daveyd123

Permission issue with Server 2003

I can log on locally or Remote Desktop into our 2003 Server and create a folder on the root of the "D" drive.  In the folder I put a sample text file.

I have set the share as well as the NTFS permissions on that folder to only Domain Admins, Full Control.  The folder is not inheriting any permissions from the root.  The only permissions on the folder and the text file are Domain Admins, Full Control.

Now...When I log on locally or through Remote Desktop to the Server, I can add and delete files in the Folder mentioned above.  BUT...when I browse using the RUN command from my PC and use the UNC (\\servername\d$), I CANNOT add files or delete anything in the folder...I cannot delete the folder either.  Even if I map a drive, I get the same results.

I am in the Domain Admins group.  Any ideas??
Netman66

Make sure SYSTEM has Full Control too.

Advise.
daveyd123

ASKER

The root of the drive is shared as the admin share D$.  The folder resides on D$.  The folder is not inheriting permissions.  The share permissions set on the folder are Domain Admins, Full Control and Everyone, Full Control.  The NTFS permissions are set to Domain Admins, Full Control and System, Full Control.

If I browse to \\servername\sharedfolder, I can add/delete contents of the folder.

If I browse to \\servername\d$, I cannot delete the shared folder or modify the contents.

The NTFS permissions on the D$ drive are...Everyone, Modify, Domain Admins, Full Control, System, Full Control, Authenticated Users, Modify


Once again, I am a Domain Admin


Because you are (by default) a member of Authenticated Users - the most restrictive share permissions apply - thus Modify (and I bet some Special Permissions also).

OK...here is what I am trying to do...

I created a shared folder named "Shared" on the D: drive.  In the "shared" folder are subfolders for each Department. (Finance, HR)  I created 2 Security groups (Finance group, HR group)

I want Finance users to have Full control of the files/folders in the Finance folder but not be able to delete the Finance Folder itself.

If I give the Finance group NTFS Modify permissions to the Finance folder, the users can delete the entire Finance folder...which I don't want.

Like I said, I need the users to be able to have full control of their files in their respective folders...without being able to delete the entire folder itself.



Not possible with Windows.

I have heard many requests on this.  The plain truth is you cannot remove Delete permissions without affecting Write permissions.  You can try to work with specifically Denying Delete, but I think you will see that by doing so you cannot create a new folder and change its name - I have toyed with this in the past and can't completely remember all the combinations and their results.  However, I did this on Windows 2000 Server - perhaps this is now possible on 2003??

Perhaps, try this:

Make sure Administrators and SYSTEM have Full Control.  Remove Inheritance from the root and copy the ACEs.  Remove Authenticated Users and Everyone.  Add your Finance Group.  Select Finance Group and hit the Advanced button.  Select the Finance Group again and select Edit.  Check the box beside Delete Files and Folders under Deny.  Try creating and deleting while logged in as a member of Finance Group.  If it works the way it's logically supposed to, you should not be able to delete.  Now, if you want to do this at each folder then remove inheritance and copy ACEs to the folder and from Advanced, then Edit for the Finance Group simply Deny the Delete only on the folder - instead of Delete Files and Folders.

You also could create the Finance folder and give Read Only, but allow create files and folders.  This way they become Owners of anything they create and have full control of them while still inheriting Read from the parent for the rest of the members.

Advise what your outcome is.



I figured it out!!

Here's how it's set up...

I created a shared folder on the root of D: named "Shared".  Gave the Change share permission to Domain Users.
Created a subfolder in "shared" and named it Finance.  Gave the Finance group Read & Execute, List Folder Contents, Read and Special (Delete Subfolders and Files) NTFS Permissions.

Now members of the Finance group can create, modify and delete files in the Finance folder...when they try to delete the entire Finance folder...they get Access Denied  :-)

*all the folders are not inheriting any permissions
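
Added example, not part of the original thread: a simplified Python model of the NTFS rule that a delete succeeds when the caller holds DELETE on the object itself or "Delete Subfolders and Files" on its parent, which is why Modify on the Finance folder lets users remove it while the special permission does not. All ACLs here, including the ones on "Shared" and on the sample file, are constructed assumptions.

```python
# Simplified model of the NTFS delete check (constructed ACLs, not read from a real server).
DELETE            = 0x00010000   # standard right: delete this object
FILE_DELETE_CHILD = 0x00000040   # "Delete Subfolders and Files" on a folder
READ_EXECUTE      = 0x001200A9   # Read & Execute / List Folder Contents / Read
MODIFY            = 0x001301BF   # Modify: includes DELETE, not FILE_DELETE_CHILD

def granted(acl, groups, right):
    """First matching ACE for this single right decides; no match means denied."""
    for ace_type, trustee, mask in acl:
        if trustee in groups and mask & right:
            return ace_type == "allow"
    return False

def can_delete(target_acl, parent_acl, groups):
    """Delete succeeds with DELETE on the target OR FILE_DELETE_CHILD on its parent."""
    return (granted(target_acl, groups, DELETE)
            or granted(parent_acl, groups, FILE_DELETE_CHILD))

user = {"Finance group"}
shared_acl = [("allow", "Finance group", READ_EXECUTE)]  # assumed ACL on D:\Shared

# Modify on the Finance folder: the folder itself can be deleted.
finance_modify = [("allow", "Finance group", MODIFY)]
# Read & Execute plus the special "Delete Subfolders and Files" permission.
finance_special = [("allow", "Finance group", READ_EXECUTE | FILE_DELETE_CHILD)]
# A file inside Finance whose own ACL grants the group no DELETE (assumed).
file_acl = [("allow", "Finance group", READ_EXECUTE)]

def scenario():
    return {
        "modify: delete Finance folder": can_delete(finance_modify, shared_acl, user),
        "special: delete Finance folder": can_delete(finance_special, shared_acl, user),
        "special: delete file inside": can_delete(file_acl, finance_special, user),
    }

if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case}: {'allowed' if allowed else 'Access Denied'}")
```

The model covers only the delete decision; creating or changing files depends on other rights that it does not evaluate.
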
Very nice.

This is a useful thread.

Cheers!
NM
Well, he kind of answered his own question.....

PAQ and refund...

ASKER CERTIFIED SOLUTION
modulo
