Which minimum Share & NTFS permissions do you need for the use of Offline Files and Folder Redirection in Windows 2008 / 2008 R2

Which minimum Share & NTFS permissions do you need for the use of Offline Files and Folder Redirection in Windows 2008 / 2008 R2

  • Comments 7
  • Likes
In Microsoft Windows Server 2008 and Windows Server 2008 R2, as an administrator, you can share Folders which can be mapped as Network Drives on a Windows Vista or a Windows 7 Client.
Also you can customize desktops by using Folder Redirection.
Those mapped Drives you can make available offline by using the Offline Files Feature. You can configure the Offline Files Feature via GPO or manually:

You can find more Information how to configure the offline Files Feature by searching the Microsoft TechNet.
You can find more information about Folder Redirection by searching Windows Help for Folder Redirection.

Create security-enhanced offline Files Folder, UNC path like \\ServerName\Share$\Folder1\Folder2  

To make sure that only the user and the domain administrators have permissions to synchronize / open and dynamically create folders for the user during the redirection process
to the offline available Files with the Server Share, do the following:

1. Select a central location in your environment where you would like to store the User Files, and then share this folder.

2. Set Share Permissions for the Everyone group to change.

3. Use the following settings for NTFS Permissions for the root folder Share$ :
 
 - Creator Owner - Full Control, Subfolders and Files Only
 - Local System - Full Control This Folder, Subfolders and Files
 - Administrators - "no permissions"
 - Everyone - "no permissions" 
 - Security group of users that need to put data on share - This Folder Only

+ Travers folder / execute file

+ List Folder/Read Data

+ Read attributes

+ Read extended attributes

+ Create Files / write Data

 
4. NTFS permissions needed for the folders Folder1 and Folder2 for offline file synchronization:
 
- %Username% - Full Control, Owner Of Folder
- Local System  - Full Control
- Administrators - "no permissions"
- Everyone - "no permissions"
Comments
  • Having just configured these settings, and discovered I am now able to write to the target share from a PC and user account that isn't yet a member of the domain, I find myself wondering if those permissions granted to 'Everyone' should instead be granted to a more specific group, such as 'Authenticated Users', in order to prevent random people writing to that folder.

  • Hi,

    Everyone group contains only Accounts from Domain Members. Meaning: every User and System account which is known by the DC is in that Group. If you have access as described above, then you maybe have the Guest Account activated, that is the one which is really dangerous. If not, you should start to search where you have the Security breach, it is for sure not the Everyone Group. Authenticated Users is not enough, because the Background Sync for example is done by the System Account, which is Member of the Everyone Group! Adding the System Account to the Auth. Users will not help.

    Hth

    Jonny

  • I'm pretty sure Authenticated Users would work, as the SYSTEM account when it accesses network resources uses the COMPUTERNAME$ computer account in AD and that is a member of Authenticated Users. The Everyone group does literally mean everyone, not just domain accounts.

  • @Chris

    sorry, nop. Everyone is every in the Domain Authenticated User and not literally everone. If Authenticated Users work for you, fine. You will have Problemes with the Tree Connect like missing write_dac permission for the System account which is needed for the Background sync. You will see that in a Network Trace.

    technet.microsoft.com/.../dd637754.aspx

    The Authenticated Users identity Any user accessing the system through a logon process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization.

    The Everyone identity All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to a system resource.

    the above mentioned Share & NTFS Permissions are the Minimum Permissions needed for Offline Files in W7. There is even a KB Artikel about it:

    support.microsoft.com/.../2512089

  • @JonnyR

    Can you provide further details about the write_dac permission issue that you mentioned to @Chris? An example network trace and associated explanation would be very helpful. Speaking of network traces, have you ever considered doing a blog post (or series) about packet-level analysis of Folder Redirection and Offline Files processes?

    One more thing, do you mind sharing your thoughts about the following guidance?

    helgeklein.com/.../windows-7-offline-files-survival-guide

  • Hi Mark

    - write_dac permission

    the details about write_dac can be found on MSDN:

    technet.microsoft.com/.../cc961992.aspx

    the system account needs write_dac permissions for the background synchronization.

    - packet-level analysis

    nop, due to lack of time

    - thoughts about the following guidance?

    I am sorry but I am not commenting other Blogs in my Blog, the only thing I can tell you is that my Blog is about Offline Files and Folder Redirection, specially for Create security-enhanced offline Files Folder created automatically by the Folder Redirection GPO where you will need the above mentioned minimum permissions. If you create the folders manually the permissions needed are different.  The Part of the Blog you mentioned is about Offline Files only.

    Offline Files and Folder Redirection are two different features. The only thing they have in common is the use of the CSC Cache if you did not disable the automatically make available offline for Folder Redirection.

  • Jonny,

    Thanks for the info and prompt reply.

    Regarding the blog post that I referenced, you’ve provided the clarification that I needed—even without commenting about it. :)

    While it’s now clear to me that your blog post focuses on Folder Redirection in combination with Offline Files, one of your responses to Chris128 implied that the permissions in question were required for Offline Files only:

    “the above mentioned Share & NTFS Permissions are the Minimum Permissions needed for Offline Files in W7. There is even a KB Artikel about it: support.microsoft.com/.../2512089”

    That’s where I got a bit confused. The KB article doesn’t make any reference to Folder Redirection and implies that the “Minimum Permission Required” are only related to Offline Files (the subject of the KB article).

    Now I understand the discrepancy being pointed out in the blog post that I referenced. The guidance provided in KB2512089 is indeed, misleading. It includes some permissions that are not **required** for Offline Files functionality exclusively or even **required** to address the symptom described in the KB article.

    I wish the appropriate team(s) at Microsoft would create a definitive KB article that explains the **absolute minimum** permissions that are truly required for common Folder Redirection and Offline Files usage scenarios (when used together and independently). Instead of just listing a set of permissions, this as yet nonexistent KB article would also explain why each permission is needed. I think that type of KB article would eliminate a lot of confusion that seems (based on related Internet searches) to persist about this subject matter. Dreamers will dream. :)

    Thanks again for your response.

    Best regards,

    Mark

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment