DBMNSU

I am at a State U and want to create a temporary directory, say, C:\Users\temp, that can be used by multiple students that authenticate through a domain. A trivial task in Linux, but are there other ramifications in Windows 7? I have found %temp% is C:\Users\staff\AppData\Local\Temp.

Would changing %temp% to C:\Users\temp break other things? Should I just leave %temp% alone but still create and have available C:\Users\temp for other things?

Can I make the above directory where described, and what permissions do I need to set to make this happen? Do I just add write or add modify too?

Thanks...
 


Windows temp files are not open like they are in Linux. Many applications make temporary files while they run and need these folders to be in specific places. Some will use the %temp% environment key, some won't. What would likely happen is that you would find system files --some of which may contain confidential information-- in your newly created folder.

You can, by all means, create a folder named Temp any place you like. Also don't forget Windows has a "Public" folder that is shared by all users... you could create a Temp folder there for them to use, just don't mess with the environment variable.
 


I looked at the Users\Public directory and couldn't determine the permission settings. When I looked at Security I found CREATOR OWNER with ALLOW="" & DENY=""; SYSTEM with ALLOW="FULL CONTROL/MODIFY/Read&execute/ListFolderContents/Read/Write" ; BATCH with ALLOW="" & DENY="" ; Administrators same as SYSTEM ; INTERACTIVE with ALLOW="" & DENY="" ; SERVICE the same.

With the above permissions, it looks like only two groups can create an item in \Users\Public. I logged in as a plain user and was able to create folder \Users\Public\Dir, which surprised me. Why was I able to create the folder?

Is there a command line tool that tells the effective permission setting on a folder or file?

Thanks...
 


You need to look at the sharing privileges, not the security settings.

Right click on \Users\Public, select Properties, then Sharing, Advanced Sharing, then Permissions.
 


Thanks for answering.

I have looked at sharing for \User\Public and to me it looks like these are permissions to share with another user on another computer - not read/write/execute permissions. The security settings look more like local machine privileges.

I may need a little more help to understand this.
 


Ok... let's simplify... Forget "Temp" and "%temp%" ... no matter what you are naming it, you are creating a shared folder where "Everyone" has full access. You can call it Common, Shared, MuppingSnarf, whatever you like... you're creating a shared folder.

This is actually relatively trivial on Windows... Create a folder --any folder, anywhere on your system-- right click, properties, sharing, share the folder and set "Everyone" to have full control. It's done. Anyone who sees that can use it...

There's no need to make it any more complex than that.
 


I get it now - you are calling a shared folder not one being shared across the network but shared among users on the local machine. So the security settings on a folder are what I change.

I like the simplicity of your solution but would that allow a non-privileged user (NPU) to delete the folder? How do I limit that?

Also - why do the security settings on \user\Public allow a NPU to create a folder or document? On \Users I found Everyone with Read&Exec;ListFolderContents;Read - is that inherited through the subsequent directories and files? So I can see the contents of \Users (that are not hidden) but not create anything in \Users as a NPU. But on \User\Public I don't see any reference to Everyone, yet it looks like everyone can create and delete folders & files.

I know this is trivial on a single-user machine, but in a student environment the computers get "messy" if not locked down.
 


Nope ... I am calling a shared folder one that is shared across the network.
You make your permission settings in the file share, NOT in the user permissions.

In fact I would strongly advise you against changing security settings on any folder on a Windows system unless it is absolutely necessary. Windows user permissions are a dog's breakfast of inheritance and can cause some very unpredictable results when changed.

I am talking about network sharing and network permissions...
Let's try an example...
Assuming you have win7 set up and accessing files correctly on a Work Network...

To create a new folder open the existing folder you want this one to be inside...
Right click on open space in Windows Explorer...
From the context menu select NEW then FOLDER...
Name your folder FRED (for our example) and you're done.

This new folder will not be shared on the network or amongst other users... you OWN it. Do not even look at the security tab, as we are not going there.

Now to share your new folder named FRED ...
right click and select SHARE WITH -> ADVANCED SHARING -> ADVANCED SHARING.
Now you will see a dialog with only one checkbox that says "share this folder" ...
Check the box.
Now name your share...We'll call it FRED_SHARE for our example.
Next click on PERMISSIONS at the bottom of that dialog...
This is the sharing permissions which are completely separate from user permissions.
You will see a dialog that lists users...
Initially it only has EVERYONE in it...
At the bottom you will see a list of permissions --full control, change, read.
To let everyone who has access to the computer add, change, delete, etc. simply check "Full Control"...
OK your way back out.

Now when users connect to your computer over the LAN they will see FRED_SHARE listed... and they can use it as they see fit.

We could have just as easily named it TEMP ...

Really it's that easy.
 


Thanks for your detailed description. I now see you are not answering my questions.

Bye...
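
For the local (NTFS) side of the questions asked in this thread, namely how to let domain users create files in C:\Users\temp without being able to delete the folder and how to list a folder's permissions from the command line, here is an added example that is not from any poster in the thread. It assumes an elevated PowerShell prompt, English-language account names, and the C:\Users\temp path from the first post.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumes English account names and the C:\Users\temp path from the first post.
$dir = 'C:\Users\temp'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Drop inherited ACEs and grant an explicit, /tmp-like set:
#   SYSTEM, Administrators : full control on the folder and everything below
#   CREATOR OWNER          : Modify on whatever a user creates (inherit-only)
#   Authenticated Users    : on this folder only: list/traverse (RX),
#                            create files (WD), create subfolders (AD)
# No DELETE or delete-child (DC) right is granted on the folder itself, so a
# non-privileged user cannot remove the folder or other users' files, but can
# still modify and delete what they created themselves.
icacls $dir /inheritance:r /grant:r `
    'SYSTEM:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'CREATOR OWNER:(OI)(CI)(IO)M' `
    'Authenticated Users:(RX,WD,AD)'

# List the resulting ACL from the command line. Rights outside the standard
# bundles show up in the basic Security tab only as "Special permissions",
# which is why entries can look empty there; icacls prints each ACE in full.
icacls $dir
icacls 'C:\Users\Public'   # compare with the folder examined in the thread

# The same ACL as objects, including which entries are inherited.
(Get-Acl $dir).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags,
                 PropagationFlags, IsInherited -AutoSize
```

These commands set and display NTFS permissions only; they do not create or change a network share.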
 

