Cerulean
I did research earlier this year on setting up a VMware View Persona repository with correct NTFS and Share permissions. These are the results of my findings with approval from a VMware support technician:
Please see http://technet.microsoft.com/en-us/library/cc757013(WS.10).aspx
Do not force access into Profiles or AppData folders or you will screw up correctly set permissions (unless someone broke them already, then whatever) and go against official requirements & recommendations of Microsoft and VMware.
Security permissions for X:\Testbed-Persona\AppData & X:\Testbed-Persona\Profiles
Code:
+-------+--------------------------------+--------------+----------------+-----------------------------------
Owner: SYSTEM
 Type    Principal                        Access         Inherited from   Applies to
 Allow   SYSTEM                           Full control   None             This folder, subfolders and files
 Allow   CREATOR OWNER                    Full control   None             Subfolders and files only
 Allow   vdi_FCTY1 (COMPANY1\vdi_FCTY1)   Special        None             This folder only
 Allow   vdi_FCTY2 (COMPANY1\vdi_FCTY2)   Special        None             This folder only
'Special' entails ONLY the following Advanced permissions (everything else uncheckmarked):
List folder / read data
Create folders / append data
Share permissions for X:\Testbed-Persona\AppData & X:\Testbed-Persona\Profiles
Code:
+--------------------------------+------------------------------------
 Group or user name               Permissions
 vdi_FCTY1 (COMPANY1\vdi_FCTY1)   Allow Full Control + Change + Read
 vdi_FCTY2 (COMPANY1\vdi_FCTY2)   Allow Full Control + Change + Read
Share name for X:\Testbed-Persona\AppData is AppData$
Share comments for X:\Testbed-Persona\AppData is: Application Data (Roaming)
Share name for X:\Testbed-Persona\Profiles is Profiles$
Share comments for X:\Testbed-Persona\Profiles is: Persona repository location
If I am dead or gone, to change permissions you must modify the NTFS security permissions by changing the owner to %hostname%\Administrators (do not "Replace owner on subcontainers and objects") --> OK out of everything. Changing owner is enough to at least let you see what the permissions are on the folder and be able to modify share permissions. Be sure to remove %hostname%\Administrators from the permissions and change the owner back to SYSTEM --> OK out of everything. I have not done research yet to see what the appropriate owner is supposed to be on the folder, so I had decided to set it to SYSTEM to be on the safe side.
IF NECESSARY (which you shouldn't even need to do) add %hostname%\Administrators with "Full control" applying to "This folder, subfolders and files" but do not replace objects/containers.
My question is regarding the Owner of X:\Testbed-Persona\Profiles and X:\Testbed-Persona\AppData so that an administrator could login under their credentials into the server storing the Persona repository and browse into these directories. If the Owner is set to SYSTEM, the administrators will get an error when they try to open the folder saying they don't have permission to access the folder.
The Microsoft article http://lucca.hardforum.com/rewrite/...spx&id=1&match=1&source=none&destination=none never said anything about what the correct Owner should be.
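Added example, not part of the original post: a PowerShell check that compares a folder's owner and NTFS entries with the layout documented above and reports drift, such as a temporary Administrators entry that was never removed. It assumes English identity names as Get-Acl prints them; `Get-AceKey`, `Test-PersonaAcl` and the sample data are hypothetical names and constructed values.

```powershell
# Added example: compares a folder's owner and DACL with the layout in the post.
# Assumptions: English identity names as Get-Acl prints them; sample data is constructed.
$Sync        = 0x100000     # Synchronize, carried implicitly by Allow ACEs
$GenericAll  = 0x10000000   # Get-Acl often reports CREATOR OWNER "Full control" as this value
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

$Expected = @(
    @{ Id = 'NT AUTHORITY\SYSTEM'; Rights = 'FullControl';          Inherit = 'ContainerInherit, ObjectInherit'; Prop = 'None' }
    @{ Id = 'CREATOR OWNER';       Rights = 'FullControl';          Inherit = 'ContainerInherit, ObjectInherit'; Prop = 'InheritOnly' }
    @{ Id = 'COMPANY1\vdi_FCTY1';  Rights = 'ReadData, AppendData'; Inherit = 'None'; Prop = 'None' }
    @{ Id = 'COMPANY1\vdi_FCTY2';  Rights = 'ReadData, AppendData'; Inherit = 'None'; Prop = 'None' }
)

function Get-AceKey($Id, $Rights, $Inherit, $Prop) {
    # Strings are parsed as FileSystemRights names; enum or integer values are used as-is.
    $mask = if ($Rights -is [string]) { [int][System.Security.AccessControl.FileSystemRights]$Rights } else { [int]$Rights }
    if ($mask -band $GenericAll) { $mask = $FullControl }
    $mask = $mask -band (-bnot $Sync)
    '{0}|{1}|{2}|{3}' -f $Id, $mask, $Inherit, $Prop
}

function Test-PersonaAcl($Owner, $Access) {
    $want = $Expected | ForEach-Object { Get-AceKey $_.Id $_.Rights $_.Inherit $_.Prop }
    $have = @(); $findings = @()
    if ($Owner -ne 'NT AUTHORITY\SYSTEM') { $findings += "Owner is $Owner, expected NT AUTHORITY\SYSTEM" }
    foreach ($ace in $Access) {
        $key = Get-AceKey "$($ace.IdentityReference)" $ace.FileSystemRights $ace.InheritanceFlags $ace.PropagationFlags
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited -or $key -notin $want) {
            $findings += "Unexpected ACE: $key"
        } else { $have += $key }
    }
    foreach ($k in $want) { if ($k -notin $have) { $findings += "Missing ACE: $k" } }
    $findings
}

# Constructed sample: the state left behind when the temporary admin access is not undone.
function New-SampleAce($Id, $Rights, $Inherit, $Prop) {
    [pscustomobject]@{ IdentityReference = $Id; FileSystemRights = $Rights; InheritanceFlags = $Inherit
                       PropagationFlags = $Prop; AccessControlType = 'Allow'; IsInherited = $false }
}
$sampleAccess = @(
    New-SampleAce 'NT AUTHORITY\SYSTEM'    $FullControl 'ContainerInherit, ObjectInherit' 'None'
    New-SampleAce 'CREATOR OWNER'          $GenericAll  'ContainerInherit, ObjectInherit' 'InheritOnly'
    New-SampleAce 'COMPANY1\vdi_FCTY1'     0x100005     'None' 'None'   # ReadData + AppendData + Synchronize
    New-SampleAce 'COMPANY1\vdi_FCTY2'     0x100005     'None' 'None'
    New-SampleAce 'BUILTIN\Administrators' $FullControl 'ContainerInherit, ObjectInherit' 'None'
)
Test-PersonaAcl 'BUILTIN\Administrators' $sampleAccess
```

Against the real folder, pass `(Get-Acl 'X:\Testbed-Persona\Profiles').Owner` and `.Access` instead of the sample; with the layout above, this needs a context that can read the ACL (for example a task running as SYSTEM), since administrators have no entry.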