Solved

New Superuser - Setting permissions for a shared drive

Posted on 2001-08-02
Last Modified: 2010-04-13
I have inherited the task of assigning permissions for users on a shared drive. This responsibility comes with no documentation - go figure! Being the *new* superuser for this shared drive, I only have the ability to assign permissions for users once their account has been created. I cannot create users or groups. Again, I can only assign permissions to existing users.

Being on Windows 2000, I have been instructed to use a "File Manager" program to assign permissions. I was told that using Explorer for permissions is basically unusable. So I have this "File Manager" App for assigning permissions.

I need to know the processes for modifying permissions for a user. Is there a resource on the Net I can reference? Either help using this File Manager or DOS Commands (with explanations) would be great. Any ideas? Thanks!


TK
0
Question by:TK421
15 Comments
 
LVL 4

Expert Comment

by:tituba2
ID: 6344842
You need administrator rights to create groups and assign permissions. If you are not the administrator, then you need to have your admin create the group and assign permissions. Users with standard or restricted rights cannot do this.
0
 

Author Comment

by:TK421
ID: 6344869
My employer has this structure:

Someone else only has permission to create accounts. THEN I am responsible (as admin) to set their permissions. I think it's a weird setup. Perhaps I'll understand why they have this structure as I learn more...

So I am the admin for setting permissions only (not creating a group or user).

HTH,
TK
0
 
LVL 4

Expert Comment

by:tituba2
ID: 6344904
Yes. In Windows 2000 there are several levels of rights (Power Users, Administrators, Backup etc.) that can be granted. Each level has its own set of abilities. These are assigned by the Administrator of the domain. You will need the administrator to grant you the right or create the group for you.
0
 

Author Comment

by:TK421
ID: 6344953
We are getting off track here. As the superuser for the drive I 'own', I am not looking to get the ability to create groups/users.

I am looking for ways to set permissions only. For example, here's one DOS string I know:

cacls folder /t /e /g groupname:r  <-------- This line will give a user READ access to folder, subfolders and files.

I am looking for descriptions of the operators (/t /e /g) and examples for other related tasks a person assigning permissions may need. Like I'd like to know the method to give access to a user for a folder WITHOUT access to the subfolders below, things like this...

HTH,
TK421
0
 
LVL 25

Expert Comment

by:dew_associates
ID: 6345335
TK, are you using the Win2k file manager or a 3rd party application? If 3rd party, why not set permissions using native Windows 2000 methods?

Dennis
0
 
LVL 17

Expert Comment

by:mikecr
ID: 6345699
This could get interesting because you have Share permissions and file permissions and they can override each other depending on which one is the most restrictive. Now, do you want to assign file level permissions to directories and files or do you want to assign share level permissions? File level will give you read, write, full control, on a file per file basis where share permissions will not and once allowed people can see everything but may not be able to manipulate it.
0
 

Author Comment

by:TK421
ID: 6345706
dew_associates,

I am a newbie to the permissions world. What are the native W2K methods? Is it like 'right-clicking' on a folder | Properties | Security....
I was told from our Desktop support that this method was too slow and is basically unusable. They have supplied me with "File Manager" (exactly like the File Manager from the ole days of Win 3.11. Remember?? Yikes!)
0
 
LVL 25

Accepted Solution

by:
dew_associates earned 100 total points
ID: 6345739
I know you have a lot to accomplish TK, but I think maybe you could use some info from the Win2k resource kit on shares, permissions and how to set them properly.

Try this and read some of the info:

http://www.microsoft.com/windows2000/techinfo/reskit/en/default.asp
0
 
LVL 17

Expert Comment

by:mikecr
ID: 6345805
I have to agree with dew_associates, you need to do a wee bit of research first before going in and delegating because this could get ugly.
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6346528
If you enter "help cacls" at the command line, it will output a description on what you can do with it. However, in Windows 2000, I find the right assignment via Explorer not bad at all (as long as you don't want to set/reset thousands of files, where it's pretty slow).

For shares, there are two levels of access control applying; the more restrictive one will be used. First, you can grant read or full permissions for specific users/groups (I'll just say users from now on, but it's valid for groups also). If you set the share access to read-only, the user will only be able to read data, no matter what the file ACL is. And if a user has full share access but tries to read a file he's not allowed, he'll still get an access denied message.

So, you should set the correct rights on both the share and the ACL correctly. For instance, you could set up that a user may read and write in a directory when working locally on the machine, but is restricted to read-only when accessing the very same directory via a share over the network. I guess you figure out what I mean.

To set up shares from the command line (but again, Explorer does the job just fine for me), you can use the "net share" command. To get help on the command, enter "net share /?", for a list of shared resources, enter "net share" without any additional parameter.
0
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6346538
Btw, for public write-enabled dirs where you do not want to have people modify other's data (but allow them to read it), you can use the special CREATOR-OWNER user which represents the owner of the file. So, allow the CREATOR-OWNER full access (this includes deleting) and the other users just read, and allow read and write to the directory itself.
0
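
Added example (not part of the original thread or of any poster's reply): a simplified Python model of the rule described in the comments above, where access through a share is limited to what both the share permissions and the file ACL allow, together with the CREATOR-OWNER arrangement. All user, group and ACL names are constructed, and treating CREATOR OWNER as "whoever owns the file" is a modelling assumption.

```python
# Simplified, constructed model of how share permissions and file ACLs combine.
# It does not call any Windows API; names and ACL contents are hypothetical.
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions"}

def granted(acl, principals):
    """Rights an ACL gives a set of principals: all allows minus all denies."""
    allow, deny = set(), set()
    for who, kind, rights in acl:
        if who in principals:
            (allow if kind == "allow" else deny).update(rights)
    return allow - deny

def effective(user, groups, file_acl, share_acl=None, owner=None):
    """Effective rights on a file. share_acl=None means local (non-network) access."""
    principals = {user, "Everyone", *groups}
    if user == owner:
        # Assumption: model CREATOR OWNER as an entry that matches the file's owner.
        principals.add("CREATOR OWNER")
    rights = granted(file_acl, principals)
    if share_acl is not None:
        # Over the network both layers must allow a right, so the stricter one wins.
        rights &= granted(share_acl, principals)
    return rights

# Constructed sample ACLs: (principal, "allow" or "deny", rights)
STAFF_DIR = [("Staff", "allow", CHANGE)]
READ_ONLY_SHARE = [("Everyone", "allow", READ)]
FULL_SHARE = [("Everyone", "allow", FULL)]
PRIVATE_FILE = [("Managers", "allow", FULL)]
DROPBOX_FILE = [("Staff", "allow", READ), ("CREATOR OWNER", "allow", FULL)]

def demo():
    staff = ["Staff"]
    return {
        "local": effective("alice", staff, STAFF_DIR),
        "via_read_only_share": effective("alice", staff, STAFF_DIR, READ_ONLY_SHARE),
        "full_share_private_file": effective("alice", staff, PRIVATE_FILE, FULL_SHARE),
        "dropbox_owner": effective("alice", staff, DROPBOX_FILE, FULL_SHARE, owner="alice"),
        "dropbox_other": effective("bob", staff, DROPBOX_FILE, FULL_SHARE, owner="alice"),
    }

if __name__ == "__main__":
    for case, rights in demo().items():
        print(f"{case:26} {sorted(rights)}")
```

The same user gets read/write/delete locally but only read through the read-only share, and full share access does not help on a file whose ACL does not list the user.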
 
LVL 1

Expert Comment

by:forenzixbe
ID: 6348376
Yo,

I think it is more a case of 'what' than a case of 'howto'.

1st, Your desktop support is BS'in you when saying that Explorer is unusable for this task.  Explorer would do just fine...

2nd, I think you need to sit together with all the people that are in control of all the various tasks AND with the chipmunk that implemented your company's network security strategy. The way it sounds, you are either not allowed to know anything about the security strategy or your managers think it is not necessary to know anything about it.

help cacls in a DOS window will show you some help on the cacls command.  And I think that is all you need to know to perform the task you were instructed to do.


Cheers,

F.


0
 

Author Comment

by:TK421
ID: 6355764
Thanks to all who replied. LOL to forenzixbe! You hit the nail on the head!
I'll review and close this question soon...

TK
0
 
LVL 1

Expert Comment

by:forenzixbe
ID: 6357195
Been there, done that =)

some companies get so paranoid ... and they start to cut the jobs into very tiny slices ... don't they realize that if they miss one tiny slice, their apple is incomplete ?

Duh, forgot to number the slices ...

Greetz,

F
0
 
