Solved

Steps for sharing, permissions and security

Posted on 2006-07-21
Last Modified: 2010-04-18
Hi experts
I have read everything I can about setting security on a Windows Server 2003, and I think I know what to do; then I try it and it does not work.  We are a fairly simple setup:
shared Drive: data e:
Shared folder: Data
20 folders underneath that everyone can access | subfolders under some that are restricted
Security Groups: everyone (of course), All team members, other department type groups
I want to map the shared folder Data to drive G for all team members in a login script, let them see the list of all the folders underneath, and restrict them from some subfolders.
I have read about security templates; they sound like something that will work for most of the folders under the shared folder Data.
OK, with all that said, where do I start with the security?
Thanks so much
Donna
Question by:TECHDLS
LVL 3

Assisted Solution

by:RA123987
RA123987 earned 1200 total points
ID: 17154910
Start with the top level security permissions.
After you set the permission to the proper groups, click Apply.
Then click on the Advanced tab. Choose "Replace permission entries on all child objects with entries shown here that apply to child objects".  Choose OK.
That will force all of the folders to have the permissions of the root folder, if they were not already inheriting the permissions.
Then go in to the sub folders that need to be modified.
Go in to the advanced feature again and uncheck "Inherit from parent the permission entries that apply to child objects.  Include these entries with entries explicitly defined here."
Choose Copy.
This will copy the original permission to the folder and allow you to make the modification that you need.  Now you can remove the groups that were inherited if need be.  You can also add any groups/users that you need to add as well.

One piece of advice is to remove the Everyone group and add Authenticated Users.  Everyone is EVERYONE.  Anyone in the office, whether authenticated to the network or logged on locally, can access those folders and files.  It's always wise to remove that group and use Authenticated Users instead.  Authenticated Users is the same as Everyone except they must authenticate to the domain to get access.
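
The steps in the answer above, scripted with PowerShell's Get-Acl/Set-Acl as an added example that is not part of the original answer. It assumes PowerShell is installed on the server; the subfolder name, the CONTOSO group names and the rights granted are hypothetical.

```powershell
# Added example. E:\Data, Everyone and Authenticated Users come from the thread;
# the subfolder, the CONTOSO group names and the rights granted are assumptions.
$root       = 'E:\Data'
$restricted = Join-Path $root 'Finance'          # hypothetical restricted subfolder
$teamGroup  = 'CONTOSO\All Team Members'         # hypothetical group
$deptGroup  = 'CONTOSO\Finance'                  # hypothetical group

function New-Rule([string]$Identity, [string]$Rights) {
    # Allow rule applying to this folder, its subfolders and its files
    $ruleArgs = $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

# 1. Top-level permissions: drop Everyone, grant the intended groups.
$acl = Get-Acl $root
# PurgeAccessRules removes explicit entries only; an Everyone entry inherited
# from E:\ has to be removed on E:\ itself.
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]'Everyone')
$acl.AddAccessRule((New-Rule 'Authenticated Users' 'ReadAndExecute'))
$acl.AddAccessRule((New-Rule $teamGroup 'Modify'))
Set-Acl -Path $root -AclObject $acl

# 2. Approximates "Replace permission entries on all child objects": turn
#    inheritance back on everywhere and strip explicit entries.
foreach ($item in (Get-ChildItem $root -Recurse)) {
    $childAcl = Get-Acl $item.FullName
    $childAcl.SetAccessRuleProtection($false, $false)
    foreach ($rule in @($childAcl.Access | Where-Object { -not $_.IsInherited })) {
        $childAcl.RemoveAccessRuleSpecific($rule)
    }
    Set-Acl -Path $item.FullName -AclObject $childAcl
}

# 3. Restricted subfolder: stop inheriting and keep a copy of the inherited
#    entries (the "Copy" button), then edit the copy.
$subAcl = Get-Acl $restricted
$subAcl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $restricted -AclObject $subAcl
$subAcl = Get-Acl $restricted        # re-read: copied entries are now explicit
$subAcl.PurgeAccessRules([System.Security.Principal.NTAccount]'Authenticated Users')
$subAcl.PurgeAccessRules([System.Security.Principal.NTAccount]$teamGroup)
$subAcl.AddAccessRule((New-Rule $deptGroup 'Modify'))
Set-Acl -Path $restricted -AclObject $subAcl

# Review the result: every entry on the restricted folder should be explicit.
(Get-Acl $restricted).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Entries copied in step 3 for other principals, such as administrators, stay on the restricted folder until they are removed explicitly.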
 
LVL 26

Assisted Solution

by:Pber
Pber earned 800 total points
ID: 17155278
Further to RA123987's excellent advice....

Keep in mind that Share security can be more restrictive than NTFS on the files.  When defining share security if you grant Read and Execute at the share for Authenticated users (as RA123987 mentioned Everyone is a bad security risk), even if you grant Full control or Modify to Authenticated users, the user will receive the most restrictive Share permission.  Thus Authenticated Users would only have Read and Execute.


Also look into Access Based Enumeration (ABE).  It hides files/folders that you don't have permissions to see instead of giving the access denied message.

http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en
 
LVL 26

Accepted Solution

by:
Pber earned 800 total points
ID: 17155297
Hmmm, that reads a little confusing.

It should say:

When defining share security if you grant Read and Execute at the share for Authenticated users (as RA123987 mentioned Everyone is a bad security risk), even if you grant Full control or Modify to Authenticated users on the NTFS permissions, the user will receive the most restrictive Share permission.  Thus Authenticated Users would only have Read and Execute.
 
LVL 9

Expert Comment

by:rpartington
ID: 17156005
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21862277.html

EXACT same theory to your situation, just needs re-arranging to suit your situ.
Login scripts can be used easily enough via GP
User Config> Windows Settings> Scripts> Logon and point to your script stored in sysvol>domain>policies>etc etc etc
with either a .bat or .vbs
however many companies offer GUI bolt-ons to AD, as in http://www.desktopstandard.com/PolicyMakerApplicationSecurity.aspx

We have it; it was installed before I arrived. It does have some nice features for using a GUI to easily set mapped drives etc. I suppose, but it's not my cup of tea I must confess. Call me old fashioned, I prefer to use my login scripts, as I know for sure if set correctly they will work time and again and I don't have to worry about third party products bolted onto AD, licences expiring and parts of the network dropping off.

Question has a verified solution.
