how to make a public folder read only to everyone but full control to certain users

Posted on 2006-06-29
Last Modified: 2010-04-11
We have a drive in one of our servers that is shared and we call it Public Folder, wherein all users can share their data with everyone that needs it. Unfortunately, due to everyone having full control there are some folders (ex. estimating) in Public Folder that everyone can have read only permissions and only certain users can have full control of that folder.

How can I restrict everyone to have full control and give certain users full control to a particular folder that is in our Public Folder?

Please help. I tried to share that folder, gave everyone read only and certain users full control but it did not work. Please help me accomplish this task. Please give me detailed instructions on how to do this.

Please email me at niorpar@yahoo.com

Question by:3jmj

Expert Comment

ID: 17014245
Permissions always apply the most restrictive policy. You need to set up separate groups that have read only and full access. Also make sure subdirectories are inheriting permissions like you want.

Expert Comment

ID: 17014370
Your problem is that the "Estimating" folder is inheriting permissions from the main Public folder.

To fix this, right-click on the Estimating folder, click on "Properties", then "Security" then "Advanced", and un-check the box that reads "inherit from parent..." and click "Copy" in the next dialog.

After that you'll be able to manipulate permissions on the "Estimating" folder separately from the main folder.

If you have lots of users then do create groups as suggested above, it will simplify the job. If you have few users then you can assign permissions for usernames directly.

Author Comment

ID: 17070597
I had done what you had written above; when I tried it, it did not work. I am having one of the users try it this Monday, then I will let you know if it worked or not. Thank you... 3jmj


Accepted Solution

DaMaestro earned 1000 total points
ID: 17077074
This illustration is for example only based on the info provided. I myself would only give list permissions for the users in the domain, and only read/change permissions to those whose job actually requires the data in the subfolders. I prefer file/folder level permissions; it’s easier to troubleshoot permissions issues this way. Share level permissions require connections to the server to troubleshoot.

Example: Domain: NA  ;  Server: FS1  ; Share: Public   ; Subfolder1: Estimating   ;  Subfolder2: HR

You may need to reset permissions on all child objects from the parent to all subfolders before going to each subfolder and adding the Full permissions for those groups. It would also help if you have one group defined in AD for the permissions on that folder in that share, that way you don’t end up adding individual people to each folder on individual servers. It will also be faster when you change all the ACLS. Plan out which users will be added to the subfolders and create groups and memberships based on that before modifying the permissions on the actual server.

If you want to start restricting most folders to read only for a higher percentage of the population then go to the main folder \\FS1\Public and change its permissions for all domain users to be read only. After the main folder permissions have been set, go to the subfolder and add permissions for the group who should have access to the subfolder.  People in the Estimating department would be members of an Estimating group that has access to \\FS1\Public\Estimating . People in HR would be members of the HR group that has access to \\FS1\Public\HR and etc.  

Sometimes file groups may be different than departments in the organization. For this reason, you may want to have a special OU or name prefix. For example, if you start application deployment via AD, you might want to prefix each group software group as SW so people will know that group is authorized people for that software (SW Peoplesoft HR) as opposed to (Peoplesoft HR) department.
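
The steps from the accepted answer and the earlier inheritance comment, scripted with `icacls` as an added example that is not part of the thread. It uses the answer's names (domain NA, server FS1, share Public, subfolders Estimating and HR) and assumes the share is backed by `D:\Public` and that the groups `NA\Estimating` and `NA\HR` already exist; both the path and the group names are hypothetical.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on FS1.
# Assumptions: \\FS1\Public is backed by D:\Public, and the AD groups
# NA\Estimating and NA\HR already exist with the right members.
$root   = 'D:\Public'
$groups = @{ Estimating = 'NA\Estimating'; HR = 'NA\HR' }   # subfolder -> group

# Save the current ACLs so the change can be undone with "icacls /restore".
icacls $root /save "$env:TEMP\public-acl-backup.txt" /t /c

# Parent folder: keep a copy of the inherited ACEs as explicit ones, remove the
# blanket Everyone grant, then give Domain Users read-only access that flows to
# files (OI) and subfolders (CI). Administrators and SYSTEM keep Full control.
icacls $root /inheritance:d
icacls $root /remove:g 'Everyone'
icacls $root /grant:r 'NA\Domain Users:(OI)(CI)RX' `
                      'BUILTIN\Administrators:(OI)(CI)F' `
                      'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Reset every child object so it inherits the new parent ACL.
icacls "$root\*" /reset /t /c

foreach ($name in $groups.Keys) {
    $path = Join-Path $root $name
    # Same as unticking "inherit from parent" and choosing Copy in the GUI.
    icacls $path /inheritance:d
    # Full control for the owning group only, inherited by everything below.
    icacls $path /grant:r "$($groups[$name]):(OI)(CI)F"
    # Confirm inheritance is off on this folder and list the resulting ACEs.
    "{0}: protected = {1}" -f $path, (Get-Acl $path).AreAccessRulesProtected
    icacls $path
}
```

Access over the network is the more restrictive of the share permission and the NTFS ACL, so the share itself must still allow Change or Full Control to the groups that need to write.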


Author Comment

ID: 17077262

Let me try your point of view from public folder let me see if my users will complain, then I will let you know...

thank you,

Author Comment

ID: 17312487
Please be advised that I am still waiting for the user to confirm if the steps taken above were successful at all.

Thank you,
