: 7



Posted: Tue Sep 05, 2006 5:48 pm    Post subject: Re: Security Permissions Differences: TS Roaming Profiles vs TS User Home Directory

It is in the link I gave you: http://support.microsoft.com/kb/817009/en-us.
Either don't give users permissions at the root folder (which they don't
need) or turn off inheritance.
Anthony
Lisa King
External


Since: Sep 02, 2006
Posts: 5



Posted: Tue Sep 05, 2006 5:48 pm    Post subject: Re: Security Permissions Differences: TS Roaming Profiles vs TS User Home Directory

> It is in the link I gave you:
> http://support.microsoft.com/kb/817009/en-us.
> Either don't give users permissions at the root folder (which they don't
> need) or turn off inheritance.

Actually the users DO need permissions at the root level if the folders
are to be created automatically using local GPO.

Inheritance is already turned off. But it doesn't seem to make any
difference. :(


Lisa King
Arizona State University
http://www.full-disc-encryption.com
Anthony
External


Since: Aug 30, 2006
Posts: 7



Posted: Tue Sep 05, 2006 7:41 pm    Post subject: Re: Security Permissions Differences: TS Roaming Profiles vs TS User Home Directory

So the problem is that you have turned inheritance off on the root folder
but the subfolders are still inheriting? I don't have any suggestions on
that. Maybe someone else will.
Anthony
Lisa King
External


Since: Sep 02, 2006
Posts: 5



Posted: Tue Sep 05, 2006 7:41 pm    Post subject: Re: Security Permissions Differences: TS Roaming Profiles vs TS User Home Directory

"Anthony" wrote in message

> So the problem is that you have turned inheritance off on the root folder
> but the subfolders are still inheriting? I don't have any suggestions on
> that. Maybe someone else will.

Can anyone try this scenario out in their environment and see if they can
reproduce the problem?

Lisa King
Arizona State University
http://www.full-disc-encryption.com
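
The condition reported in this thread (per-user home folders readable or writable by all users, possibly through ACEs inherited from the share root) can be checked with an audit like the following. This is an added example, not code from any poster in the thread; it assumes PowerShell 3.0 or later, the share path from the first post, and a list of "broad" groups chosen here by well-known SID.

```powershell
# Added example: report home folders where a broad group has data access.
param(
    # Home-directory share named in the first post; change to suit.
    [string]$Root = '\\FileServicesCluster\UserDirectories'
)

# Well-known SIDs that cover (nearly) every user; matching by SID avoids
# problems with localized or renamed group names. This list is an assumption.
$BroadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
$DomainUsers = 'S-1-5-21-*-513'   # Domain Users: domain SID + RID 513

# Rights that let a principal read or write data in the folder. Modify and
# FullControl include these bits, so one mask catches all of them.
$DataAccess  = [int][System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData'
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$SidType     = [System.Security.Principal.SecurityIdentifier]
$NameType    = [System.Security.Principal.NTAccount]

Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $folder = $_
    $acl    = Get-Acl -LiteralPath $folder.FullName

    # Ask for both explicit and inherited ACEs, with identities as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid = $ace.IdentityReference.Value

        $isBroad = ($BroadSids -contains $sid) -or ($sid -like $DomainUsers)
        if (-not $isBroad) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Inherit-only ACEs apply to children, not to this folder itself.
        if (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $DataAccess) -eq 0) { continue }

        # Resolve the SID to a name for the report; fall back to the raw SID.
        $name = try { $ace.IdentityReference.Translate($NameType).Value }
                catch { $sid }

        [pscustomobject]@{
            Folder              = $folder.FullName
            Principal           = $name
            Rights              = $ace.FileSystemRights
            Inherited           = $ace.IsInherited              # came from the parent?
            InheritanceBlocked  = $acl.AreAccessRulesProtected  # folder blocks inheritance?
        }
    }
} | Sort-Object Folder, Principal | Format-Table -AutoSize
```

Rows with `Inherited = True` point at the ACL on the share root as the source; rows with `Inherited = False` mean the broad grant was written directly onto the home folder when it was created.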