  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 299

NTFS permission on shared folder

Hi

I want to create a shared folder, giving 'Everyone' full control of the share, but defining my access policy using NTFS security.

I have two groups in my domain, I want one group to be able to read, write, create new files, rename, delete etc... and the other group to be read only.

The groups already exist.

*I do not want anyone (except Domain Admins) to be able to change the permission of files or folders within this share*.

I notice that if someone modifies a shared file, they become the owner, and then can remove permissions and stop others accessing the file.

Can anyone tell me what permission I need and how I should apply them.

Many thanks




Gareth
0
localgareth
Asked:
2 Solutions
 
kfullartonCommented:
Set your Share permission to "change".  This will prevent anyone from modifying the share and becoming the owner.
0
 
luv2smileCommented:
This is fairly simple to set up:

Set these rights for the read only group:

read and execute
read

For the other group:

From the security tab, click the advanced button, add the other group and then edit the permissions

Check allow for all rights except:

Change permissions
Take Ownership
0
 
localgarethAuthor Commented:
luv2smile, thanks... that sounds like what I need. However, who will own the files in this instance? Will it be administrator (the user used to copy the files into the share)?

What will happen when someone opens a file, and saves changes. Who will be the new owner?

Thanks


Gareth
0
 
localgarethAuthor Commented:
kfullarton, I don't think the Share permissions are in-depth enough, I need NTFS permissions. Thanks anyway.
0
 
mikeleebrlaCommented:
It is common practice to set the share permission to everyone to have full permission and to let NTFS handle security of the files/folders.  If you start setting sharing AND NTFS permissions, administration can get to be a nightmare.

The owner of the file will be whoever created the file initially unless it is specifically changed.  Opening the file and saving changes won't change the owner.
0
 
luv2smileCommented:
The owner is usually the person who created the file and so the ownership should stay the same....with the person who created the file/folder as the owner.
0
 
localgarethAuthor Commented:
I have copied hundreds of Word documents to the share, from a CD-R as administrator. When a user opens the Word document, adds some text and saves, their username is added to the NTFS security options with 'Full Control', and I don't want this to happen, 'cos then they can stop other people viewing the file and tamper with permissions.

0
 
mikeleebrlaCommented:
That is something completely different than being the owner of the file. There can be millions of people with full access to the file but only one owner.  What you need to do is DENY these people's modify permissions on the folder and all files that the folder contains.  This will resolve this problem since deny takes precedence over allow permissions.  I.e., if you deny them from being able to modify permissions it doesn't matter if they have the full control right, they won't be able to modify permissions.
0
 
localgarethAuthor Commented:
Mike, so on the NTFS permissions, is the  'Modify' setting just related to permissions, and not modifying the files themselves?

How does this setup sound?

DOMAIN\Administrator
Full Control: Allow

System
Full Control: Allow

DOMAIN\Users
Read & Execute: Allow
List folder contents: Allow
Read: Allow
Write: Allow

DOMAIN\Guest Users
Read & Execute: Allow
List folder contents: Allow
Read: Allow

With this setup, would anyone in DOMAIN\Users be able to change permissions or remove others from accessing the file?  Or do I need to explicitly deny Modify on the DOMAIN\Users permissions?

Hope this makes sense.



Gareth
0
 
mikeleebrlaCommented:
If you click advanced you will see a more granular set of permissions.  Actually when you click on any of the options on the security tab (without clicking advanced) you are just selecting a predefined group of the more granular options.  When you uncheck modify on a folder, you are actually unchecking these more granular options:
Full control
delete subfolders and files
delete
change permissions
take ownership

Again, if you don't want your domain "users" modifying the rights on these files, I would deny this right from them.   This is the "change permissions" right in the advanced security section.  Be careful though, DO NOT take this right away from the built in group "domain users" since all domain accounts are a member of this group (including administrator).  If you are uncomfortable using the deny option, you can just make sure that allow is not checked.  But again, if you uncheck this for the built in group "domain users" this will apply to the domain administrator.  I wouldn't use this built in group at all for setting file permissions. I would recommend you set up a group that consists of all of your non-administrator users and use this group to set your security.
0
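The permissions described in the answers above (read-only group: Read & Execute; editing group: every right except Change Permissions and Take Ownership), written as PowerShell together with a check for leftover entries such as the per-user Full Control the asker reports. This is an added example, not code from the thread; the path and the two group names are placeholders, and it must be run elevated.

```powershell
# Placeholders (assumptions, not from the thread): adjust to your environment.
$Path    = 'D:\Shares\Docs'
$Editors = 'DOMAIN\Share-Editors'    # hypothetical read/write group, non-admin users only
$Readers = 'DOMAIN\Share-Readers'    # hypothetical read-only group
$Admins  = 'DOMAIN\Domain Admins', 'NT AUTHORITY\SYSTEM'

# Full Control minus "Change permissions" and "Take ownership".
$EditRights = [System.Security.AccessControl.FileSystemRights]'Modify, DeleteSubdirectoriesAndFiles'
$Forbidden  = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'

function New-ShareRule([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights) {
    # Allow entry that applies to this folder, its subfolders and its files.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
}

# Rebuild the folder ACL: stop inheriting from the parent and drop old entries.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

foreach ($id in $Admins) { $acl.AddAccessRule((New-ShareRule $id 'FullControl')) }
$acl.AddAccessRule((New-ShareRule $Editors $EditRights))
$acl.AddAccessRule((New-ShareRule $Readers 'ReadAndExecute'))
Set-Acl -Path $Path -AclObject $acl

# Audit: explicit entries on existing files survive the change above, so list
# every Allow entry that still lets a non-admin change permissions or take ownership.
function Find-PermissionHolders([string]$Root) {
    Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
        $item = $_
        (Get-Acl -LiteralPath $item.FullName).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $Forbidden) -and
            ($Admins -notcontains $_.IdentityReference.Value)
        } | Select-Object @{n='Path';e={$item.FullName}}, IdentityReference, FileSystemRights, IsInherited
    }
}

Find-PermissionHolders $Path | Format-Table -AutoSize
```

Rows with `IsInherited` set to False are entries placed directly on a file; rows where it is True point back to an inheritable entry on a parent folder.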
 
localgarethAuthor Commented:
Hi

Okay, I understand about using the built in group, and have created a new security group containing my users but not administrators.

The problem is, after opening a document (like a Word or Excel file) and saving it, the user then has access to be able to remove permission from the administrator or other users.

Thanks for the explanation about deny, that has tripped me up before.

Gareth
0
 
localgarethAuthor Commented:
I guess no one cares!
0
