

Folder Permissions

Posted on 2006-05-03
Medium Priority
Last Modified: 2011-06-03
I use a single folder for My Documents for everyone in our domain.  Everyone is redirected to this folder.  I want to give my inside users full access to My Documents and access to selected folders to my outside contractors via RWW.  I created a security group called "Outside Contractors".  All the outside contractors are a member of this group and Remote Web Workstation Users group.  The inside users are members of the Domain Users or Domain Power Users Group.  I set up the My Documents as a share for Authenticated Users having full control.  I have set up permissions as follows:

Domain Users Group
Domain Power Users Group
       My Documents:  Full Control

Outside Contractors
       My Documents:  List Folder, Read Data, this folder only
       Selected Folders: Read and Execute, List Folder, Read

With this setup, my outside contractors only have access to the selected folders.  But my inside people have no access to My Documents at all!!!????  The inside people get access when I give "Authenticated Users" full access to My Documents but then the outside contractors have full access to all the folders.  How should I set this up?

With the setup above, the outside contractors see all the folders in My Documents but only have access to the selected folders.  Is there a way to set it up where they only see the selected folders?  I would prefer my inside people  have only one place to look for documents.

I am getting to really hate SBS!!!
Question by:thenelson
LVL 30

Expert Comment

by:Irwin Santos
ID: 16600493
How about not using the Admin's My Documents?

Create another folder, then apply the above controls you mentioned, and test.
LVL 39

Author Comment

ID: 16600835
I can try that but I doubt I would get anything different since the My Documents folder on the server is not a system folder but just a normal folder.  I will let you know how another folder works.

LVL 39

Author Comment

ID: 16601071
I tried another folder and it worked!  However it still leaves me with the outside contractors able to access My Documents.


LVL 30

Expert Comment

by:Irwin Santos
ID: 16601379
Well, apply the GPO to the newly created folder for the outside contractors.

My Documents folder has permissions for the local user and that is preventing normal access from all your other users.
LVL 39

Author Comment

ID: 16601425
>My Documents folder has permissions for the local user and that is preventing normal access from all your other users.
I don't understand what you are saying.

I don't want the outside contractors to have access to the My Documents folder or sections of the My Documents folder.  The inside people must have access to it.  If My Documents permissions is Authenticated Users, then everyone has access.  If My Documents permissions is Domain Users and Domain Power Users Group then no one (except the admin) has access.  Neither is acceptable.
LVL 30

Assisted Solution

by:Irwin Santos
Irwin Santos earned 400 total points
ID: 16601594
"I don't understand what you are saying."
DO NOT USE My Documents to share ANYTHING.  This is one of those reserved folders that has additional permissions to the local user, and thus will conflict with your GPO for the different groups that you have.

Place all your files in a separate folder and give access accordingly via GPO for your domain users & outside contractors, consider the permissions/access for each group.

LVL 74

Accepted Solution

Jeffrey Kane - TechSoEasy earned 1600 total points
ID: 16601830

Are you manually adding these folks to these groups and NOT using the Templates?  I provided you with the link to how to create a restricted group because it is the way it really needs to be done on SBS.

FYI, ALL users must be members of the DOMAIN USERS group.  If you essentially follow the steps 6a - 6e in


you will successfully create the restricted user group and have working profiles.  When you're making the TEMPLATE for the outside users, you will add just two security groups to it, OUTSIDE CONTRACTORS and REMOTE WEB WORKPLACE USERS. I'd also suggest that you add the Domain's Distribution Group when you get to it on that screen.  This makes it easy to send an office email message to everyone.  Then, on the SharePoint Screen, select "Contributor".  

After you complete the template wizard, go back and open the properties of the template and click on the Member of TAB.  You will then see the following group memberships:

Remote Web Workplace Users
Domain Users
Outside Contractors
Power Users Template
Administrators Template
<domainname>Group -- if you chose to add the distribution group

The template entries are only there to allow members of those groups to have the right to add this type of user.

Then, create a NEW template for your inside users but don't add any Security Groups to this one.  Again add the distribution group if you like. On the SharePoint screen, select "Contributor" .  Finish out the wizard to create a template that has all of the above except RWW and OC groups.

You can then add your users with the Add-User Wizard and apply the appropriate template.  If you want to add multiple users, just select that wizard instead.

I'm not sure why you chose to use the Domain Power Users group for your inside users, but you don't want to do that.  The Power Users group is actually quite restricted.  It's designed for granting SERVER access to people that you don't want to access any other place.  Was there a reason that you wanted additional rights for these users?

Now... just to clarify your Terminology... so that people don't get confused.  I don't think you want the My Documents folder to be shared.  You would instead want a COMPANY folder and then you can just make the My Documents folders disappear from the desktops through Group Policy.  The reason for this is that My Documents is one of those special folders that has certain characteristics based on each user because a hidden .ini file is created for each My Documents folder which provides such information as the folder's unique name.  Since you don't want individual characteristics, you shouldn't use the My Documents folder.

Now for your Outside Contractors... While they will be entering via RWW, they would then connect to the Terminal Server (Labeled Connect to my Company's Application Server in RWW).  Do you want these users to have a full Windows Desktop when they log in to the TS?  Or are they just needing to run the Access Database?  Because if they only need to run that program you don't need to do a different configuration on the folder permissions issue because you can lock the users out of the Windows Explorer all together by funneling them right into the application and back out when they exit the application.

I would still highly recommend that you use the preconfigured "General Documents on Companyweb" for your Shared Document folder.  This can either be accessed through SharePoint http://companyweb and then clicking on the "General Documents" link on the left side Quick Launch menu.   Since this is a URL Link to General Documents, it can easily be added to Favorites, or a shortcut can be put on the desktop.  (per GPO if you like as we've discussed).

The advantage of this interface is then your Outside Contractors can access whatever folders you want to make accessible to them through the "Connect to my Company's Internal Website".  They can then easily upload or download any documents you want them to have.  They can also use an InfoPath interface to enter information if you require that.

Alternatively, if you don't want to use the IE interface to the document library, you can access it through My Network Places just like any other windows file system folder.  A shortcut to this location can easily be added to the desktop.  However the downside of using it this way is the necessity of allowing remote users access to the TS desktop.  Otherwise, you can map the SharePoint Library as a network drive the same way any other network drive would be.
http://www.microsoft.com/technet/prodtechnol/sppt/wss/fsdoclib.mspx has more info on this.

Finally, if for some strange reason you STILL want to create a new share in the windows file structure for this, you need to have the following permissions set in order for it to work:

On your share, you should actually use the following SHARE permissions
Domain Users -- FULL
Domain Admins -- FULL
Outside Contractors -- FULL
Folder Operators -- FULL

On the Security TAB grant the following permissions
Domain Admins -- FULL -- This Folder, Sub Folders & Files
Folder Operators -- FULL -- This Folder, Sub Folders & Files
SYSTEM -- FULL -- This Folder, Sub Folders & Files
Domain Users --  change to This Folder & Files  with the following SIX boxes checked in the Advanced Settings
  Traverse Folder/Execute File
  List Folder/Read Data
  Read Attributes
  Read Extended Attributes
  Create Folders/Append Data
  Read Permissions

(You would also add the Outside Contractors to the Folders you want them to have access to with the same permission set used by Domain Users -- This Folder & Files).

All other permissions entries should be removed.

I think that covers it.
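
The Security tab entries from the accepted answer above, scripted in PowerShell as an added example (not code posted by anyone in this thread). The domain name CONTOSO, the path D:\Company and the two folder names are assumptions; the group names are the ones given in the answer, and the share permissions are left untouched. The last step lists any Authenticated Users or Everyone entries, the grant that gave the contractors access to everything in the original setup.

```powershell
# Added example; CONTOSO, D:\Company and the folder names are assumptions.
$Domain   = 'CONTOSO'                 # placeholder domain name
$Root     = 'D:\Company'              # hypothetical shared folder
$Selected = 'Drawings', 'Specs'       # hypothetical folders opened to contractors

# The six advanced boxes from the answer, as FileSystemRights names.
$Limited = 'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateDirectories, ReadPermissions'
$All     = 'ContainerInherit, ObjectInherit'   # This Folder, Sub Folders & Files
$Files   = 'ObjectInherit'                     # This Folder & Files

function New-Rule($Who, $Rights, $Inherit) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Who, $Rights, $Inherit, 'None', 'Allow')
}

# Root folder: stop inheriting, drop every existing entry, add only the listed ones.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)    # protect the ACL, discard inherited entries
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($old)          # "All other permissions entries should be removed"
}
$acl.AddAccessRule((New-Rule "$Domain\Domain Admins"    'FullControl' $All))
$acl.AddAccessRule((New-Rule "$Domain\Folder Operators" 'FullControl' $All))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'      'FullControl' $All))
$acl.AddAccessRule((New-Rule "$Domain\Domain Users"     $Limited      $Files))
Set-Acl -Path $Root -AclObject $acl

# Selected folders: the same limited set for Outside Contractors.
foreach ($name in $Selected) {
    $path = Join-Path $Root $name
    $sub  = Get-Acl -Path $path
    $sub.AddAccessRule((New-Rule "$Domain\Outside Contractors" $Limited $Files))
    Set-Acl -Path $path -AclObject $sub
}

# Check: return any entry for a broad principal left on a folder.
function Get-BroadAce($Path) {
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -match 'Authenticated Users|Everyone' }
}
foreach ($p in @($Root) + @($Selected | ForEach-Object { Join-Path $Root $_ })) {
    Get-BroadAce $p |
        Select-Object @{n='Path'; e={$p}}, IdentityReference, FileSystemRights, IsInherited
}
```

Run it from an account that is a member of Domain Admins, since every entry not listed is removed from the root folder. No output from the final loop means no Authenticated Users or Everyone entry remains on the checked folders.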


LVL 30

Expert Comment

by:Irwin Santos
ID: 16601895
@Techsoeasy...felt like I was reading a book...I bow down to you ;-)

@thenelson...Techsoeasy kindly DETAILED the ENTIRE procedure for you. :-)
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16625070

I'll let you know when these and many other words are available in print... :-)

LVL 30

Expert Comment

by:Irwin Santos
ID: 16674466
@thenelson....did you forget us?
