Users folders are allowing list folder contents to all users.
Each folder in C:\Users is allowing me to list the folder's contents at the top level. For example, Joe can read the contents of C:\Users\Bill as well as his own C:\Users\Joe. I had expected each Users folder to be private to the user to which it is assigned. Therefore Joe should not be able to see what is in C:\Users\Bill. Is there a particular setting which may have opened list folder contents for all of the Users folders? Test system: Windows 7 Professional x64 with all updates as of October 15, 2010.
October 15th, 2010 11:06pm

I find that each subfolder of C:\Users has permission entries for the HomeUsers group. The permissions table is set to Allow the following (all other checkboxes are empty) for the group: Traverse folder / execute file; List folder / read data; Read attributes; Read extended attributes; Read permissions. All of the user accounts are members of the HomeUsers group. I have confirmed that removing the permission entries for the HomeUsers group from a C:\Users folder achieves the desired behavior. Following my original example, removing the permission entries for the HomeUsers group from C:\Users\Bill results in Joe being unable to see the contents of C:\Users\Bill. Therefore it seems that joining a computer to a Homegroup has the unexpected effect of allowing all of the local users to view each other's C:\Users folder on the local machine. I have not done any further testing to identify what features of Homegroup fail now that I have revoked these permission entries. Test system: Windows 7 Professional x64 with all updates as of October 15, 2010. System is a member of a Homegroup. System is not a member of a Domain.
October 15th, 2010 11:54pm

Thanks for the reply, leo HuangLijun. I am seeing different behavior with newly created accounts as of October 19, 2010 on a fully-updated system. Newly created accounts are generating C:\Users folders with permissions assigned only to the SYSTEM and Administrators groups and to the new user account. Permissions are not assigned to the HomeUsers group as described in my first two posts. Therefore I am able to repeat the behavior you are seeing and not the behavior described in my first two posts. Unfortunately, then, I don't have a full test case defined to reproduce the behavior I reported in the first two posts of this thread. I am certain that the HomeUsers group privileges I described were not manually assigned, since I am the only one with Administrator access on the test machines and I did not perform the assignments manually. I would need to pursue at least two possibilities for further investigation. One possible source of the HomeUsers group privileges may have been a defect in the Homegroup features that was patched via Windows Update sometime between August 22, 2010 and October 12, 2010. Another possible source of the HomeUsers group privileges may be an application-level operation in either a Windows component or in a third-party application. Let me know if you can suggest any strategies I could use for further investigation. Does Windows 7 leave an audit trail of NTFS permission assignments that I could query?
October 19th, 2010 8:00pm

That's actually quite interesting. For my original account, created during installation of Win7 X64, the permissions described by User01 are there. What's even more interesting is that for each folder and subfolder the ACL contains an entry with the rights assigned to "This Folder Only". It appears that whatever creates the initial accounts during Win7 installation explicitly applies this to each folder and subfolder of the user accounts. I can only imagine that when a user account is created at a later time the permissions are created on user login and therefore inherit the proper permissions as defined for the "Creator" security principal. It's disappointing but I still like the OS. Good catch.
November 25th, 2010 7:59pm
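
One way to check a machine for the condition discussed in this thread is to list every access control entry granted to the HomeUsers group on the folders under C:\Users, flagging entries that are explicit rather than inherited and that apply to "This folder only". This is an added example, not part of the original posts; the function name `Get-ProfileGroupAce` and its parameters are hypothetical, and it assumes Windows PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example (not from the thread). Read-only: it reports ACEs, it changes nothing.
# Assumptions: profiles live under C:\Users and the group is named HomeUsers,
# as described in the posts above. Get-ProfileGroupAce is a hypothetical name.
function Get-ProfileGroupAce {
    param(
        [string]$ProfilesRoot = 'C:\Users',
        [string]$GroupName    = 'HomeUsers',
        [switch]$Recurse      # also walk subfolders of each profile
    )

    # Match "MACHINE\HomeUsers" or a bare "HomeUsers" identity.
    $pattern = '(^|\\)' + [regex]::Escape($GroupName) + '$'

    # -Force includes hidden folders; unreadable folders and junctions are skipped.
    $folders = Get-ChildItem -LiteralPath $ProfilesRoot -Directory -Force `
                   -Recurse:$Recurse -ErrorAction SilentlyContinue

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL: $($folder.FullName)"
            continue
        }

        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -match $pattern) {
                [pscustomobject]@{
                    Path           = $folder.FullName
                    Identity       = $ace.IdentityReference.Value
                    Type           = $ace.AccessControlType   # Allow or Deny
                    Rights         = $ace.FileSystemRights
                    # False means the entry was set explicitly on this folder.
                    IsInherited    = $ace.IsInherited
                    # InheritanceFlags None is shown in the GUI as "This folder only".
                    ThisFolderOnly = ($ace.InheritanceFlags -eq
                        [System.Security.AccessControl.InheritanceFlags]::None)
                }
            }
        }
    }
}

# Top-level profile folders only; add -Recurse to include their subfolders.
Get-ProfileGroupAce | Format-Table -AutoSize
```

An empty result means no folder examined carries a HomeUsers entry, which matches the behavior reported above for newly created accounts.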

This topic is archived. No further replies will be accepted.
