Problem in Home Folder Special Security Permissions
I have a 2008R2 domain in which the users have only the following specific rights on their home folders and subfolders:

>> List folder / Read data
>> Create files / Write data
>> Create folders / Append data
>> Delete subfolders and files
>> Read attributes

The problem is that when a user creates a folder in his home folder, he gets 2 additional specific rights on that new subfolder, which are:

>> View Permissions
>> Change Permissions

whereas I have already defined in the home folder ACL that the user is only allowed 5 specific security permissions on the home folder and subfolders. How can the problem be resolved? I want the user to have only 5 specific permissions on his home folder and subsequent subfolders.
March 12th, 2012 5:32am

Make it part of the new user creation, first create AD user, then create home folder with the correct permissions. That way the home folder will not be automatically generated and will have the permissions you explicitly set on the folder.
March 12th, 2012 5:38am

Dear Jaap,

Thanks for replying. There is no problem with setting the permissions of the home folder. The problem is with the security permissions of the subfolders created by the user in his home folder. After creation of an AD user, the home folder is created automatically. I change the home folder security permissions manually as per my requirement. The problem arises when the user creates a subfolder, which automatically has two extra permissions added: View Permissions and Change Permissions. I want the permissions of each subfolder created to be the same as those of the home folder, but this does not happen.
March 12th, 2012 6:27am

Hi,

Thanks for your posting.

There are two types of permissions: explicit permissions and inherited permissions. Explicit permissions are those that are set by default when the object is created, by user action. Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.

Notes: Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry. Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.

You may refer to this article to set optimized permissions on a shared folder:

How to dynamically create security-enhanced redirected folders by using folder redirection
http://support.microsoft.com/kb/274443

For more information, please refer to the following MS articles:

Explicit vs. inherited permissions
http://technet.microsoft.com/en-us/library/cc736316(WS.10).aspx

How inheritance affects file and folder permissions
http://technet.microsoft.com/en-us/library/cc758779(v=ws.10).aspx

Lawrence
TechNet Community Support
March 12th, 2012 11:26pm

Thanks Lawrence!

So this means that the scenario which I want to implement is impossible as per the Folder Security Permission Setup of Microsoft Windows? If "YES", then can ADRMS be of any help in implementing what I really want? If ADRMS is helpful in implementing such a scenario, I would be grateful if anyone could guide me to the relevant KB article.

Regards
March 12th, 2012 11:59pm

Hi,

Thanks for your posting.

Since the home folder is created when the user first logs on, the user is the Owner. From the definition of permissions, an owner of an object always has the ability to read and change permissions on the object. So the only way is to change the Owner for each home folder; also, this change only takes effect on existing files and folders. Newly created files and folders have explicit permissions, and the user is the Owner and has read and change permission by design.

For more information, please refer to the following MS article:

How Permissions Work
http://technet.microsoft.com/en-us/library/cc783530(v=WS.10).aspx

Lawrence
TechNet Community Support
March 13th, 2012 1:53am
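
The ownership behaviour described in the reply above can be checked across a home-folder share. This is an added example, not part of the original thread: it lists folders whose owner is not the expected account, or which carry explicit ACEs granting the read/change-permissions rights. The `D:\Home` path, the `BUILTIN\Administrators` owner, the function name `Get-HomeFolderAclFinding` and PowerShell 3.0 or later are assumptions.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0+ run elevated on the file server.
# 'D:\Home' and 'BUILTIN\Administrators' are assumed values; the function name is hypothetical.
function Get-HomeFolderAclFinding {
    param(
        [string]$HomeRoot      = 'D:\Home',
        [string]$ExpectedOwner = 'BUILTIN\Administrators'
    )

    # The two rights the thread calls "View Permissions" and "Change Permissions".
    $aclRights = [int][System.Security.AccessControl.FileSystemRights]::ReadPermissions -bor
                 [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions

    Get-ChildItem -LiteralPath $HomeRoot -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            try {
                $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            } catch {
                Write-Warning "Cannot read ACL of $($dir.FullName): $($_.Exception.Message)"
                return   # skip this folder, continue with the next one
            }

            # Explicit (non-inherited) Allow ACEs that include either of the two rights.
            $explicit = @($acl.Access | Where-Object {
                -not $_.IsInherited -and
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights) -band $aclRights) -ne 0
            })

            # Report folders owned by someone else, or carrying such explicit ACEs.
            if ($acl.Owner -ne $ExpectedOwner -or $explicit.Count -gt 0) {
                [pscustomobject]@{
                    Path         = $dir.FullName
                    Owner        = $acl.Owner
                    ExplicitAces = ($explicit | ForEach-Object {
                        "$($_.IdentityReference): $($_.FileSystemRights)"
                    }) -join '; '
                }
            }
        }
}

Get-HomeFolderAclFinding -HomeRoot 'D:\Home' | Format-Table -AutoSize -Wrap

# Following the reply above, ownership of existing folders can be reset per home folder:
#   icacls 'D:\Home\<user>' /setowner 'BUILTIN\Administrators' /T /C
# Folders the user creates afterwards are owned by the user again.
```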

Thanks Lawrence!

I already got your point from your last post. I just wanted to ask whether ADRMS can help me implement the idea, i.e. when the user creates a subfolder in his home folder, he is not explicitly granted the view and change permissions rights?
March 13th, 2012 3:26am

Hi,

Thanks for your posting.

> I just wanted to ask that whether ADRMS can help me implementing the idea.

I think you misunderstand the function of Active Directory Rights Management Services (ADRMS).

Active Directory Rights Management Services (AD RMS), a format and application-agnostic technology, provides services to enable the creation of information-protection solutions. It will work with any AD RMS-enabled application to provide persistent usage policies for sensitive information. Content that can be protected by using AD RMS includes intranet Web sites, e-mail messages, and documents. AD RMS includes a set of core functions that allow developers to add information protection to the functionality of existing applications.

It's not applicable for your scenario.

For more information, please refer to the following MS articles:

Active Directory Rights Management Services Overview
http://technet.microsoft.com/en-us/library/74272acc-0f2d-4dc2-876f-15b156a0b4e0.aspx

Active Directory Rights Management Services Role
http://technet.microsoft.com/en-us/library/cc771307(v=ws.10).aspx

Active Directory Rights Management Services
http://technet.microsoft.com/en-us/library/cc771234(v=ws.10).aspx

Lawrence
TechNet Community Support
March 14th, 2012 3:06am

This topic is archived. No further replies will be accepted.
