Unity Migration Blog

While working on deploying applications I came across a problem with how the permissions on our home and profile directory permissions were set.

Users had list perms to the root of Home and Profile. As a result, they could see the a-z directories contained within. Users did not have perms to list the contents of the directories under a-z. This was by design. I didn't want to give users an easy way to get a listing of every Unity ID.

This causes problems with application deployment because "My Documents" is redirected to the users home directory. When trying to install a published application, I would receive an error saying something to the effect of:

Access denied to: \\unity\itd\home\a

I had permissions to list the contents of Home and arkurth, but not to the "a" directory. Many MSI application installers use "My Documents" in some way or another. They seem to need permission to list all of the directories that make up the path to where "My Documents" is redirected. If this fails, the MSI installation fails. I have seen this with the old environment which redirected "My Documents" to K:. If the K: drive wasn't mapped, MSI installations would fail.

So, I needed to grant Domain Users list permissions to all of the a-z directories. The side effect of this is that they could now enumerate all of the other users' directory names.

Access-based Enumeration solved this problem. I have enabled Access-based Enumeration for the "Home" and "Profile" shares on FS03. There isn't much to configure - it's either off or on for a particular share. For shared directories, there is a tab under the directory properties:

The Home and Profile shares currently reside at the root of their respective volumes and there is no Access-based Enumeration tab under volume properties:

This doesn't mean that you can't enable Access-based Enumeration. The abecmd utility can be used. The following commands were executed on FS03:

abecmd /enable /Home
abecmd /enable /Profile

The end result is that I can traverse all of the directories making up the path:
\\unity\itd\home\a\arkurth

When I view the a-z directories, I only directories that I have permission to view even though I have list permission on the "a" directory:

First, be sure to change the ERA username and password whenever you install a server. I corrected this on DC03.

DC03 isn't consistently replicating to DC00 or DC01 which is causing problems for everyone working in the domain.

I think the problem is the result of a bad network connection on DC03. If you look at the system event log by opening Computer Management > System Tools > Event Viewer > System, you will see many E1000 errors:

Intel(R) PRO/1000 MT Network Connection #2 Link has been disconnected.

These errors go back to when the server was first installed. I'm guessing there is a problem with how the network cable was made.

I am trying to finish up the WDS server today. Can someone please take a look at this?

The Global Catalog role has been activated on DC03.