Root share and subfolder restrictions

Posted on 2006-03-22
Last Modified: 2010-08-05
Hello all,
I have a weird issue. I have set it up before and was doing it again, but it failed to work.

I have four groups and they are members of mgmt.
I have a share called data, and mgmt has full share rights.
Then I have four subfolders that have NTFS permissions set for each group respectively, with no inheritance.
So group A should not be able to access any of the other shares except A.

What is happening is that all the groups can access each other but cannot delete or rename; they can, however, create stuff. Very weird.

I have set it up before and it is set up like that with no issues, but I am having problems here and am not sure why.
Please help.
Question by:onlinerack
    LVL 48

    Assisted Solution

    You need to assign the permissions on both the share permissions and the security (NTFS) permissions of the folders.
    LVL 18

    Assisted Solution


    When you create a new shared resource, the Everyone group is automatically assigned the Read permission, which is the most restrictive. Share permissions do not apply to users logging on locally, such as on a terminal server. In these cases, use access control on NTFS to set permissions.

    If you use Microsoft Windows Explorer or the Cacls.exe utility, you cannot assign NTFS file system permissions to the root directory of an NTFS volume if the volume is mounted by using a mount point, or no drive letter.

    The DACL lists permissions by the object first, followed by the object's parent, then the grandparent, and so on up the directory tree. Each layer has the Deny permissions listed before the Allow permissions. The evaluation starts at the child and checks the permissions at that level before continuing up the tree. This process goes level by level until one of three things happens:

    If the evaluation finds a Deny for the requested action, the evaluation stops and the action is denied.
    If the evaluation finds an Allow for the requested action, the evaluation stops and the action is allowed.
    If the evaluation made it to the top of the tree and the action does not have an Allow or Deny permission specified, the action is still denied.
    LVL 5

    Author Comment

    The Everyone group was removed.
    They are not local; they are coming through drive mappings.
    I have their group set as full control in the root share.
    Then every group has access to each subfolder below it, and inheritance is disabled.
    Somehow all the groups seem to be able to access each other's folders and create stuff, but cannot rename or delete the original data.
    They are not coming through terminal.
    LVL 23

    Accepted Solution

    Set it up like this:

    "DATA" share - share permissions should be Domain Admins - Full control --- Everyone, Change and Read  (everyone in 2003 doesn't include anonymous so no worries)

    Create FolderA; you'll need to make sure then to uninherit permissions... copy them over, then remove anyone but Domain Admins, then....

    FolderA - folder in the Data share -- NTFS permissions should be Domain Admins - Full Control --- local FolderA group has Modify rights

    You will need to create the local group on the server called FolderA.  Then add to that local group any global groups for this Folder that you create in Active Directory.  For instance, if you want Bob and Tom to have access to FolderA, create a global group in AD called SERVER_FOLDERA, then add them to that group.  Then add that global group to the local group on the server.

    It's just best practice to create local groups and then assign global groups to them, then assign the local groups to have the permissions, just FYI.

    Repeat for all 4 subfolders.

    NOTE:  Obviously if someone is in more than one of the global groups, they'll have access to more than one sub-folder...
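    One way to script the accepted solution (an added example, not from the thread or from Microsoft): the share, a local group per folder with the AD global group nested inside it, NTFS ACLs with inheritance broken, and a final check for stray ACEs. Instead of copying and then pruning the inherited entries, it discards them and adds the wanted rules explicitly, which ends in the same state. The domain CONTOSO, the path D:\Data, the group names and the use of the Smb*/Local* cmdlets (Server 2012+ / PowerShell 5.1) are assumptions.

```powershell
# Added example, not from the thread. Assumptions (change to suit): domain CONTOSO,
# share path D:\Data, Server 2012+ / PowerShell 5.1 for the Smb* and *-LocalGroup cmdlets.
$Domain    = 'CONTOSO'
$SharePath = 'D:\Data'
$Folders   = 'FolderA', 'FolderB', 'FolderC', 'FolderD'
$Server    = $env:COMPUTERNAME

# 1. Share permissions as in the accepted solution: Domain Admins Full, Everyone Change.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
New-SmbShare -Name 'DATA' -Path $SharePath `
    -FullAccess "$Domain\Domain Admins" -ChangeAccess 'Everyone' | Out-Null

foreach ($Folder in $Folders) {
    $Path = Join-Path $SharePath $Folder
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # 2. Local group per folder, with the matching AD global group nested inside it.
    if (-not (Get-LocalGroup -Name $Folder -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $Folder | Out-Null
    }
    Add-LocalGroupMember -Group $Folder -Member "$Domain\SERVER_$($Folder.ToUpper())"

    # 3. NTFS: protect the DACL and discard inherited ACEs (an inherited read ACE for
    #    BUILTIN\Users is exactly what let every group see every folder), then add
    #    only the explicit rules wanted. SYSTEM is kept so backups keep working.
    $Acl = Get-Acl -Path $Path
    $Acl.SetAccessRuleProtection($true, $false)   # isProtected, preserveInheritance
    $Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($Entry in @("$Domain\Domain Admins", 'FullControl'),
                        @('NT AUTHORITY\SYSTEM', 'FullControl'),
                        @("$Server\$Folder", 'Modify')) {
        $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Entry[0], $Entry[1], $Inherit, 'None', 'Allow')
        $Acl.AddAccessRule($Rule)
    }
    Set-Acl -Path $Path -AclObject $Acl
}

# 4. Check: warn about any ACE on a subfolder for an identity outside the intended set.
#    This is the check that would have exposed the read-only ACE for server\users.
foreach ($Folder in $Folders) {
    $Allowed = "$Domain\Domain Admins", 'NT AUTHORITY\SYSTEM', "$Server\$Folder"
    (Get-Acl -Path (Join-Path $SharePath $Folder)).Access |
        Where-Object { $_.IdentityReference.Value -notin $Allowed } |
        ForEach-Object { Write-Warning "$Folder has unexpected ACE: $($_.IdentityReference) $($_.FileSystemRights)" }
}
```

    Run it elevated on the file server; step 4 can be re-run on its own whenever a folder unexpectedly becomes visible to a group that should not see it.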
    LVL 5

    Author Comment

    Thank you for your answer.
    Followed it.
    It turns out that the server\users group was granted read-only access to all shares, and this is why they could see all the shares, so I removed it and it was working well. I have, however, redone the local groups and added the global groups into them, and it worked well.
    LVL 48

    Expert Comment

    well done :)
    LVL 23

    Expert Comment

    Thanks for the points!
