Good Old Permissions issue.

I have an HR folder that I want only HR and Administration Employee's to be able to access and all the Directors to be able to WRITE and READ there own documents.

Inside this HR Folder there is something called E-Documents "Word forums that you can ALT + S (Signs them) and ALT + E will save them to the folder Automatically.  

This is what Directors use for Post_Pos. Authorization, Status Changes on employees, New Employee request ect...

The Directors HAVE TO be able to see the status of the document, such as who has signed and how far it has made it up the heircy.

-----------------------------------------------------------
What I did was went
#1 added the Directors group with list folder contents and write permissions.
#2 Added HR Group with Modify permissions
#3 Added the Creator Owner group as modify permissions.
#4 Added Administration with Modify permissions
Sounds like it works right?
-------------------------------------------------------------

Well on some of the documents when they are signed by say the CFO, CNO or a VP they take ownership of the file.  
That means the director and no longer look at the file.

Could someone explain this please?
I know if I create a file and ask you to add a line to the bottom that says EE is a great place.  You then are not the owner unless you (Take Ownership) which is a option in the permissions menu.   So why is this happening?

Thank you so much for your time!
Klint T.
A+, Network+, Security+, MCSA / MCSE: 2003
LVL 2
Klint_turneyAsked:
Who is Participating?
 
Kevin HaysConnect With a Mentor IT AnalystCommented:
I've tried again quite a few times and I am unable to reproduce someone else taking ownership of the file by just editing/saving the file.  Quite puzzling to say the least.

0
 
CSTNCommented:
When they sign the documents (and thus save) does they become new files? If so, most likely removing the Creator Owner group entirely will clear this up.
0
 
Klint_turneyAuthor Commented:
How would deleting the Creator owner group give the people that create the file permissions?  I do not think they do become new files I will have to test it today.
0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
Kevin HaysIT AnalystCommented:
Why not modify the ntfs permissions and remove everyone (this means all groups listed) and then start adding the groups explicitely that you wish to have access to.
Example would be:

administrators:->full control
hr:->read
administration:->read
directors:->read, write

And any sub folders under the main folder just inherit from parent.

0
 
Klint_turneyAuthor Commented:
Yes but then Directors can still edit and read others documents.  They can't be allowed to do that.
0
 
Kevin HaysIT AnalystCommented:
So you are saying the directors should not be able to read their staff members documents that they create for HR?

Well hmm.  I would probably structure my folders a little different then.

EX:
HR
- Staff
- Directors

Set the ntfs permissions with those groups accordingly.  That's just a simple and easy solution.  I could be wrong but I don't think you can achieve what you are wanting to do with a single folder.  Have you looked at the advanced permissions in the ntfs tab yet?

0
 
Klint_turneyAuthor Commented:
No, alright,
The staff should not be able to access teh folder at all..
The directors can ONLY read the documents they create.
0
 
Kevin HaysIT AnalystCommented:
I thought you wanted the hr and administration to be able to read though?  Can you provide a folde structure hiearchy so we can get a better feel of what groups you want access and not?

regards,

kshays
0
 
Klint_turneyAuthor Commented:
Just 1 folder "HR"  
Administration should have full access to ALL folders
HR should have full access to all folders
and Directors should only be able to access tehre files.
0
 
Kevin HaysIT AnalystCommented:
Ok, here is what i've done.  Here are the ntfs permissions.

folder
- administrator:->full control
- authenticated users:->list folder contents, write
- creator owner:->full control

I tested this scenerio out by using the admin account on the server and using an account that was a basic user from another machine to access the folder.  The basic user was able to create files but could not read the other files that were created by the admin account.

Let us know if that works.

0
 
Klint_turneyAuthor Commented:
please read my questin in full I have already done that.
0
 
Kevin HaysIT AnalystCommented:
You have stated in the first post that the directors have to be able to see the status of the document, but then later you state that they cannot view or edit these documents.  How are they going to see the status of the files if they are not suppose to be able to access the files?  Which one is it?

From what I gave you above which is pretty much what you did to begin with I see no reason why it shouldn't work.  I still don't see why you want the directors to not be able to view the files inside the HR Folder though.  Maybe you should think about restructuring your folders?

Folder Hiearchy:

Directors (directors)
HR ( hr, administration)
HR Status( hr, administration, directors)

In HR Status this is where I guess the directors would check the status on the files.

I'm just trying to get a clear understanding of what you really want here

0
 
Klint_turneyAuthor Commented:
trying to figure out why when someone edits a file it automaticly takes ownership of the file.
0
 
Kevin HaysIT AnalystCommented:
Ok, I only had that problem on a linux fileserver that I didn't have the privileges to see what was going on.  Have you tried to go into the advanced properties and edit each group and uncheck the "take ownership" box yet?

0
 
Klint_turneyAuthor Commented:
No let me try that, very good idea!
0
 
Kevin HaysIT AnalystCommented:
Ok, man, hopefully that does work :)
0
 
Klint_turneyAuthor Commented:
I do not see a "take Ownership" in the Security > Advanced
0
 
Kevin HaysIT AnalystCommented:
click on the name of the group and click on "view/edit" then scroll down, should be the last option.
0
 
Klint_turneyAuthor Commented:
thank you sir
0
 
Kevin HaysIT AnalystCommented:
Anytime, it took a little bit longer to get it resolved than normal, but we did it though :)

Have a good day :)

kshays
0
 
Klint_turneyAuthor Commented:
thank you sir I am glad you thought of that :)
0
 
Kevin HaysIT AnalystCommented:
No problem :)  and thanks for the points...

kshays
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.