  • Status: Solved

File server setup properly

Hi all,

I am new to Windows 2003 server. So please bear with my simple question (if it is a simple question).

I currently have the following structure set up for my file server.

d:\network_files
    > users
       >> joe.blow
       >> john.smith (and so on)

I shared my folders in the "users" folder level, so that users can just go //server/users/username and access their folder. My "users" folder has network permission for Everyone - read & change.

Here is my problem: I have noticed that if I set network permission to everyone - read & change at user level, John.smith can go into joe.blow's acct folder and change the content inside it. Basically, users can trick another by deleting all their folders.
However, if I change the "users" folder to only read for everyone, users will not be able to create any folder or files even in their own folder.

How do I solve this problem, without having to share all the users folder individually?

THANKS IN ADVANCE!!

0
Asked by: hermanlam
 
KaliKoder Commented:
Hello HermanLam,

What you need to do is share the Users folder, and give it share permissions of everyone Full control, then restrict the joe.blow and john.smith folders with NTFS permissions such that only admins and Joe.blow have access to the joe.blow folder. When you are making the NTFS permission change, make sure you propagate the change to all child objects (subfolders) from the joe.blow folder down.

Thanks and Good Luck!
0
 
jholland79 Commented:
Mmm, maybe I'm misunderstanding things but is the idea not to give Everyone 'Full Permission' on the share, and NTFS 'Create Folder' permission for the Users folder, restricted to 'this folder only'. Give 'Full Control' on the folder to CREATOR_OWNER and Admins, ensuring that all users 'own' their own folders.
Does this work?
0
 
hermanlam (Author) Commented:
Yes. jholland79 is right. I don't want full control at the user folder level. If I grant full control, users can create folder off other people's.

jholland79: I think your solution makes a lot of sense, and exactly what I want. We have migrated our environment from Linux, and setting these up is just a breeze with the owner of the folder clearly listed when I do ls.

I know how to change owner of each account folder to the users, and then grant create owner full rights. However, how do you do 'Create folder' and restricted to 'this folder only'??
0
 
hermanlam (Author) Commented:
I keep having "access denied" when I try to create a folder or a file. It seems like it is stuck at the network permission level.
(i.e.: Sharing permission tab when I right click on a folder)

Please help. Thanks!
0
 
KaliKoder Commented:
Hello Hermanlam,

You need to take the ownership of the top level folder. Make sure you are logged on as administrator, then take ownership of the top level folder and then make sure to propagate the change to all sub folders (child objects). Please let me know if you need help in doing this and need step by step instructions.
0
 
hermanlam (Author) Commented:
Should I take owner as users group or what group should the owner be?
0
 
jholland79 Commented:
Hi hermanlam,
I'm on my home (XP Home) PC at the moment, so I can't check this. I think if you add 'Everyone' to the list of users under the 'Security' tab then click advanced, you can set allow 'Create Folders' permission and set 'this folder only'.
As for the 'Access Denied', I have two questions:
1. Are you logged in at the machine on which the share resides?
2. If not, check that the 'Permissions' on the share are correct. Remember that Windows only allows the most restrictive permissions set on a. the share and b. the folder (NTFS permissions).
Hope this helps.
John.
P.S. KaliKoder, you advise that he takes ownership of the entire folder and all child objects. Will this not a. make use of CREATOR_OWNER impossible and b. interfere with any Quota system that might be used now or in the future?
P.P.S. Perhaps SYSTEM should also have 'Full Control' over either the entire folder or top level only. Can't check this, since I am at home.
0
 
WeHe Commented:
In a bigger environment, this is usually solved in the following way:
Give "Everyone" and/or "Authenticated Users" the "Change" (which is Read&Change) Rights for the Share.
On the D:\network_files\users folders you grant "Full Control" for Administrators and "List Contents" for Authenticated Users.
On each User Directory (joe.blow, ...), you Switch off Inheritance (Advanced on Security Tab) and give the User "Change" Rights for his Folder.
If this is too much to do manually, use XCACLS or CACLS to set permissions per script.
0
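WeHe's layout applied by script, as an added example that is not part of any post in this thread. It uses PowerShell's Get-Acl/Set-Acl rather than the XCACLS/CACLS tools named above, and assumes that PowerShell is installed on the server, that each folder name equals the account name, and that `EXAMPLE` is a placeholder for your domain (or server) name.

```powershell
# Added example, not from the thread. Run as an administrator on the file server.
# Assumptions: folder name == account name; $Domain is a placeholder.
$Root   = 'D:\network_files\users'
$Domain = 'EXAMPLE'
$Admins = 'BUILTIN\Administrators'

function New-Rule([string]$Identity, [string]$Rights, [string]$Inherit) {
    # Allow rule; $Inherit is 'None' (this folder only) or
    # 'ContainerInherit, ObjectInherit' (this folder, subfolders and files).
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, 'None', 'Allow'
}

# 1. Parent folder: Administrators full control, Authenticated Users may list it.
#    The list right is set on this folder only, so it cannot flow into a home folder.
#    Other entries already present on $Root are not touched; review them by hand.
$rootAcl = Get-Acl -Path $Root
$rootAcl.SetAccessRule((New-Rule $Admins 'FullControl' 'ContainerInherit, ObjectInherit'))
$rootAcl.SetAccessRule((New-Rule 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' 'None'))
Set-Acl -Path $Root -AclObject $rootAcl

# 2. Each home folder: inheritance off, then only Administrators and the owner.
foreach ($dir in Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer }) {
    $account = New-Object System.Security.Principal.NTAccount($Domain, $dir.Name)
    try {
        # Fails if the folder name does not map to a real account.
        [void]$account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account for folder '$($dir.Name)'; ACL left unchanged."
        continue
    }

    $acl = Get-Acl -Path $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)   # block inheritance, drop inherited entries
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)        # clear earlier explicit grants
    }
    $acl.AddAccessRule((New-Rule $Admins 'FullControl' 'ContainerInherit, ObjectInherit'))
    # The share-level "Change" right corresponds to NTFS "Modify".
    $acl.AddAccessRule((New-Rule $account.Value 'Modify' 'ContainerInherit, ObjectInherit'))
    Set-Acl -Path $dir.FullName -AclObject $acl

    # Print the resulting entries so the result can be checked per folder.
    (Get-Acl -Path $dir.FullName).Access |
        Select-Object @{n='Folder';e={$dir.Name}}, IdentityReference, FileSystemRights
}
```

Files and subfolders that already carry their own explicit entries keep them; only items that inherit pick up the new rules. Folders created later need the script run again.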
 
KaliKoder Commented:
Hello Hermanlam,

You need to take ownership as yourself (the administrator). Users don't need ownership of anything to do their work; they only need "change" access. If you are still not clear, I can provide you a step by step instruction, please let me know.

Thanks
0
 
hermanlam (Author) Commented:
KaliKoder: Yes. Could you please? Are you basically suggesting something similar to WeHe?

WeHe: Thanks for the tip. I will try out your method. Thanks for the tip for using XCACLS ... never knew such a thing exists.
0
 
KaliKoder Commented:
Hello Hermanlam,

- Please log on as the administrator.
- First you need to make sure you have the ownership of the D:\network_files folder and all folders below it. To do this, right click on the network_files folder -> properties -> security -> Click on Advanced button -> Go to Owner tab -> Make sure your account or the group whose member your account is (typically domain administrators / administrators) is listed there. Make sure the button that says "Replace owner on sub containers" is checked -> click Apply. Click ok twice to get out of the folder properties.
- Please log off and log on again (this is to make sure new permissions take effect and you get the new access token).
- Go to the D:\network_files\users folder and share it with share permissions of Everyone = Full Control. To do this, right click on the "users" folder and go to properties -> Sharing -> Click on "Share this folder" and in the box below, give it a descriptive name like "users" or "home" etc. Click on the permissions button here, and make sure the "everyone" group is highlighted, and check the "allow - Full Control" checkbox, hit apply. Click ok to get out of the folder properties.
- Now go to the D:\network_files\users\joe.blow folder, right click on it and go to properties -> security -> On here make sure the user joe.blow is listed and has "Modify" permissions, administrators have full control. Click on the Advanced button, and make sure on the permissions tab, the check box that says "replace permissions on entire child objects..." is checked, and hit apply. Click ok and ok again to get out of the folder properties.

That's it, you are all set. The user joe.blow should be able to map to \\yourservername\thesharenameyoumade\joe.blow and only him and the administrators would be able to see the contents of this.

Thanks
0
 
hermanlam (Author) Commented:
Hey Kalikoder,

I modified the permissions according to your method, however john.smith can go into joe.blow's acct folder and change the content inside it. This setup still does not provide the restricted access I want.

Are there any other things I have to watch out for?

Thanks.
0
 
WeHe Commented:
> WeHe : Thanks for the tip. I will try out your method. Thanks for the tip for using XCACLS ...never knew such thing exists

Did you try it? We use this on our 17k home/profile shares and it works fine:)
0
 
hermanlam (Author) Commented:
Thanks, WeHe! Your solution works perfectly.

By the way KaliKoder, your method doesn't quite work. It still gives people unlimited access to every one of the sub folders.

Just one more thing Wehe, any good tutorials for XCACLS?
0
 
WeHe Commented:
No tutorial, just the built-in help.
What do you need?
0
