Security Permissions Differences: TS Roaming Profiles vs TS User Home Directory


Lisa King

Howdy,

We have a farm of Terminal Servers that use local Group Policy settings to
set TS Roaming Profiles and TS User Home Directory to File Shares on a
FileServer Cluster.

On the File Server I have set up two directories:

\\FileServicesCluster\Profiles\
\\FileServicesCluster\UserDirectories\

(Shared and Read + Change permissions to "Everyone" as recommended by MS)

When the users logon to the TS their profile and home directories get
created in the above mentioned shares automatically.

However the directories created for the user's profile have different
permissions from the home directories created for user.

The profiles have the correct permissions, but the home directories don't.
All users can read/write in any user's Home Directory.

This is happening because the individual directories are inheriting
permissions from the top level directories. This is very puzzling because
user directories created by SYSTEM SHOULD NOT inherit any permissions from
the parent directories.

Has anyone else seen this issue? How can we remedy the permissions problem?

Note: The profile directories don't inherit the permissions, only the home
directories do. However, both are created by the SYSTEM.

Lisa King
Arizona State University
http://www.full-disc-encryption.com
 
This is an odd one, because the way the permissions are set for the home
directory is determined by the client used to create the account. It changed
in later versions of the adminpak.
You now need to set the minimum default permissions you want to be inherited
at the root of the home folders.
http://support.microsoft.com/kb/817009/en-us.
1) Profiles are created in the profile folder by the user when they first
log on. The setting in the account determines the path where it will be
created. Therefore the user must have the rights in the root Profiles folder
to create the folder and to set the permissions on it.
2) Home folders are created by the person adding or editing the account. The
setting causes the user logging on to map a drive to it. Therefore the user
does not need the rights to create a folder in the root folder.
3) Redirecting a folder like My Documents will also cause a personal folder
to be created, but by the user when they log on and execute the redirect. If
you have not pre-created the user's Home folder, the user will need
permissions to create a folder in the root in order to redirect.
Anthony
 
Anthony,

I think you misunderstood the setup. These are NOT regular users' home
directories. These are "Terminal Server" User Home Directories. These DON'T
get created upon account creation; instead they get created upon first logon
to the Terminal Services.

Lisa King
Arizona State University
http://www.full-disc-encryption.com
 
When you next create a new account with a TS profile, have a quick look and
see if a home folder has been created.
Anthony
 
I was aware you are talking about TS Profiles and TS Home directories. I
missed that you are talking about making the settings through Group Policy
rather than directly in the user's account under the Terminal Services
settings.
However, the difference in inheritance between Profiles and Home folders is
normal in W2K3, so I am not sure the Group Policy aspect changes what you
are seeing.
Anthony
 
Anthony said:
However, the difference in inheritance between Profiles and Home folders is
normal in W2K3, so I am not sure the Group Policy aspect changes what you
are seeing.

I understand about the differences. But the problem remains. How can I make
sure that permissions are not inherited? The inheritance causes the users'
home directories to become readable/writable by all users. :-(

Lisa King
Arizona State University
http://www.full-disc-encryption.com
 
So the problem is that you have turned inheritance off on the root folder
but the subfolders are still inheriting? I don't have any suggestions on
that. Maybe someone else will.
Anthony
 
Anthony said:
So the problem is that you have turned inheritance off on the root folder
but the subfolders are still inheriting? I don't have any suggestions on
that. Maybe someone else will.

Can anyone try this scenario out in their environment and see if they can
reproduce the problem?

Lisa King
Arizona State University
http://www.full-disc-encryption.com
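
An added example, not part of the original thread: a PowerShell audit for the condition discussed above, listing folders under the home-directory share that still inherit ACEs from the root or grant write-level rights to broad groups. The share path is the one from the first post; the list of broad principals (English names), the write mask and the use of PowerShell 3.0 or later from an admin workstation are assumptions.

```powershell
# Added example (not from the thread). Read-only audit: it changes no permissions.
param(
    # Home-directory root as named in the first post.
    [string]$Root = '\\FileServicesCluster\UserDirectories'
)

# Assumption: principals considered "too broad" for a per-user folder.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Assumption: rights that let another user alter or take over the folder.
# Read-only rights are deliberately excluded from the mask.
$WriteMask = [System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
    'ChangePermissions, TakeOwnership')

Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $folder = $_
    $acl    = Get-Acl -LiteralPath $folder.FullName

    # Allow ACEs that give a broad principal any of the write-level rights.
    $risky = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $WriteMask) -ne 0
    })

    [pscustomobject]@{
        Folder             = $folder.Name
        Owner              = $acl.Owner
        # AreAccessRulesProtected is $true when inheritance from the parent is blocked.
        InheritanceEnabled = -not $acl.AreAccessRulesProtected
        InheritedAceCount  = @($acl.Access | Where-Object { $_.IsInherited }).Count
        BroadWriteAces     = ($risky | ForEach-Object {
            '{0} [{1}] inherited={2}' -f $_.IdentityReference, $_.FileSystemRights, $_.IsInherited
        }) -join '; '
    }
} |
    # Report only folders that inherit from the root or expose write access broadly.
    Where-Object { $_.InheritanceEnabled -or $_.BroadWriteAces } |
    Format-Table -AutoSize -Wrap
```

Running the same script with `-Root \\FileServicesCluster\Profiles` gives the comparison the thread describes between profile folders and home folders.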
 