Solved

Steps for sharing, permissions and security

Posted on 2006-07-21
Last Modified: 2010-04-18
Hi experts
I have read everything I can about setting security on a Windows server 2003, and I think I know what to do; then I try it and it does not work.  We are a fairly simple setup:
shared Drive: data e:
Shared folder: Data
20 folders underneath that everyone can access | subfolders under some that are restricted
Security Groups: everyone (of course), All team members, other department type groups
I want to map the shared folder Data to drive g for all team members in a login script, let them see the list of all the folders underneath, restrict them from some subfolders
I have read about security templates, they sound like something that will work for most of the folders under the shared folder Data
Ok, with all that said, where do I start with the security?
thanks so much
Donna
Question by:TECHDLS
4 Comments
 
LVL 3

Assisted Solution

by:RA123987
RA123987 earned 300 total points
ID: 17154910
Start with the top level security permissions.  
After you set the permission to the proper groups, click apply.
Then click on the Advanced tab. Choose "Replace permission entries on all child objects with entries shown here that apply to child objects."  Choose OK.
That will force all of the folders to have the permissions of the root folder, if they were not already inheriting the permissions.
Then go in to the sub folders that need to be modified.
Go in to the advanced feature again and uncheck "Inherit from parent the permission entries that apply to child objects. Include these entries with entries explicitly defined here."
Choose Copy.  
This will copy the original permissions to the folder and allow you to make the modification that you need.  Now you can remove the groups that were inherited if need be.  You can also add any groups/users that you need to add as well.

One piece of advice is to remove the Everyone group and add Authenticated Users.  Everyone is EVERYONE.  Anyone in the office, whether authenticated to the network or logged on locally, can access those folders and files.  It's always wise to remove that group and use Authenticated Users instead.  Authenticated Users is the same as Everyone except they must authenticate to the domain to get access.
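The GUI steps above can be scripted, which makes them repeatable across the 20 top-level folders and easy to re-run if someone breaks inheritance by hand. The following is an added example written for this page, not RA123987's own procedure or a Microsoft sample; it uses Get-Acl/Set-Acl and the .NET FileSystemAccessRule class. The share path E:\Data comes from the question; the subfolder E:\Data\Finance\Payroll and the group names CORP\All Team Members and CORP\Finance are assumptions to be replaced with the real ones. Run it on the server as an administrator.

```powershell
# Added example (not code from the thread): RA123987's three GUI steps as PowerShell.
# E:\Data is from the question; the subfolder and CORP\* group names are assumptions.
$Root       = 'E:\Data'
$Restricted = 'E:\Data\Finance\Payroll'      # hypothetical subfolder only one department may use
$AllTeam    = 'CORP\All Team Members'        # hypothetical domain group: everyone on the team
$DeptGroup  = 'CORP\Finance'                 # hypothetical department group
$AuthUsers  = 'NT AUTHORITY\Authenticated Users'

function New-Rule {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.AccessControlType]$Type = 'Allow')
    # ContainerInherit + ObjectInherit: the entry flows down to subfolders and files
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', $Type)
}

function Remove-ExplicitRulesFor {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl, [string[]]$Identities)
    # Only explicit (non-inherited) entries can be removed from an object's own ACL
    foreach ($ace in @($Acl.Access | Where-Object {
            -not $_.IsInherited -and $Identities -contains $_.IdentityReference.Value })) {
        $Acl.RemoveAccessRuleAll($ace)
    }
}

# Step 1: top-level permissions. Everyone goes, Authenticated Users and the team group come in.
$acl = Get-Acl $Root
Remove-ExplicitRulesFor $acl @('Everyone')
$acl.AddAccessRule((New-Rule $AuthUsers 'ReadAndExecute'))
$acl.AddAccessRule((New-Rule $AllTeam   'Modify'))
Set-Acl -Path $Root -AclObject $acl

# Step 2: "Replace permission entries on all child objects": every child inherits from $Root
# again and loses its own explicit entries, so the whole tree carries the root's permissions.
Get-ChildItem $Root -Recurse | ForEach-Object {
    $child = Get-Acl $_.FullName
    $child.SetAccessRuleProtection($false, $false)          # inherit from parent
    foreach ($ace in @($child.Access | Where-Object { -not $_.IsInherited })) {
        $child.RemoveAccessRuleAll($ace)
    }
    Set-Acl -Path $_.FullName -AclObject $child
}

# Step 3: the restricted subfolder. Unchecking "Inherit from parent" and choosing Copy is
# SetAccessRuleProtection(isProtected = $true, preserveInheritance = $true).
$sub = Get-Acl $Restricted
$sub.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Restricted -AclObject $sub

# Re-read so the copied entries show up as explicit, then drop the broad groups and add the department.
$sub = Get-Acl $Restricted
Remove-ExplicitRulesFor $sub @($AllTeam, $AuthUsers)
$sub.AddAccessRule((New-Rule $DeptGroup 'Modify'))
Set-Acl -Path $Restricted -AclObject $sub

# Show the result: inherited entries from E:\ remain, the department entry is explicit.
(Get-Acl $Restricted).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

Step 2 walks the whole tree, so on a large share run it once and then only repeat Step 3 for the folders that need their own permissions. Because the Finance group is granted Modify rather than Full Control, department members cannot change permissions or take ownership on the subfolder, which keeps the restriction in the administrators' hands.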
 
LVL 26

Assisted Solution

by:Pber
Pber earned 200 total points
ID: 17155278
Further to RA123987's excellent advice....

Keep in mind that Share security can be more restrictive than NTFS on the files.  When defining share security if you grant Read and Execute at the share for Authenticated users (as RA123987 mentioned Everyone is a bad security risk), even if you grant Full control or Modify to Authenticated users, the user will receive the most restrictive Share permission.  Thus Authenticated Users would only have Read and Execute.

Also look into Access Based Enumeration (ABE).  It hides files/folders that you don't have permissions to see instead of giving the access denied message.

http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en
 
LVL 26

Accepted Solution

by:
Pber earned 200 total points
ID: 17155297
Hmmm, that reads a little confusing.

It should say:

When defining share security if you grant Read and Execute at the share for Authenticated users (as RA123987 mentioned Everyone is a bad security risk), even if you grant Full control or Modify to Authenticated users on the NTFS permissions, the user will receive the most restrictive Share permission.  Thus Authenticated Users would only have Read and Execute.
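Pber's point, that the effective permission is the more restrictive of the share permission and the NTFS permission, is why the usual practice is to keep the share permission simple and do the per-folder restriction in NTFS only. The following is an added example, not code from Pber's post: it creates the Data share with `net share`, grants Authenticated Users Change at the share level (no Everyone entry), and adds the logon-script mapping line Donna asked about. The server name FILESRV is an assumption; E:\Data, the share name Data and drive G: come from the question. The `net` commands are typed identically in cmd.exe or a .bat logon script.

```powershell
# Added example (not from the thread). FILESRV is a hypothetical server name;
# share name, path and drive letter are from the question.

# 1. Create the share. Authenticated Users get Change, nothing for Everyone.
#    Change at the share level caps every user at modify-level access, even where the
#    NTFS permissions on a folder say Full Control. Owners/permission changes stay with admins.
net share Data=E:\Data /GRANT:"Authenticated Users",CHANGE /REMARK:"Shared team data"

# 2. Confirm the share-level grant that was recorded.
net share Data

# 3. The per-folder restriction lives in NTFS. Because the effective result is the more
#    restrictive of the two:
#      share Change + NTFS Read           -> Read
#      share Change + NTFS Modify         -> Modify
#      share Change + NTFS Full Control   -> Change (no permission/ownership changes)
#      share Read   + NTFS Modify         -> Read   (the trap Pber describes)

# 4. Access Based Enumeration, so users do not see the subfolders they cannot open.
#    On Server 2003 this uses abecmd.exe from the download linked above; syntax per its readme.
#    abecmd /enable Data

# 5. Logon-script line for mapping the share to G: (same line in a .bat file).
#    /persistent:no so the mapping is rebuilt from the script at each logon rather than cached.
net use G: \\FILESRV\Data /persistent:no
```

If a user reports "access denied" on a folder they should reach, check the NTFS ACL of that folder first; if they can read but not save anywhere on the share, check the share permission, since a Read grant there overrides any Modify grant in NTFS.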
 
LVL 9

Expert Comment

by:rpartington
ID: 17156005
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21862277.html

EXACT same theory to your situation just needs re-arranging to suit your situ.
Login scripts can be used easily enough via GP:
User Config > Windows Settings > Scripts > Logon, and point to your script stored in sysvol > domain > policies > etc etc etc
with either a .bat or .vbs.
However, many companies offer GUI bolt-ons to AD, as in http://www.desktopstandard.com/PolicyMakerApplicationSecurity.aspx

We have it; it was installed before I arrived. It does have some nice features for using a GUI to easily set mapped drives etc., I suppose, but not my cup of tea, I must confess. Call me old fashioned, but I prefer to use my login scripts, as I know for sure that if set correctly they will work time and again, and I don't have to worry about third-party products bolted onto AD licences expiring and parts of the network dropping off.