• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 138
  • Last Modified:

Permission issue with Server 2003

I can log on locally or Remote Desktop into our 2003 Server and create a folder on the root of the "D" drive.  In the folder I put a sample text file.

I have set the share as well as the NTFS permissions on that folder to only Domain Admins, Full Control.  The folder is not inheriting any permissions from the root.  The only permissions on the folder and the text file is Domain Admins, Full Control.

Now...When I log on locally or through Remote Desktop to the Server, I can add and delete files in the Folder metioned above.  BUT...when I browse using the RUN command from my PC and use the UNC (\\servername\d$), I CANNOT add files or delete anything in the folder...I cannot delete the folder either.  Even if I map a drive, I get the same results.

I am in the Domain Admins group.  Any ideas??
0
daveyd123
Asked:
daveyd123
  • 5
  • 3
1 Solution
 
Netman66Commented:
Make sure SYSTEM has Full Control too.

Advise.
0
 
daveyd123Author Commented:
The root of the drive is shared as the admin share D$.  The folder resides on D$.  The folder is not inheriting permissions.  The share permissions set on the folder are Domain Admins, Full Control and Everyone, Full Control.  The NTFS permissions are set to Domain Admins, Full Control and System, Full Control.

If I browse to \\servername\sharedfolder, I can add/delete contents of the folder.

If I browse to \\servername\d$, I cannot delete the shared folder or modify the contents

The NTFS permissions on the D$ drive are...Everyone, Modify, Domain Admins, Full Control, System, Full Control, Authenicated Users, Modify


Once again, I am a Domain Admin


0
 
Netman66Commented:
Because you are (by default) a member of Authenticated Users - the most restrictive share permissions apply - thus Modify (and I bet some Special Permissions also).

0
Granular recovery for Microsoft Exchange

With Veeam Explorer for Microsoft Exchange you can choose the Exchange Servers and restore points you’re interested in, and Veeam Explorer will present the contents of those mailbox stores for browsing, searching and exporting.

 
daveyd123Author Commented:
OK...here is what I am trying to do...

I created a shared folder named "Shared" on the D: drive.  In the "shared" folder are subfolders for each Department. (Finance, HR)  I created 2 Security groups (Finance group, HR group)

I want Finance users to have Full control of the files/folders in the Finance folder but not be able to delete the Finance Folder itself.

If I give the Finance group NTFS Modify permissions to the Finance folder, the users can delete the entire Finance folder...which I dont want.

Like I said, I need the users to be able to have full control of their files in their respective folders...without being able to delete the entire folder itself.



0
 
Netman66Commented:
Not possible with Windows.

I have heard many requests on this.  The plain truth is you cannot remove Delete permissions without affecting Write permissions.  You can try to work with specifically Denying Delete, but I think you will see that by doing so you cannot create a new folder and change it's name - I have toyed with this in the past and can't completely remember all the combinations and their results.  However, I did this on Windows 2000 Server - perhaps this is now possible on 2003??

Perhaps, try this:

Make sure Administrators and SYSTEM have Full Control.  Remove Inheritance from the root and copy the ACEs.  Remove Authenticated Users and Everyone.  Add your Finance Group.  Select Finance Group and hit the Advanced button.  Select the Finance Group again and select Edit.  Check the box beside Delete Files and Folders under Deny.  Try creating and deleting while logged in as a member of Finance Group.  If it works the way it's logically supposed to, you should not be able to delete.  Now, if you want to do this at each folder then remove inheritance and copy ACEs to the folder and from Advanced, then Edit for the Finance Group simple Deny the Delete only on the folder - instead of Delete Files and Folders.

You also could create the Finance folder and give Read Only, but allow create files and folders.  This way they become Owners of anything they create and have full control of them while still inheriting Read from the parent for the rest of the members.

Advise what your outcome is.



0
 
daveyd123Author Commented:
I figured it out!!

Here's how its setup...

I created a shared folder on the root of D: named "Shared".  Gave the Change share permission to Domain Users.
Created a subfolder in "shared" and named it Finance.  Gave the Finance group Read & Excute, List Folder Contents, Read and Special (Delete Subfolders and Files) NTFS Permissions.

Now members of the Finance group can create, modify and delete files in the Finance folder...when they try to delete the entire Finance folder...they get Access Denied  :-)

*all the folders are not inheriting any permissions
0
 
Netman66Commented:
Very nice.

This is a useful thread.

Cheers!
NM
0
 
Netman66Commented:
Well, he kind of answered his own question.....

PAQ and refund...

0
 
moduloCommented:
Closed, 100 points refunded.

modulo
Community Support Moderator
Experts Exchange
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now