Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
SBS 2003 security group permissions not working for folder
Posted on 2006-06-15
Inherited SBS 2003.
Created own OU's not using 'My Business'.... ones created by default.
Have one folder with a couple of excel files in it. I want to restrict the folder so only 5 users can read/write and all other users read-only.
Folder name: ABC
Group 1: Global Read Only Group
Group 2; Global Write Group
5 users in Group2 and all other users in Group1
Security Permissions: Administrators - full, Group1 - Read, Deny Write , Group 2 - Read/write
Any user I add to either Group does absolutely nothing. Example, I add User1 to Group1 and I can still open, write, delete, create, everything. If I remove all groups from security permissions and only leave Administrators, anyone can access the folder and open/read/write/delete.
If add User1 explicitly to the security permissions, it works.
I have removed setting Inherite Permissions from parent folder. I have tried 4 different user accounts. Owner of file is administrator.
Created own OU's not using 'My Business'.... ones created by default.
Have one folder with a couple of excel files in it. I want to restrict the folder so only 5 users can read/write and all other users read-only.
Folder name: ABC
Group 1: Global Read Only Group
Group 2; Global Write Group
5 users in Group2 and all other users in Group1
Security Permissions: Administrators - full, Group1 - Read, Deny Write , Group 2 - Read/write
Any user I add to either Group does absolutely nothing. Example, I add User1 to Group1 and I can still open, write, delete, create, everything. If I remove all groups from security permissions and only leave Administrators, anyone can access the folder and open/read/write/delete.
If add User1 explicitly to the security permissions, it works.
I have removed setting Inherite Permissions from parent folder. I have tried 4 different user accounts. Owner of file is administrator.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3
2-
2
7 Comments
Active today
OUs do NOTHING for file security - you need to create Security Groups and add users to the SECURITY groups. Also, put the users back in the My Business OU - Do NOT do things without the wizards if you can do them with the wizards. SBS EXPECTS to be managed a certain way and if you don't manage it appropriately, you'll create problems now and later.
I'll second that! See http://sbsurl.com/itpro for an overview of this.
Also, all users should be created using the Add-User wizard and the SBS user templates. There are too many functions that need to be configured simulataneoulsly to do this manually. Because SBS is a preconfigured server that has numerous services running together on the same machine that would never be running together on a standard server, you need to use the wizards in order to not break anything.
So, first move all users back into MyBusiness\Users\SBSUsers
There are wizards for Security Groups as well. I would suggest that you create a new User Template for those that you want in Group 1 and another for those that you want in Group 2 (actually you should COPY the default USER template to start with).
Then, create two Security Groups (1 & 2) and add it to each new template accordingly.
Next, add those Security Groups to your NTFS permissions for the folders you are looking to protect.
Finally, if you've already created these users, run the Change User Permissions wizard to apply the appropriate template to whichever users you like. If you haven't created a user yet, then use the add-user wizard and select the appropriate template to create your user.
Obviously this is quite a different procedure than what you would do on a standard Server 2003... but by following this method, you will not only get the permissions set the way you want, but you will also be able to keep the assigned quotas in place, the appropriate SharePoint user accounts, etc.
I might mention however, that what you are doing is handled by SharePoint quite well... and you may want to look into using SharePoint instead of standard NTFS files/folders. There are preconfigured SharePoint roles which address what you are seeking to do... by default standard users are granted the "Contributor" role appropriate for your Group 2, but you could certainly make a separate User Template for Group 1 that would grant them the "reader" role.
Files stored in SharePoint are actually in SQL server (MSDE if you have SBS Standard, SQL Server if SBS Premium -- which allows for full text search). Document libraries in SharePoint are accessed easily via http://companyweb.
Jeff
TechSoEasy
Also, all users should be created using the Add-User wizard and the SBS user templates. There are too many functions that need to be configured simulataneoulsly to do this manually. Because SBS is a preconfigured server that has numerous services running together on the same machine that would never be running together on a standard server, you need to use the wizards in order to not break anything.
So, first move all users back into MyBusiness\Users\SBSUsers
There are wizards for Security Groups as well. I would suggest that you create a new User Template for those that you want in Group 1 and another for those that you want in Group 2 (actually you should COPY the default USER template to start with).
Then, create two Security Groups (1 & 2) and add it to each new template accordingly.
Next, add those Security Groups to your NTFS permissions for the folders you are looking to protect.
