+ Traverse Folder / Execute File
+ List Folder / Read Data
+ Read Attributes
+ Read Extended Attributes
+ Create Files / Write Data
Having just configured these settings, and discovered I am now able to write to the target share from a PC and user account that isn't yet a member of the domain, I find myself wondering if those permissions granted to 'Everyone' should instead be granted to a more specific group, such as 'Authenticated Users', in order to prevent random people writing to that folder.
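One way to carry out the change the comment above is considering, as an added PowerShell example that is not part of the original post, the blog it replies to, or any Microsoft guidance: it removes the explicit 'Everyone' entries on a folder and grants Authenticated Users exactly the five NTFS rights listed above. The folder path is a placeholder, the "this folder only" scope is an assumption, and the script is assumed to run elevated on the file server:

```powershell
# Added example, not from the blog or this thread. Replaces explicit
# 'Everyone' ACEs on a folder with an ACE that grants Authenticated Users
# the five rights listed above, scoped to this folder only (assumption).
# $Root is a placeholder path; run elevated on the file server.
param([string]$Root = 'D:\RedirectedFolders')

$FSR = [System.Security.AccessControl.FileSystemRights]
# Traverse == ExecuteFile, ListDirectory == ReadData, CreateFiles == WriteData
$minimum = $FSR::Traverse -bor $FSR::ListDirectory -bor $FSR::ReadAttributes -bor
           $FSR::ReadExtendedAttributes -bor $FSR::CreateFiles

$everyoneSid  = 'S-1-1-0'    # well-known SID of Everyone
$authUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users
$authUsers    = New-Object System.Security.Principal.SecurityIdentifier $authUsersSid

$acl = Get-Acl -Path $Root

# Drop explicit ACEs granted to Everyone. Inherited ACEs cannot be removed
# here; they must be changed at the parent or by breaking inheritance
# ($acl.SetAccessRuleProtection($true, $true)).
$explicitEveryone = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $everyoneSid
})
foreach ($ace in $explicitEveryone) { [void]$acl.RemoveAccessRule($ace) }

# Grant the minimum rights to Authenticated Users with no inheritance,
# i.e. the "Apply to: This folder only" setting in the security dialog.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $authUsers,
    $minimum,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
Set-Acl -Path $Root -AclObject $acl

# Show the resulting explicit ACEs for review.
(Get-Acl -Path $Root).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The script only touches the NTFS DACL; the share permission on the same folder is a separate ACL and still has to be reviewed on its own.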
The Everyone group contains only accounts from domain members. Meaning: every user and system account which is known by the DC is in that group. If you have access as described above, then you may have the Guest account activated; that is the one which is really dangerous. If not, you should start to search for where you have the security breach; it is for sure not the Everyone group. Authenticated Users is not enough, because the background sync, for example, is done by the System account, which is a member of the Everyone group! Adding the System account to Authenticated Users will not help.
I'm pretty sure Authenticated Users would work, as the SYSTEM account when it accesses network resources uses the COMPUTERNAME$ computer account in AD and that is a member of Authenticated Users. The Everyone group does literally mean everyone, not just domain accounts.
Sorry, nope. Everyone is every Authenticated User in the domain and not literally everyone. If Authenticated Users works for you, fine. You will have problems with the Tree Connect, like missing write_dac permission for the System account, which is needed for the background sync. You will see that in a network trace.
The Authenticated Users identity: Any user accessing the system through a logon process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization.
The Everyone identity: All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to a system resource.
The above mentioned Share & NTFS permissions are the minimum permissions needed for Offline Files in W7. There is even a KB article about it:
Can you provide further details about the write_dac permission issue that you mentioned to @Chris? An example network trace and associated explanation would be very helpful. Speaking of network traces, have you ever considered doing a blog post (or series) about packet-level analysis of Folder Redirection and Offline Files processes?
One more thing, do you mind sharing your thoughts about the following guidance?
- write_dac permission
The details about write_dac can be found on MSDN:
The System account needs write_dac permission for the background synchronization.
- packet-level analysis
Nope, due to lack of time.
- thoughts about the following guidance?
I am sorry, but I am not commenting on other blogs in my blog. The only thing I can tell you is that my blog is about Offline Files and Folder Redirection, especially for the "Create security-enhanced Offline Files folder" created automatically by the Folder Redirection GPO, where you will need the above mentioned minimum permissions. If you create the folders manually, the permissions needed are different. The part of the blog you mentioned is about Offline Files only.
Offline Files and Folder Redirection are two different features. The only thing they have in common is the use of the CSC cache, if you did not disable "Automatically make available offline" for Folder Redirection.
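An added PowerShell example, not from the blog or any of the commenters, that audits an existing folder against the points raised in this exchange: for every principal with Allow entries it reports which of the five minimum rights are missing, whether the principal holds WRITE_DAC (the right the author says the background sync needs, exposed in .NET as FileSystemRights.ChangePermissions), and it warns when Everyone can write. The folder path is a placeholder; the script only reports and does not decide which account performs the sync in a given setup:

```powershell
# Added example, not the blog's own script. Read-only audit of a folder's DACL.
# $Root is a placeholder path.
param([string]$Root = 'D:\RedirectedFolders')

$FSR = [System.Security.AccessControl.FileSystemRights]
$minimum = [ordered]@{
    'Traverse folder / execute file' = $FSR::Traverse
    'List folder / read data'        = $FSR::ListDirectory
    'Read attributes'                = $FSR::ReadAttributes
    'Read extended attributes'       = $FSR::ReadExtendedAttributes
    'Create files / write data'      = $FSR::CreateFiles
}
$writeDac = $FSR::ChangePermissions   # Win32 WRITE_DAC bit, 0x40000

$acl   = Get-Acl -Path $Root
$bySid = @{}   # SID -> @{ Name; Mask } with all Allow bits OR-ed together

foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) {
        # Deny entries override Allow; report them separately instead of summing.
        Write-Warning ("Deny ACE for {0}: {1}" -f $ace.IdentityReference, $ace.FileSystemRights)
        continue
    }
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if (-not $bySid.ContainsKey($sid)) {
        $bySid[$sid] = @{ Name = $ace.IdentityReference.Value; Mask = 0 }
    }
    # Caveat: GENERIC_* bits on inherit-only ACEs are not mapped to specific
    # rights here, so such entries may show as "missing" although they grant them.
    $bySid[$sid].Mask = $bySid[$sid].Mask -bor [int]$ace.FileSystemRights
}

foreach ($sid in $bySid.Keys) {
    $entry   = $bySid[$sid]
    $missing = @($minimum.Keys | Where-Object { ($entry.Mask -band [int]$minimum[$_]) -eq 0 })
    $hasWriteDac = ($entry.Mask -band [int]$writeDac) -ne 0

    "{0} ({1})" -f $entry.Name, $sid
    "  missing from the five minimum rights: {0}" -f $(if ($missing.Count) { $missing -join ', ' } else { 'none' })
    "  holds WRITE_DAC (Change permissions):   {0}" -f $hasWriteDac

    if ($sid -eq 'S-1-1-0' -and ($entry.Mask -band [int]$FSR::CreateFiles) -ne 0) {
        Write-Warning 'Everyone can create files here; if Guest is enabled, that includes unauthenticated callers.'
    }
}
```

Run it before and after changing the ACL to confirm that the account the sync actually uses in your environment still holds the rights it needs; a network trace, as suggested above, shows which account that is.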
Thanks for the info and prompt reply.
Regarding the blog post that I referenced, you’ve provided the clarification that I needed—even without commenting about it. :)
While it’s now clear to me that your blog post focuses on Folder Redirection in combination with Offline Files, one of your responses to Chris128 implied that the permissions in question were required for Offline Files only:
“The above mentioned Share & NTFS permissions are the minimum permissions needed for Offline Files in W7. There is even a KB article about it: support.microsoft.com/.../2512089”
That’s where I got a bit confused. The KB article doesn’t make any reference to Folder Redirection and implies that the “Minimum Permission Required” are only related to Offline Files (the subject of the KB article).
Now I understand the discrepancy being pointed out in the blog post that I referenced. The guidance provided in KB2512089 is indeed misleading. It includes some permissions that are not **required** for Offline Files functionality exclusively or even **required** to address the symptom described in the KB article.
I wish the appropriate team(s) at Microsoft would create a definitive KB article that explains the **absolute minimum** permissions that are truly required for common Folder Redirection and Offline Files usage scenarios (when used together and independently). Instead of just listing a set of permissions, this as yet nonexistent KB article would also explain why each permission is needed. I think that type of KB article would eliminate a lot of confusion that seems (based on related Internet searches) to persist about this subject matter. Dreamers will dream. :)
Thanks again for your response.