Applies to: All versions of Centrify DirectControl on Mac OS X
When setting up the network home folders from one of the following KBs:
The NTFS Security permissions on the share allow any authenticated user to access the network home folder of any other AD user.
How can this be restricted so that users can only access their own network home folders?
- The following information can also be found on page 33 of the Centrify Admin Guide for Mac OS X:
- The steps in the Admin Guide and in this KB are provided as a best-practice example of the most common type of network home folder environment. Be aware that Centrify does NOT manage folder security or share permission settings on network file servers: the Centrify agent only provides authentication to the server, and the Mac share mounter then honours the security settings as presented by the file server itself.
User access to network home folders can be restricted using the following steps:
- Go to one of the user home directories on the network share, right-click it and open the folder Properties:
Security tab > Advanced button > Change Permissions button
- Clear the [ Include inheritable permissions from this object's parent ] checkbox > click "Remove" when prompted (this discards the inherited entries, so only the entries set explicitly on this folder remain)
- Press the Add button > enter "Users" > Check Names button (it should resolve to the built-in Users group) > OK button
- Select the following permissions for Users:
- Traverse folder / execute file
- Read Attributes
- Read Extended Attributes
- Create files / Write Data
- Create Folder / Append Data
- The end result is a network home folder that only the user's own account and the default Administrators group can access.
The default Users group will only have the Special permissions listed above. Note that Create files / Write Data and Create Folder / Append Data still let other users create new items inside the folder, even though they cannot list or read its contents.
The Owner of the folder should be registered as the default Administrators group.
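The same steps can be applied from the file server with PowerShell instead of the Explorer Security dialog, which is useful when there are many home folders to fix. The script below is an added example and is not part of the Centrify KB or the Admin Guide; the folder path and user account are placeholders, the "Users" entry is applied to this folder only (the KB does not state an inheritance scope), and the user's own account and Administrators are added explicitly with Full Control in case those entries were previously only inherited. Run it elevated on the file server, or against the UNC path of the share.

```powershell
# Added example, not Centrify's own code: apply the KB's permission steps to one
# network home folder with PowerShell. Placeholders: -HomeFolder (e.g. D:\Homes\jsmith)
# and -UserAccount (e.g. CONTOSO\jsmith). Assumption: the "Users" entry applies to
# this folder only.

function Set-HomeFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $HomeFolder,
        [Parameter(Mandatory)] [string] $UserAccount
    )

    $acl = Get-Acl -Path $HomeFolder

    # Step: clear "Include inheritable permissions from this object's parent" and
    # choose "Remove" -> protect the DACL and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)

    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $subtree     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $thisOnly    = [System.Security.AccessControl.InheritanceFlags]::None
    $propagate   = [System.Security.AccessControl.PropagationFlags]::None
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow

    # Entries the KB expects to remain: the user's own account and the default
    # Administrators group (added explicitly here; assumption, see lead-in).
    foreach ($principal in @($UserAccount, 'BUILTIN\Administrators')) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $principal, $fullControl, $subtree, $propagate, $allow)
        $acl.AddAccessRule($rule)
    }

    # Step: add "Users" with exactly the five special permissions from the KB.
    # FileSystemRights names: Traverse = "Traverse folder / execute file",
    # CreateFiles = "Create files / Write Data", CreateDirectories = "Create Folder / Append Data".
    $usersRights = [System.Security.AccessControl.FileSystemRights]'Traverse, ReadAttributes, ReadExtendedAttributes, CreateFiles, CreateDirectories'
    $usersRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Users', $usersRights, $thisOnly, $propagate, $allow)
    $acl.AddAccessRule($usersRule)

    # Step: the folder Owner should be the default Administrators group.
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')

    Set-Acl -Path $HomeFolder -AclObject $acl
}

# Check: show the owner and the explicit (non-inherited) entries that remain.
# Expected: the user and Administrators with FullControl, Users with only the
# five special rights, and no inherited entries at all.
function Show-HomeFolderAcl {
    param([Parameter(Mandatory)] [string] $HomeFolder)
    $acl = Get-Acl -Path $HomeFolder
    "Owner: $($acl.Owner)"
    "Inherited entries present: $(($acl.Access | Where-Object IsInherited).Count -gt 0)"
    $acl.Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType |
        Format-Table -AutoSize
}

# Usage (placeholders):
Set-HomeFolderAcl -HomeFolder 'D:\Homes\jsmith' -UserAccount 'CONTOSO\jsmith'
Show-HomeFolderAcl -HomeFolder 'D:\Homes\jsmith'
```

To process a whole home-folder tree where each folder is named after the user's account, wrap the call in a loop over `Get-ChildItem -Directory` and build the account name from the folder name; verify one folder with Show-HomeFolderAcl before running it against all of them, since SetAccessRuleProtection with Remove cannot be undone except by re-applying the parent's entries. Remember that share permissions are separate from these NTFS permissions and are not touched by this script or by Centrify.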