
KB-2920: How to restrict network home folders so users can only access their own network homes.

Mac & PC Management Service

12 April,16 at 11:13 AM

Applies to: All versions of Centrify DirectControl on Mac OS X
When setting up the network home folders from one of the following KBs:
The Security permissions allow for any authenticated user to access the network home folder of any other AD user.
How can this be restricted so that users can only access their own network home folders?

  • The following information can also be found on page 33 of the Centrify Admin Guide for Mac OS X
  • The steps in the Admin Guide and this KB are provided as a best-practice example of the most common type of network home folder environment. Please be aware that Centrify does NOT manage folder security and share permission settings on network file servers. The Centrify agent only provides the authentication into the server; the Mac share mounter then reads the security settings as presented by the file server itself.

User access to network home folders can be restricted using the following steps: 
  1. Go to one of the user home directories on the network share and right-click to open the folder properties: 
    Security tab > Advanced button > Change Permissions button 
  2. Clear the [ Include inheritable permissions from the object’s parent ] checkbox > click "Remove" when prompted 
  3. Press the Add button > enter "Users" > Check Names button (it should return the Users group) > OK button 
  4. Select the following permissions for Users:
    • Traverse folder / execute file 
    • Read Attributes 
    • Read Extended Attributes 
    • Create files / Write Data 
    • Create Folder / Append Data 

  5. The end result will be a network home folder that only the user's own account and the default Administrators group can access.
    The default Users group will only have the Special permissions configured.
    The Owner of the folder should be set to the default Administrators group.
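
To confirm the result across every home folder, the end state in step 5 can be checked from PowerShell on the file server. This is an added example, not Centrify's own code; the `D:\Homes` path, the convention that each folder is named after its owner's account, and the English built-in group names are assumptions.

```powershell
# Added example: audit each home folder against the end state in step 5.
# Assumptions (not from the KB): the D:\Homes path, folder name = account name,
# and English built-in group names.
param([string]$HomeRoot = 'D:\Homes')

# Step 4 rights for Users. Traverse/ExecuteFile, CreateFiles/WriteData and
# CreateDirectories/AppendData are the same bits. Synchronize is tolerated
# because the ACL editor normally adds it to allow entries.
$usersMax = [int][System.Security.AccessControl.FileSystemRights]'Traverse, ReadAttributes, ReadExtendedAttributes, CreateFiles, CreateDirectories, Synchronize'

Get-ChildItem -LiteralPath $HomeRoot -Directory | ForEach-Object {
    $folder   = $_
    $acl      = Get-Acl -LiteralPath $folder.FullName
    $findings = @()

    # Step 2: inherited permissions must be switched off.
    if (-not $acl.AreAccessRulesProtected) { $findings += 'inheritance still enabled' }

    # Step 5: the owner should be the Administrators group.
    if ($acl.Owner -ne 'BUILTIN\Administrators') { $findings += "owner is $($acl.Owner)" }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id      = $ace.IdentityReference.Value
        $account = ($id -split '\\')[-1]          # strip the DOMAIN\ prefix

        # The folder's own user and Administrators are expected.
        if ($id -eq 'BUILTIN\Administrators' -or $account -eq $folder.Name) { continue }

        if ($id -eq 'BUILTIN\Users') {
            # Users may hold only the five special permissions from step 4.
            $extra = [int]$ace.FileSystemRights -band (-bnot $usersMax)
            if ($extra) { $findings += "Users has extra rights: $($ace.FileSystemRights)" }
            continue
        }
        $findings += "unexpected entry: $id ($($ace.FileSystemRights))"
    }

    [pscustomobject]@{
        Folder    = $folder.Name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}
```

The script only reads permissions; any folder reported with `Compliant = False` needs the steps above reapplied or its extra entries reviewed.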

