TK421
asked on
New Superuser - Setting permissions for a shared drive
I have inherited the task of assigning permissions for users on a shared drive. This responsibility comes with no documentation - go figure! Being the *new* superuser for this shared drive, I only have the ability to assign permissions for users once their account has been created. I can not create users or groups. Again, I can only assign permissions to existing users.
Being on Windows 2000, I have been instructed to use a "File Manager" program to assign permissions. I was told that using Explorer for permissions is basically unusable. So I have this "File Manager" App for assigning permissions.
I need to know the processes for modifying permissions for a user. Is there a resource on the Net I can reference? Either help using this File Manager or DOS Commands (with explanations) would be great. Any ideas? Thanks!
TK
Being on Windows 2000, I have been instructed to use a "File Manager" program to assign permissions. I was told that using Explorer for permissions is basically unusable. So I have this "File Manager" App for assigning permissions.
I need to know the processes for modifying permissions for a user. Is there a resource on the Net I can reference? Either help using this File Manager or DOS Commands (with explanations) would be great. Any ideas? Thanks!
TK
You need administrator rights to create groups and assign permissions. If you are not the administrator, then you need to have your admin create the group and assign permissions. User's with standard or restricted rights cannot do this.
ASKER
My employer has this structure:
Someone else only has permission to create accounts. THEN I am responsible (as admin) to set their permissions. I think it's a weird setup. Perhaps I'll understand why they have this structure as I learn more...
So I am the admin for setting permissions only (not creating a group or user).
HTH,
TK
Someone else only has permission to create accounts. THEN I am responsible (as admin) to set their permissions. I think it's a weird setup. Perhaps I'll understand why they have this structure as I learn more...
So I am the admin for setting permissions only (not creating a group or user).
HTH,
TK
Yes. In Windows 2000 there are several levels of rights (Power Users, Administrators, Backup etc) that can be granted. Each level has it's own set of abilities. These are assigned by the Administrator of the domain. You will need the administrator to grant you the right or create the group for you.
ASKER
We are getting off track here. As the superuser for the drive I 'own', I am not looking to get the ability to create groups/users.
I am looking for ways to set permissions only. For example, here's one DOS string I know:
cacls folder /t /e /g groupname:r <-------- This line will give a user READ access to folder, subfolders and files.
I am looking for descriptions of the operators (/t /e /g) and examples for other related tasks a person assigning permissions may need. Like I'd like to know the method to give access to a user for a folder WITHOUT access to the subfolders below, things like this...
HTH,
TK421
I am looking for ways to set permissions only. For example, here's one DOS string I know:
cacls folder /t /e /g groupname:r <-------- This line will give a user READ access to folder, subfolders and files.
I am looking for descriptions of the operators (/t /e /g) and examples for other related tasks a person assigning permissions may need. Like I'd like to know the method to give access to a user for a folder WITHOUT access to the subfolders below, things like this...
HTH,
TK421
TK, are you using the Win2k file manager or a 3rd party application? If 3rd party, why not set permissions using native Windows 2000 methods?
Dennis
Dennis
This could get interesting because you have Share permissions and file permissions and they can override each other depending on which one is the most restrictive. Now, do you want to assign file level permissions to directories and files or do you want to assign share level permissions? File level will give you read, write, full control, on a file per file basis where share permissions will not and once allowed people can see everything but may not be able to manipulate it.
ASKER
dew_associates,
I am a newbie to the permissions world. What are the native W2K methods? Is it like 'right-clicking' on a folder | Properties | Security....
I was told from our Desktop support that this method was too slow and is basically unusable. They have supplied me with "File Manager" (exactly like the File Manager from the ole days of Win 3.11. Remember?? Yikes!
I am a newbie to the permissions world. What are the native W2K methods? Is it like 'right-clicking' on a folder | Properties | Security....
I was told from our Desktop support that this method was too slow and is basically unusable. They have supplied me with "File Manager" (exactly like the File Manager from the ole days of Win 3.11. Remember?? Yikes!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I have to agree with dew_associates, you need to do a wee bit of research first before going in and delegating because this could get ugly.
