Tech Help Request

Jan 29, 2009 14:04

My Goal: Get users’ Home Directories to synchronize using the Offline Files feature. Currently we receive this error: "Offline Files (\\Server03\home on Domain File Share (Server03)): Unable to make 'User Name' available offline on \\Server03\home. Access is denied."

According to some Microsoft tech articles, the problem is that in order to get the home directory to sync we need both the Share and NTFS permissions alike for the Shared Root Folder called HOME. All users must have at minimum Read Access to the Root Folder HOME (both NTFS and Share) and yet, in our environment anyway, they need Modify rights in the Share Permissions in order to have Modify rights within their home directory. The group being used is called “Authenticated Users” and includes all domain users. This group is updated automatically when new domain accounts are created.

Currently, the Share Permissions for the Root Folder HOME include the group “Authenticated Users” but the NTFS Permissions for the Root Folder HOME do NOT include this group. Our Server is running Windows Server 2003 - Standard Edition - SP2. No GPO.

Our Test: When we added Authenticated Users and granted Read Access to the Authenticated Users group in the NTFS permissions on the Root Folder HOME, the result was that users could then see/open other users’ Home directories. I believe this was because the restricted Read access in NTFS permissions had filtered down from the Parent (Root: HOME) and overrode the Share permissions for that group. I think of it like this: If mom says you can’t stay out late but dad says you can, then the result is that you can’t stay out late. In other words, the most restricted access is the one which takes precedence.

SOOO… How do we grant Read Access in the NTFS Permissions for the Root Folder HOME for all users without restricting the Share permissions or granting read access to all users to other users’ home directories?

I think it has something to do with inherited permissions - but I’m unclear how to resolve our issue here. GPO is not an option, so please don’t offer suggestions that require or use GPO as a solution. I’m new at all of this, so URL links to tech articles would be helpful as well. Also, if anyone there knows of the URL or tech article which discusses the Best Practices for Home Folders and NTFS Share Permissions, that would rock.

Thanks in advance!
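
The following is an added example, not part of the original post: a simplified Python model of how the share permission and NTFS inheritance combine on the HOME share. It compares three NTFS configurations of the HOME root: the current one, the inherited Read grant from the test above, and a Read grant scoped to "This folder only". The users alice and bob are constructed, and the model assumes allow-only ACEs and that every home folder inherits from HOME.

```python
# Simplified model (assumptions): allow ACEs only, no deny entries, no nested
# groups, and every home folder inherits from HOME. Names are constructed.
READ = frozenset({"read"})
MODIFY = frozenset({"read", "write"})
AU = "Authenticated Users"

def ntfs_rights(acl_chain, principals):
    """Union of NTFS rights on the last folder in acl_chain (root first).
    ACE = (principal, rights, inherits). An ancestor's ACE reaches the target
    only when it is inheritable; the target's own ACEs always apply."""
    rights = set()
    for depth, acl in enumerate(acl_chain):
        on_target = depth == len(acl_chain) - 1
        for principal, ace_rights, inherits in acl:
            if principal in principals and (on_target or inherits):
                rights |= ace_rights
    return rights

def effective(share_acl, acl_chain, principals):
    """Access over the share is the intersection of share and NTFS rights."""
    share = set()
    for principal, ace_rights in share_acl:
        if principal in principals:
            share |= ace_rights
    return share & ntfs_rights(acl_chain, principals)

def scenario(home_root_acl):
    """What the constructed user 'alice' gets on HOME, her folder, and bob's."""
    share_acl = [(AU, MODIFY)]                  # share permission from the post
    alice_dir = [("alice", MODIFY, True)]
    bob_dir = [("bob", MODIFY, True)]
    who = {"alice", AU}
    return {
        "HOME": effective(share_acl, [home_root_acl], who),
        "HOME/alice": effective(share_acl, [home_root_acl, alice_dir], who),
        "HOME/bob": effective(share_acl, [home_root_acl, bob_dir], who),
    }

CURRENT = scenario([])                            # AU absent from HOME's NTFS ACL
INHERITED = scenario([(AU, READ, True)])          # the test: Read flows to subfolders
THIS_FOLDER_ONLY = scenario([(AU, READ, False)])  # Read scoped to HOME itself

if __name__ == "__main__":
    for name, result in [("current", CURRENT), ("inherited", INHERITED),
                         ("this folder only", THIS_FOLDER_ONLY)]:
        print(name, {k: sorted(v) for k, v in result.items()})
```

In this model only the "This folder only" grant gives every user Read on HOME while leaving other users' folders inaccessible and each user's own Modify rights intact.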

technical, geekdom
