• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 178
  • Last Modified:

Good Old Permissions issue.

I have an HR folder that I want only HR and Administration Employee's to be able to access and all the Directors to be able to WRITE and READ there own documents.

Inside this HR Folder there is something called E-Documents "Word forums that you can ALT + S (Signs them) and ALT + E will save them to the folder Automatically.  

This is what Directors use for Post_Pos. Authorization, Status Changes on employees, New Employee request ect...

The Directors HAVE TO be able to see the status of the document, such as who has signed and how far it has made it up the heircy.

-----------------------------------------------------------
What I did was went
#1 added the Directors group with list folder contents and write permissions.
#2 Added HR Group with Modify permissions
#3 Added the Creator Owner group as modify permissions.
#4 Added Administration with Modify permissions
Sounds like it works right?
-------------------------------------------------------------

Well on some of the documents when they are signed by say the CFO, CNO or a VP they take ownership of the file.  
That means the director and no longer look at the file.

Could someone explain this please?
I know if I create a file and ask you to add a line to the bottom that says EE is a great place.  You then are not the owner unless you (Take Ownership) which is a option in the permissions menu.   So why is this happening?

Thank you so much for your time!
Klint T.
A+, Network+, Security+, MCSA / MCSE: 2003
0
Klint_turney
Asked:
Klint_turney
  • 11
  • 10
1 Solution
 
CSTNCommented:
When they sign the documents (and thus save) does they become new files? If so, most likely removing the Creator Owner group entirely will clear this up.
0
 
Klint_turneyAuthor Commented:
How would deleting the Creator owner group give the people that create the file permissions?  I do not think they do become new files I will have to test it today.
0
 
Kevin HaysIT AnalystCommented:
Why not modify the ntfs permissions and remove everyone (this means all groups listed) and then start adding the groups explicitely that you wish to have access to.
Example would be:

administrators:->full control
hr:->read
administration:->read
directors:->read, write

And any sub folders under the main folder just inherit from parent.

0
Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

 
Klint_turneyAuthor Commented:
Yes but then Directors can still edit and read others documents.  They can't be allowed to do that.
0
 
Kevin HaysIT AnalystCommented:
So you are saying the directors should not be able to read their staff members documents that they create for HR?

Well hmm.  I would probably structure my folders a little different then.

EX:
HR
- Staff
- Directors

Set the ntfs permissions with those groups accordingly.  That's just a simple and easy solution.  I could be wrong but I don't think you can achieve what you are wanting to do with a single folder.  Have you looked at the advanced permissions in the ntfs tab yet?

0
 
Klint_turneyAuthor Commented:
No, alright,
The staff should not be able to access teh folder at all..
The directors can ONLY read the documents they create.
0
 
Kevin HaysIT AnalystCommented:
I thought you wanted the hr and administration to be able to read though?  Can you provide a folde structure hiearchy so we can get a better feel of what groups you want access and not?

regards,

kshays
0
 
Klint_turneyAuthor Commented:
Just 1 folder "HR"  
Administration should have full access to ALL folders
HR should have full access to all folders
and Directors should only be able to access tehre files.
0
 
Kevin HaysIT AnalystCommented:
Ok, here is what i've done.  Here are the ntfs permissions.

folder
- administrator:->full control
- authenticated users:->list folder contents, write
- creator owner:->full control

I tested this scenerio out by using the admin account on the server and using an account that was a basic user from another machine to access the folder.  The basic user was able to create files but could not read the other files that were created by the admin account.

Let us know if that works.

0
 
Klint_turneyAuthor Commented:
please read my questin in full I have already done that.
0
 
Kevin HaysIT AnalystCommented:
You have stated in the first post that the directors have to be able to see the status of the document, but then later you state that they cannot view or edit these documents.  How are they going to see the status of the files if they are not suppose to be able to access the files?  Which one is it?

From what I gave you above which is pretty much what you did to begin with I see no reason why it shouldn't work.  I still don't see why you want the directors to not be able to view the files inside the HR Folder though.  Maybe you should think about restructuring your folders?

Folder Hiearchy:

Directors (directors)
HR ( hr, administration)
HR Status( hr, administration, directors)

In HR Status this is where I guess the directors would check the status on the files.

I'm just trying to get a clear understanding of what you really want here

0
 
Klint_turneyAuthor Commented:
trying to figure out why when someone edits a file it automaticly takes ownership of the file.
0
 
Kevin HaysIT AnalystCommented:
Ok, I only had that problem on a linux fileserver that I didn't have the privileges to see what was going on.  Have you tried to go into the advanced properties and edit each group and uncheck the "take ownership" box yet?

0
 
Kevin HaysIT AnalystCommented:
I've tried again quite a few times and I am unable to reproduce someone else taking ownership of the file by just editing/saving the file.  Quite puzzling to say the least.

0
 
Klint_turneyAuthor Commented:
No let me try that, very good idea!
0
 
Kevin HaysIT AnalystCommented:
Ok, man, hopefully that does work :)
0
 
Klint_turneyAuthor Commented:
I do not see a "take Ownership" in the Security > Advanced
0
 
Kevin HaysIT AnalystCommented:
click on the name of the group and click on "view/edit" then scroll down, should be the last option.
0
 
Klint_turneyAuthor Commented:
thank you sir
0
 
Kevin HaysIT AnalystCommented:
Anytime, it took a little bit longer to get it resolved than normal, but we did it though :)

Have a good day :)

kshays
0
 
Klint_turneyAuthor Commented:
thank you sir I am glad you thought of that :)
0
 
Kevin HaysIT AnalystCommented:
No problem :)  and thanks for the points...

kshays
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 11
  • 10
Tackle projects and never again get stuck behind a technical roadblock.
Join Now