Root shared and subfolder restrictions

Posted on 2006-03-22
Medium Priority
Last Modified: 2010-08-05
Hello all,
I have a weird issue. I have set it up before and was doing it again, but it failed to work.

I have four groups and they are members of mgmt.
I have a share called data and mgmt has full share rights.
Then I have four subfolders that have NTFS set for each group respectively with no inheritance.
So group A should not be able to access any of the other shares except A.

What is happening is that all the groups can access each other but cannot delete or rename; they can, however, create stuff. Very weird.

I have set it up before and it is set like that with no issues on, but I am having problems here and am not sure why.
Please help.
Question by:onlinerack
LVL 48

Assisted Solution

Jay_Jay70 earned 400 total points
ID: 16266839
You need to assign the permissions on both the share and security permissions of the folders.
LVL 18

Assisted Solution

kjanicke earned 400 total points
ID: 16267595

When you create a new shared resource, the Everyone group is automatically assigned the Read permission, which is the most restrictive. Share permissions do not apply to users logging on locally, such as on a terminal server. In these cases, use access control on NTFS to set permissions.

If you use Microsoft Windows Explorer or the Cacls.exe utility, you cannot assign NTFS file system permissions to the root directory of an NTFS volume if the volume is mounted by using a mount point, or no drive letter.

The DACL lists permissions by the object first, followed by the object's parent, then the grandparent, and so on up the directory tree. Each layer has the Deny permissions listed before the Allow permissions. The evaluation starts at the child and checks the permissions at that level before continuing up the tree. This process goes level by level until one of three things happens:

If the evaluation finds a Deny for the requested action, the evaluation stops and the action is denied.
If the evaluation finds an Allow for the requested action, the evaluation stops and the action is allowed.
If the evaluation made it to the top of the tree and the action does not have an Allow or Deny permission specified, the action is still denied.

Author Comment

ID: 16268654
The Everyone group was removed.
They are not local; they are coming through drive mappings.
I have their group set as full control in the root share.
Then every group has access to each subfolder below it and inheritance is disabled.
Somehow all the groups seem to be able to access each other's folders and create stuff, but cannot rename or delete the original data.
They are not coming through terminal.
LVL 23

Accepted Solution

TheCleaner earned 1200 total points
ID: 16270909
Set it up like this:

"DATA" share - share permissions should be Domain Admins - Full control --- Everyone, Change and Read  (everyone in 2003 doesn't include anonymous so no worries)

Create FolderA, you'll need to make sure then to uninherit permissions...copy them over, then remove anyone but domain admins then....

FolderA - folder in the Data share -- NTFS permissions should be Domain Admins - Full Control --- local FolderA group has Modify rights

You will need to create the local group on the server called FolderA.  Then add to that local group any global groups for this Folder that you create in Active Directory.  For instance, if you want Bob and Tom to have access to FolderA, create a global group in AD called SERVER_FOLDERA, then add them to that group.  Then add that global group to the local group on the server.

It's just best practice to create local groups and then assign global groups to them, then assign the local groups to have the permissions, just FYI.

Repeat for all 4 subfolders.

NOTE:  Obviously if someone is in more than one of the global groups, they'll have access to more than one sub-folder...

Author Comment

ID: 16296727
Thank you for your answer.
Followed it.
It turns out that the server\users were granted read-only access to all shares and this is why they could see all the shares, so I removed it and it was working well. I have, however, redone the local groups and added the global into them and it worked well.
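
The folder layout from the accepted answer and the cause found in the comment above, as an added example that is not part of the thread: PowerShell on a current Windows system that builds a constructed folder tree under %TEMP% and then lists every subfolder ACE that grants access to a broad built-in group. The function names, the demo path, and the use of BUILTIN\Administrators and the current user in place of Domain Admins and the local FolderA group are assumptions of the example.

```powershell
# Added example, not from the thread. Well-known SIDs of broad built-in groups.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'   # the local "server\Users" group
}
function New-FolderRule([string]$Sid, [string]$Rights) {
    # Allow ACE that applies to the folder, its subfolders and files.
    $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}
function Get-BroadFolderAccess([string]$Root) {
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Ask for SIDs so the check does not depend on the OS display language.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Folder       = $dir.Name
                    Trustee      = $BroadSids[$sid]
                    Rights       = $ace.FileSystemRights
                    AceInherited = $ace.IsInherited
                    Protected    = $acl.AreAccessRulesProtected
                }
            }
        }
    }
}

# Constructed demo tree under %TEMP%, standing in for the DATA share root.
$root = Join-Path $env:TEMP 'DataShareDemo'
$a = New-Item -ItemType Directory -Force -Path (Join-Path $root 'FolderA')
$b = New-Item -ItemType Directory -Force -Path (Join-Path $root 'FolderB')
# FolderA: layout from the accepted answer. Administrators and the current
# user stand in for Domain Admins and the local FolderA group.
$acl = Get-Acl -LiteralPath $a.FullName
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
$acl.AddAccessRule((New-FolderRule 'S-1-5-32-544' 'FullControl'))
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$acl.AddAccessRule((New-FolderRule $me 'Modify'))
Set-Acl -LiteralPath $a.FullName -AclObject $acl
# FolderB: the thread's misconfiguration, read access for the local Users group.
$acl = Get-Acl -LiteralPath $b.FullName
$acl.AddAccessRule((New-FolderRule 'S-1-5-32-545' 'ReadAndExecute'))
Set-Acl -LiteralPath $b.FullName -AclObject $acl
Get-BroadFolderAccess -Root $root | Format-Table -AutoSize
```

Pointing `Get-BroadFolderAccess` at a real share root only reads ACLs; the `AceInherited` and `Protected` columns show whether a flagged entry was set on the folder itself or came down from the parent.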
LVL 48

Expert Comment

ID: 16296740
well done :)
LVL 23

Expert Comment

ID: 16300663
Thanks for the points!


Question has a verified solution.