Finally, if you've already created these users, run the Change User Permissions wizard to apply the appropriate template to whichever users you like. If you haven't created a user yet, then use the add-user wizard and select the appropriate template to create your user.
Obviously this is quite a different procedure than what you would do on a standard Server 2003... but by following this method, you will not only get the permissions set the way you want, but you will also be able to keep the assigned quotas in place, the appropriate SharePoint user accounts, etc.
I might mention however, that what you are doing is handled by SharePoint quite well... and you may want to look into using SharePoint instead of standard NTFS files/folders. There are preconfigured SharePoint roles which address what you are seeking to do... by default standard users are granted the "Contributor" role appropriate for your Group 2, but you could certainly make a separate User Template for Group 1 that would grant them the "reader" role.
Files stored in SharePoint are actually in SQL server (MSDE if you have SBS Standard, SQL Server if SBS Premium -- which allows for full text search). Document libraries in SharePoint are accessed easily via http://companyweb.
Jeff
TechSoEasy
Active today
Why does SBS blow? You think you could do this with Standard server? You can't you know.
I know. I like using Standard 10 times better. I like having control over what I do. I don't like wizards. Although the template feature seems ok.
SBS is not horrible, I just don't like it. Haven't used it enough to appreciate it I guess.
SBS is not horrible, I just don't like it. Haven't used it enough to appreciate it I guess.
Active today
Exactly. That I can understand. I prefer the control as well - I prefer KNOWING HOW the system does things then the "sit back and relax, I'll take care of it" attitude - if I wanted that kind of computer, I'd have switched to a Mac LONG ago. I've come to accept that for it's purpose, SBS is well done - it's introduction to the IT specialist was quite poor because, as near as I can tell, unless you specifically looked for training in it, you would unintentially screw it up. And when you work in an enterprise environment, I don't think its unreasonable for an admin to think they know how it should work. Problem is, that's what screws SBS up.
Microsoft really needs to make the wizards smarter so that admins with enterprise experience can't screw things up if they want to manage it like an enterprise system. With luck, it will be one soon, afterall.
Microsoft really needs to make the wizards smarter so that admins with enterprise experience can't screw things up if they want to manage it like an enterprise system. With luck, it will be one soon, afterall.
If you want to know what the wizards do (and they are just GUI scripts by the way) all you have to do is look at the very last screen of each one and it will detail you what's what. You can also look at the logs. Feel free to explore C:\Program Files\Microsoft Windows Small Business Server\Support and other directories in C:\Program Files\Microsoft Windows Small Business Server.
The main issue is this though... with a standard server you would NEVER put all of those services and components into one box. But, by doing so you can save a TON of money for the company. The wizards allow you to manage the server by helping to ensure that you don't break one service while fixing another. Of course they aren't perfect... but they are certainly better than NOT using them.
leew summed it up fairly well... and the problems I encounter are generally created by very experienced, well intentioned MCSE's who just weren't given the heads up on what NOT to do with SBS. Since my consulting practice is exclusively SBS based, the tools that SBS has allows me to handle MANY MORE clients than if I were having to do this stuff manually... so there are adavantages for IT Professionals as well.
Jeff
TechSoEasy
The main issue is this though... with a standard server you would NEVER put all of those services and components into one box. But, by doing so you can save a TON of money for the company. The wizards allow you to manage the server by helping to ensure that you don't break one service while fixing another. Of course they aren't perfect... but they are certainly better than NOT using them.
leew summed it up fairly well... and the problems I encounter are generally created by very experienced, well intentioned MCSE's who just weren't given the heads up on what NOT to do with SBS. Since my consulting practice is exclusively SBS based, the tools that SBS has allows me to handle MANY MORE clients than if I were having to do this stuff manually... so there are adavantages for IT Professionals as well.
Jeff
TechSoEasy
Featured Post
Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
The problem of the system drive in SBS 2003 getting full continues to be an issue, even though SBS 2008 and SBS 2011 are both in the market place. There are several solutions to this, including adding additional drive space or using third party uti…
I work for a company that primarily works with small businesses as their outsourced IT vendor. As such the majority of these customers utilize some version of Small Business Server. Due to the economics of running a small business, many of these cus…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special.
It's completely agentless, but does let you create an agent, if you desire.
It offers powerful scalability …
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash"
After Shake : http://www.videocopilot.net/presets/after_shake/
All lightning effects with instructions : http://www.mediaf…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month6 days, 19 hours left to enroll
623 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.