If you enter "help cacls" at the command line, it will output a description on what you can do with it. However, in Windows 2000, I find the right assigment via Explorer not bad at all (as long as you don't want to set/reset thousands of files, where it's pretty slow).
For shares, there are two levels of access control applying; the more restrictive one will be used. First, you can grant read or full permissions for specific users/groups (I'll just say users from now on, but its valid for groups also). If you set the share access to read-only, the user will only be able to read data, no matter what the file ACL is. And if a user has full share access fur tries to read a file he's not allowed, he'll still get an access dneied message.
So, you should set the correct rights on both the share and the ACL correctly. For instance, you could set up that a user may read and write in a directory when workin locally on the machine, but is restricted to read-only when accessing the very same directory via a share over the network. I guess you figure out what I mean.
To set up shares from the command line (but again, Explorer does the job just fine for me), you can use the "net share" command. To get help on the command, enter "net share /?", fo a list of shared ressources, enter "net share" without any additional parameter.
For shares, there are two levels of access control applying; the more restrictive one will be used. First, you can grant read or full permissions for specific users/groups (I'll just say users from now on, but its valid for groups also). If you set the share access to read-only, the user will only be able to read data, no matter what the file ACL is. And if a user has full share access fur tries to read a file he's not allowed, he'll still get an access dneied message.
So, you should set the correct rights on both the share and the ACL correctly. For instance, you could set up that a user may read and write in a directory when workin locally on the machine, but is restricted to read-only when accessing the very same directory via a share over the network. I guess you figure out what I mean.
To set up shares from the command line (but again, Explorer does the job just fine for me), you can use the "net share" command. To get help on the command, enter "net share /?", fo a list of shared ressources, enter "net share" without any additional parameter.
Btw, for public wrtie-enabled dirs where you do not want to have people modify other's data (but allow them to read it), you can use the special CREATOR-OWNER user which represents the owner of the file. So, allow the CREATOR-OWNER full access (this includes deleting) and the other users just read, and allow read and write to the directory itself.
Yo,
i think it is more a case of 'what' than a case of 'howto'.
1st, Your desktop support is BS'in you when saying that Explorer is unusable for this task. Explorer would do just fine...
2nd, I think you need to sit together with all the people that are in control of all the various tasks AND with the chipmunk that implemented your companies network security strategy. The way it sounds, you are either not allowed to know anything about the security strategy or your managers think it is not necessary to know anything about it.
help cacls in a DOS window will show you some help on the cacls command. And I think that is all you need to know to perform the task you were instructed to do.
Cheers,
F.
i think it is more a case of 'what' than a case of 'howto'.
1st, Your desktop support is BS'in you when saying that Explorer is unusable for this task. Explorer would do just fine...
2nd, I think you need to sit together with all the people that are in control of all the various tasks AND with the chipmunk that implemented your companies network security strategy. The way it sounds, you are either not allowed to know anything about the security strategy or your managers think it is not necessary to know anything about it.
help cacls in a DOS window will show you some help on the cacls command. And I think that is all you need to know to perform the task you were instructed to do.
Cheers,
F.
ASKER
Thanks to all who replied. LOL to forenzixbe! You hit the nail on the head!
I'll review and close this question soon...
TK
I'll review and close this question soon...
TK
Been there, done that =)
some companies get so paranoid ... and they start to cut the jobs into very tiny slices ... don't they realize that if they miss one tiny slice, their apple is incomplete ?
Duh, forgot to number the slices ...
Greetz,
F
some companies get so paranoid ... and they start to cut the jobs into very tiny slices ... don't they realize that if they miss one tiny slice, their apple is incomplete ?
Duh, forgot to number the slices ...
Greetz,
F
Been there, done that =)
some companies get so paranoid ... and they start to cut the jobs into very tiny slices ... don't they realize that if they miss one tiny slice, their apple is incomplete ?
Duh, forgot to number the slices ...
Greetz,
F
some companies get so paranoid ... and they start to cut the jobs into very tiny slices ... don't they realize that if they miss one tiny slice, their apple is incomplete ?
Duh, forgot to number the slices ...
Greetz,
F