So the backstory is we have set up redirection of My Documents to our users' home directory. This is created by AD by mapping a drive letter to \\fileserver\homeshare\%username% and this was set up a while ago, following what I can tell are 'best practices' as suggested by Microsoft.
Refer to this overview about what Microsoft suggests: http:/
Here is what I'm having a problem with:
- Microsoft suggests Everyone get Full permissions to the share vs. Authenticated Users
- Users are the owners of their folders upon automatic creation. They are set by the suggested ACL to have Full Control over their Home folder
- Users are not domain admins, so they do not understand how NTFS permissions function, removing all other users other than themselves (and sometimes, comically, themselves)
- From what I've seen, giving them modify only (Owner = Modify) on the home directory root should solve this problem, and has worked in limited testing
What do you guys do? I can't find solid evidence that says why they need full control other than a poor cop out or whoever wrote the KB document didn't have security at the forefront.
I also know some places lock it down so tight that Admins don't have access, and I have no issues with that, just it's not what we do here (yet) so I'd like to be confident that we are backing our users' data up and continue to allow us to support our users how they are.
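
An added example, not part of the original post: a PowerShell audit that walks the home share and reports folders where the access that backup and support depend on has been removed, along with anyone other than those principals who can rewrite the ACL. The function name `Test-HomeFolderAcl` and the choice of SYSTEM and BUILTIN\Administrators as the required principals are assumptions; substitute the accounts your backups actually run as.

```powershell
# Added example. Assumed: the required SIDs below reflect your backup/support policy.
$HomeRoot     = '\\fileserver\homeshare'       # share path as written in the post
$RequiredSids = 'S-1-5-18', 'S-1-5-32-544'     # SYSTEM, BUILTIN\Administrators

function Test-HomeFolderAcl {
    param(
        [Parameter(Mandatory)][string]   $Path,
        [Parameter(Mandatory)][string[]] $RequiredSids
    )
    $rights  = [System.Security.AccessControl.FileSystemRights]
    $sidType = [System.Security.Principal.SecurityIdentifier]
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Being unable to read the ACL at all is itself the finding.
        return [pscustomobject]@{ Path = $Path; Status = 'Unreadable'; Owner = $null
                                  Missing = $RequiredSids; CanRewriteAcl = @() }
    }
    # Allow ACEs that apply to the folder itself; inherit-only entries are skipped.
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $aces = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.PropagationFlags -band $inheritOnly) -eq 0
    })
    # Required principals that no longer hold Full Control on the folder.
    $missing = @($RequiredSids | Where-Object {
        $sid = $_
        -not ($aces | Where-Object {
            $_.IdentityReference.Value -eq $sid -and
            ($_.FileSystemRights -band $rights::FullControl) -eq $rights::FullControl
        })
    })
    # Other principals granted the right to change permissions or take ownership.
    $aclRights  = $rights::ChangePermissions -bor $rights::TakeOwnership
    $canRewrite = @($aces | Where-Object {
        $RequiredSids -notcontains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $aclRights) -ne 0
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    $status = 'OK'
    if ($missing.Count -gt 0) { $status = 'MissingRequiredAccess' }
    [pscustomobject]@{ Path = $Path; Status = $status; Owner = $acl.GetOwner($sidType).Value
                       Missing = $missing; CanRewriteAcl = $canRewrite }
}

Get-ChildItem -LiteralPath $HomeRoot -Directory |
    ForEach-Object { Test-HomeFolderAcl -Path $_.FullName -RequiredSids $RequiredSids } |
    Where-Object { $_.Status -ne 'OK' -or $_.CanRewriteAcl.Count -gt 0 } |
    Format-Table -AutoSize -Wrap
```

The `Owner` column matters alongside `CanRewriteAcl`: a folder's owner can change its permissions even without an explicit Full Control entry, unless an OWNER RIGHTS entry limits that.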