
Configure Create AD User Windows Home Folder Permissions

Article ID: 1772
Last updated: 13 Apr, 2020

By default, Identity Maestro assigns Full Control file system permissions to the user for their own home folder when creating a new user. Some client environments prefer to set more restrictive file system permissions, typically removing Full Control so that the user can no longer change the permissions on their home folder or share it with another user, but can still do everything else.

This article will discuss:

  • Configure Home Folder ACL Permissions
  • Setting Permissions for UNC Direct and Local
  • Setting Permissions for DFS
  • Setting Permissions for WMI
  • Calculating the FileSystemRights Key Value
  • Create Home Folder Retries

Applies to

  • Identity Maestro 4.1.1+

Configure Home Folder ACL Permissions 

Administrators can control home folder file system permissions by setting option keys in the configuration file for the ServiceControl Connection Agent service. The Omni.Services.Connection.exe.config file is located in the \IdentityMaestro\Agents\Omni.Services.Connection folder.

Option Key                                            Home Directory Providers   Special Use Case                                         Release Versions
----------------------------------------------------  -------------------------  -------------------------------------------------------  ----------------
WindowsHomeDirectories.AccessRights                   UNC Direct, Local          Home folders hosted in DFS shares (UNC Direct or WMI)    4.1.1 or higher
WindowsHomeDirectories.AccessRights.FileSystemRights  WMI                        None                                                     4.0.5 or higher

Which option key to use depends on which Home Directory Provider is configured in the Active Directory connection.

Setting Permissions for UNC Direct and Local

If the Home Directory Provider is set to either UNC Direct or Local, set the WindowsHomeDirectories.AccessRights option key in the \IdentityMaestro\Agents\Omni.Services.Connection\Omni.Services.Connection.exe.config file.

The default, which is set automatically, grants Full Control and is expressed as:

<add key="WindowsHomeDirectories.AccessRights" value="FullControl; ContainerInherit, ObjectInherit; None; Allow" />

There is a slightly more restrictive version that is often found on the Internet as a recommendation. It removes the FullControl (and thus ChangePermissions and TakeOwnership) permissions, so the user is no longer able to change the Access Control List (ACL) on their home folder, but they can do everything else. That assignment would look like this:

<add key="WindowsHomeDirectories.AccessRights" value="AppendData, CreateDirectories, CreateFiles, Delete, DeleteSubdirectoriesAndFiles, ExecuteFile, ListDirectory, Modify, Read, ReadAndExecute, ReadData, ReadAttributes, ReadPermissions, Write, WriteData; ContainerInherit, ObjectInherit; None; Allow" />

Add the applicable option key to the Omni.Services.Connection.exe.config file.

Setting Permissions for DFS

If the Home Directory Provider is set to UNC Direct or WMI and the home folders are being created in a DFS share, set the desired permissions in the Omni.Services.Connection.exe.config file using the WindowsHomeDirectories.AccessRights key, exactly as described for UNC Direct above.

Setting Permissions for WMI

If the Home Directory Provider is set to WMI and the home folders are not being created in a DFS share, then permissions are controlled with the WindowsHomeDirectories.AccessRights.FileSystemRights option key, which stores the rights as a single numeric value. The default, set automatically, is Full Control:

<add key="WindowsHomeDirectories.AccessRights.FileSystemRights" value="2032127" />

There is a slightly more restrictive version that is often found on the Internet as a recommendation. It removes the FullControl (and thus ChangePermissions and TakeOwnership) permissions, so the user is no longer able to change the permissions on their home folder, but they can do everything else. That assignment would look like this:

<add key="WindowsHomeDirectories.AccessRights.FileSystemRights" value="197397" />

Calculating the FileSystemRights Key Value

Each permission is assigned a numeric value. To calculate the key value, leave out the permissions that are not being granted (e.g. ChangePermissions, TakeOwnership, Synchronize, and FullControl) and apply the following rules to the rest:

  • Add the values together, but do not count a value twice when two names share the same number (ReadData and ListDirectory are both 1, for instance).
  • Ignore any that are not a pure power of 2 (ReadAndExecute is actually the sum of Read (131209) and ExecuteFile (32), which is why it is not a power of 2).

Here is an example spreadsheet calculation for restricted permissions assignment that removes FullControl:
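The rights list in the WindowsHomeDirectories.AccessRights value and the numeric WindowsHomeDirectories.AccessRights.FileSystemRights value are two encodings of the same Windows access mask, and the numbers used in this article (2032127 for FullControl, 131209 for Read, 32 for ExecuteFile) are the values of the .NET System.Security.AccessControl.FileSystemRights enumeration. The Python script below is an added example, not Identity Maestro code. It carries those enumeration values inline, builds a mask from a list of right names with bitwise OR (which makes the no-double-counting and power-of-two rules above unnecessary, because OR-ing an alias or a composite name can never count a bit twice), parses the four-part AccessRights value, decodes a numeric mask back into flag names, and scans an exe.config fragment to report whether a configured key still grants ChangePermissions or TakeOwnership. The configuration fragment is constructed for the example, and the function names are the example's own.

```python
"""Audit the home-folder permission keys of an Omni.Services.Connection.exe.config.

Added example, not Identity Maestro code.  The numeric values are those of the
.NET System.Security.AccessControl.FileSystemRights enumeration, which is what
the WindowsHomeDirectories.AccessRights.FileSystemRights key stores.
"""
import xml.etree.ElementTree as ET

# FileSystemRights values: the atomic bits plus the composite names the
# article lists.  Names that share a value (ReadData/ListDirectory, ...) are
# aliases of the same bit, which is why naive addition double-counts them.
FILE_SYSTEM_RIGHTS = {
    "ListDirectory": 0x1, "ReadData": 0x1,
    "WriteData": 0x2, "CreateFiles": 0x2,
    "AppendData": 0x4, "CreateDirectories": 0x4,
    "ReadExtendedAttributes": 0x8,
    "WriteExtendedAttributes": 0x10,
    "ExecuteFile": 0x20, "Traverse": 0x20,
    "DeleteSubdirectoriesAndFiles": 0x40,
    "ReadAttributes": 0x80,
    "WriteAttributes": 0x100,
    "Delete": 0x10000,
    "ReadPermissions": 0x20000,
    "ChangePermissions": 0x40000,
    "TakeOwnership": 0x80000,
    "Synchronize": 0x100000,
    "Write": 0x116,            # composite: WriteData|AppendData|WriteEA|WriteAttributes
    "Read": 0x20089,           # composite: ReadData|ReadEA|ReadAttributes|ReadPermissions
    "ReadAndExecute": 0x200A9, # composite: Read|ExecuteFile
    "Modify": 0x301BF,         # composite: ReadAndExecute|Write|Delete
    "FullControl": 0x1F01FF,   # composite: every bit above
}

# Bits that let the user rewrite the ACL of their own home folder.
ACL_CONTROL_MASK = (FILE_SYSTEM_RIGHTS["ChangePermissions"]
                    | FILE_SYSTEM_RIGHTS["TakeOwnership"])

# The restricted list from the article's AccessRights example.
RESTRICTED_RIGHTS = [
    "AppendData", "CreateDirectories", "CreateFiles", "Delete",
    "DeleteSubdirectoriesAndFiles", "ExecuteFile", "ListDirectory", "Modify",
    "Read", "ReadAndExecute", "ReadData", "ReadAttributes", "ReadPermissions",
    "Write", "WriteData",
]


def rights_mask(names):
    """OR the named rights together; aliases and composites cannot be counted twice."""
    mask = 0
    for name in names:
        mask |= FILE_SYSTEM_RIGHTS[name.strip()]   # unknown names raise KeyError
    return mask


def decode_mask(mask):
    """Return (atomic flag names present in mask, bits no FileSystemRights flag defines)."""
    names, remaining, seen = [], mask, set()
    for name, value in FILE_SYSTEM_RIGHTS.items():
        if value & (value - 1):            # composite name: not a single bit, skip
            continue
        if mask & value and value not in seen:
            names.append(name)             # first alias listed wins
            seen.add(value)
            remaining &= ~value
    return names, remaining


def parse_access_rights(value):
    """Split 'rights; inheritance flags; propagation flags; access type' into parts."""
    parts = [p.strip() for p in value.split(";")]
    if len(parts) != 4:
        raise ValueError("expected 'rights; inheritance; propagation; type'")
    rights, inheritance, propagation, ace_type = parts
    return {
        "mask": rights_mask(rights.split(",")),
        "inheritance": {f.strip() for f in inheritance.split(",")},
        "propagation": propagation,
        "type": ace_type,
    }


def user_can_change_acl(mask):
    """True when the mask lets the user alter permissions or take ownership."""
    return bool(mask & ACL_CONTROL_MASK)


def audit_config(config_xml):
    """Report the effective mask of each home-folder permission key in an exe.config."""
    report = {}
    for add in ET.fromstring(config_xml).iter("add"):
        key, value = add.get("key"), add.get("value")
        if key == "WindowsHomeDirectories.AccessRights":
            mask = parse_access_rights(value)["mask"]
        elif key == "WindowsHomeDirectories.AccessRights.FileSystemRights":
            mask = int(value)              # the WMI key stores the mask as a decimal number
        else:
            continue
        report[key] = {"mask": mask, "acl_control": user_can_change_acl(mask)}
    return report


# Constructed appSettings fragment: the restricted AccessRights list beside
# the default (Full Control) FileSystemRights value.
SAMPLE_CONFIG = f"""<configuration><appSettings>
  <add key="WindowsHomeDirectories.AccessRights"
       value="{', '.join(RESTRICTED_RIGHTS)}; ContainerInherit, ObjectInherit; None; Allow" />
  <add key="WindowsHomeDirectories.AccessRights.FileSystemRights" value="2032127" />
</appSettings></configuration>"""

if __name__ == "__main__":
    for key, info in audit_config(SAMPLE_CONFIG).items():
        names, unknown = decode_mask(info["mask"])
        print(f"{key}: mask={info['mask']} user_can_change_acl={info['acl_control']}")
        print("  flags:", ", ".join(names), "| undefined bits:", hex(unknown))
```

Run the file directly to print the report for the constructed fragment; audit_config can be given the text of the real Omni.Services.Connection.exe.config instead. A mask that decodes with non-zero undefined bits contains values that no FileSystemRights flag defines and is worth re-checking before it is deployed.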

Create Home Folder Retries

Home folder creation may time out and fail. This can happen when the Windows server hosting the home folders is slow to respond to the create home folder request. By default, the create home folder process automatically retries three times before reporting an error. To increase the number of retries, and with it the chance that the Windows server hosting the home folders responds in time, set the HomeDirectory.CheckCreationRetries option key in the \IdentityMaestro\Agents\Omni.Services.Connection\Omni.Services.Connection.exe.config file. For example, to allow five retries:

<add key="HomeDirectory.CheckCreationRetries" value="5" />
