Last week a windows admin asked if I knew what the permissions should be for the root level share of home directories or redirected folders.  It has been a few years since I looked this up and I wanted to be certain I had all necessary ACLs, so I committed to researching the question and posting what I found to my blog.

I knew this KB article existed but it is not terribly easy to find since you have to search for "folder redirection" instead of "home directory".  This includes the full description for the root ACL.

http://support.microsoft.com/kb/274443

These are the two steps I was most interested in finding:

2.  Set Share Permissions for the Everyone group to Full Control.

3.  Use the following settings for NTFS Permissions:

  • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
  • System - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
  • Everyone - List Folder/Read Data (Apply onto: This Folder Only)
  • Everyone - Read Attributes (Apply onto: This Folder Only)
  • Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

Pay attention when configuring the home directory or folder redirection policies.  If you enable the setting to give the user exclusive access to the folder, you will override the inherited permissions and need to reset the ACL.