I'm reconfiguring roaming profiles on my network to use proper NTFS security settings according to this article. I have reset the following permissions on the roaming profile parent folder:
- CREATOR OWNER, Full Control, Subfolder and files only
- User group with profiles, List folder, Create folders, This folder only
- System, Full Control, This folder, subfolders, and files
Then I select one of the actual roaming profile folders and follow these steps to fix the NTFS settings:
- Click Security, Advanced
- Uncheck "Allow inheritable permissions..."
- Choose "Remove..."
- Recheck "Allow inheritable permissions..."
- Click "Apply"
After I choose apply, I get the following permissions listed on the roaming profile folder:
- Administrators (MYDOMAIN\Administrators) Full Control, This folder only
- CREATOR OWNER, Full Control, Subfolders and files only
- System, Full Control, This folder, subfolders, and files
Where is the Administrators entry coming from!? There is an entry on the root of the drive for Administrators to have Full Control, but the roaming profile parent folder is not set to inherit any permissions, and it does not have the Administrators permission.
Answer
It appears the problem was coming from my misunderstanding of the "CREATOR OWNER" permission. This "account" does not map to a SID; rather, it is a permission that tells the OS "when a new item is created in this folder, grant these permissions to the creator/owner". Because I was creating the account with an Administrators user, it caused the permissions to follow.
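As an added example (not part of the original post), the parent-folder permissions listed above expressed in PowerShell, followed by an audit that lists the explicit, non-inherited ACEs on each profile folder that belong to neither the profile's user nor SYSTEM, together with the folder owner; a folder created by an administrator shows up with Owner = Administrators and the explicit Administrators entry the post describes. The profile root path, the profile users group name and the folder-name-equals-user-name convention are assumptions; MYDOMAIN comes from the post.

```powershell
# Added example: not from the original post. Path, group name and naming convention are assumptions.
$ProfileRoot  = 'D:\Profiles'                      # assumed parent folder of the roaming profiles
$ProfileUsers = 'MYDOMAIN\Roaming Profile Users'   # assumed group whose members have profiles
$Domain       = 'MYDOMAIN'                         # domain name taken from the post

function New-Ace {
    param([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate)
    # Enum values are passed as strings; PowerShell converts them to the .NET enums.
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

function Set-ProfileRootAcl {
    param([string]$Root, [string]$Group)
    $acl = Get-Acl -Path $Root
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting from the drive root; drop inherited ACEs
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    # CREATOR OWNER, Full Control, "Subfolders and files only":
    # both inheritance flags plus InheritOnly, so it grants nothing on the parent itself.
    $acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
    # Profile users: List folder + Create folders, "This folder only" (no inheritance flags).
    $acl.AddAccessRule((New-Ace $Group 'ListDirectory, CreateDirectories' 'None' 'None'))
    # SYSTEM, Full Control, "This folder, subfolders and files".
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
    Set-Acl -Path $Root -AclObject $acl
}

function Get-UnexpectedProfileAce {
    # Explicit ACEs that CREATOR OWNER materialised for someone other than the profile's user.
    param([string]$Root, [string]$Domain)
    foreach ($dir in Get-ChildItem -Path $Root -Directory) {
        # Assumption: folder name is the user name, optionally with a .V2/.V6 style suffix.
        $user = "$Domain\$($dir.Name -replace '\.V\d+$', '')"
        $acl  = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            if ($ace.IdentityReference.Value -in @($user, 'NT AUTHORITY\SYSTEM')) { continue }
            [pscustomobject]@{
                Folder   = $dir.FullName
                Owner    = $acl.Owner                      # who created the folder
                Identity = $ace.IdentityReference.Value    # e.g. MYDOMAIN\Administrators
                Rights   = $ace.FileSystemRights
                Scope    = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

Set-ProfileRootAcl -Root $ProfileRoot -Group $ProfileUsers
Get-UnexpectedProfileAce -Root $ProfileRoot -Domain $Domain | Format-Table -AutoSize
```

Because CREATOR OWNER resolves to the account that creates the folder, the audit stays clean only when each user's profile folder is created by that user (or its ownership is reassigned to them) rather than pre-created by an administrator.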