domain shared folder access restrictions

Hello, I hope someone can help me sort out this situation.

We have a shared folder, let's call it "Folder1".  Folder1 needs to be accessible from 5 different users on the domain and no one else.  

Now here's where the problem comes in: when I add the users into sharing permissions, give them full access, and then try to access the folder from each of those accounts, I can't view the share any longer.  
When I enable full access to group "Everyone", then the users and the rest of the network have access to the folder, which is bad.  I even tried creating a group with all 5 users added into it to see if just adding the group to the share access would work, but that didn't work either.

thanks,
matt.
dosleAsked:

rindiCommented:
Did you just give the users access via the sharing option? If so, you will also have to adjust the properties of the folder itself via Security. The allowed user group must also be allowed the correct access in Security. Also make sure those users are members of that group, but I guess you have done that. Don't forget to remove the "Everyone" group from that folder. If you have restricted the access for "Everyone", that will have precedence over the other users and groups entered in that folder, as every user is a member of the "Everyone" group. Also remove other groups from the folder which shouldn't be allowed access. If the users who should be allowed access are also members of a further group which isn't allowed access, it is always the restrictive group which takes preference.
0
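The two permission layers described in the comment above (the share's access list and the folder's Security tab), set from PowerShell as an added example that is not part of the original thread. The share name comes from the question; the path `D:\Shares\Folder1` and the group `CONTOSO\Folder1-Users` are assumed placeholders, and the SmbShare cmdlets need Windows Server 2012 / Windows 8 or later and an elevated session on the file server.

```powershell
# Added example: restrict a share to one domain group at BOTH layers.
# Assumed placeholders: $Path and $Group. Run elevated on the file server.
$ShareName = 'Folder1'
$Path      = 'D:\Shares\Folder1'          # assumed local path of the share
$Group     = 'CONTOSO\Folder1-Users'      # assumed group holding the 5 users

# 0. Report Deny entries first: a Deny on Everyone (or on any group the
#    users belong to) overrides every Allow added below.
$shareDeny = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccessControlType -eq 'Deny' }
$ntfsDeny  = (Get-Acl -Path $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' }
if ($shareDeny -or $ntfsDeny) {
    Write-Warning 'Deny entries found; review them before continuing:'
    $shareDeny | Format-Table AccountName, AccessRight
    $ntfsDeny  | Format-Table IdentityReference, FileSystemRights
}

# 1. Share permissions: allow the group, then take Everyone off the share.
Grant-SmbShareAccess  -Name $ShareName -AccountName $Group -AccessRight Full -Force
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force

# 2. NTFS permissions (the Security tab). Stop inheriting from the parent
#    but keep copies of the inherited entries so admins are not locked out.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# Re-read the ACL: the former inherited entries are now explicit and removable.
$acl = Get-Acl -Path $Path
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]'Everyone')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Show the result of both layers side by side for review.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

A user's access over the network is the more restrictive of the share permission and the NTFS permission, so any other broad entries that step 3 still lists (for example `BUILTIN\Users`) need the same review as Everyone.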
dosleAuthor Commented:
I just removed the 'Everyone' group in both sharing and file security, so now it's just my user trying to access the share, all privileges, with no success.
0
dosleAuthor Commented:
I think I just partially figured out the problem. When all our computers were set up, some of them log onto the domain and some are local.  I tested it by logging off the local account, which is what I was testing on all this time, then logging onto the domain, and I was able to access the share just fine.

Now is there a way for those computers that log on locally to get access?
0
ajschwCommented:
local accounts won't have permissions on the domain...if the shared folder is on the server, then no, at least not to my knowledge. When you set security permissions on the domain, you can't set it to a local computer account. What is stopping you from putting the local account on the domain though?
0
ajschwCommented:
Here is the exception: if you create an account on the server that is the same exact user name and password as the local account, even if they don't use the domain account and still use their local account, Windows cannot tell the difference...I just tried it here. So basically, let's say user bob has a local account, and you want him to have access to a shared folder on the domain, create an account in Active Directory for him and tell him to set the password that is the same as his local account...But that depends again on why bob wouldn't have a domain account to begin with...
hope this helps
adam
0
dosleAuthor Commented:
So my only option is to have the users log onto the domain.  When they log onto the domain, though, it's nothing like their local account which they are accustomed to using.  This is why I am staying away from moving everyone (70 users) over to domain logon, unless someone has a method that can help the situation.  
0
Problem_SolverCommented:
It sounds like you need to set up roaming profiles. It depends on the client OS how to transfer the local profile to the roaming profile stored on the server, so I can't help more without knowing the versions of server & client OS. In the longer term, learning about policies & profiles may make your admin time easier.

Steve
0
poseidoncanuckCommented:
Dosle, you imply in your last comment that when the person logs on with their new domain account, their old settings are missing (e.g. Desktop, wallpaper, browser Favorites, email, etc.)?  If this is the case, there's a simple solution that WILL allow you to migrate everyone over to using their domain account, and stop using those silly local accounts :)
http://support.microsoft.com/kb/314045/EN-US

I've done this many times before, and it works fine.  When following this KB article, perform the steps under "Grant Full Control Permission for the User Profile Folder" and "Edit the User Profile Registry Key".  Where they say "old user profile", "your restored user profile" or "the profile folder that you are restoring", that's the user's original profile for the local user account; where they say "your user profile folder", that's the user's new profile folder.

You could take one of two approaches:
- grant Full Control permissions for the old profile folder to the domain user account, and point both logons to the same Profile folder, or
- grant Full Control permissions for the old profile directory to the domain user account, remove the local account's permissions to the folder, and change the ProfileImagePath setting for the domain account to point to the old profile folder.

Personally, I'd prefer the latter choice, as it strongly encourages your users to stick with the domain account.  If you gave them the either/or choice, there's a lot less incentive to use the "new" domain account approach.
0
dosleAuthor Commented:
thanks for the input.  I will be testing this approach on some machines soon :)
0
Question has a verified solution.