Solved

Steps for sharing, permissions and security

Posted on 2006-07-21
Last Modified: 2010-04-18
Hi experts
I have read everything I can about setting security on a Windows Server 2003, and I think I know what to do; then I try it and it does not work.  We are a fairly simple setup:
shared Drive: data e:
Shared folder: Data
20 folders underneath that everyone can access | subfolders under some that are restricted
Security Groups: everyone (of course), All team members, other department type groups
I want to map the shared folder Data to drive g for all team members in a login script, let them see the list of all the folders underneath, and restrict them from some subfolders.
I have read about security templates; they sound like something that will work for most of the folders under the shared folder Data.
Ok, with all that said, where do I start with the security?
Thanks so much
Donna
Question by:TECHDLS
4 Comments
 
LVL 3

Assisted Solution

by:RA123987
RA123987 earned 300 total points
ID: 17154910
Start with the top level security permissions.
After you set the permission to the proper groups, click Apply.
Then click on the Advanced tab. Choose "Replace permission entries on all child objects with entries shown here that apply to child objects".  Choose OK.
That will force all of the folders to have the permissions of the root folder, if they were not already inheriting the permissions.
Then go in to the subfolders that need to be modified.
Go in to the advanced feature again and uncheck "Inherit from parent the permission entries that apply to child objects.  Include these entries with entries explicitly defined here."
Choose Copy.
This will copy the original permissions to the folder and allow you to make the modifications that you need.  Now you can remove the groups that were inherited if need be.  You can also add any groups/users that you need to add as well.

One piece of advice is to remove the Everyone group and add Authenticated Users.  Everyone is EVERYONE.  Anyone in the office, whether authenticated to the network or logged on locally, can access those folders and files.  It's always wise to remove that group and use Authenticated Users instead.  Authenticated Users is the same as Everyone except they must authenticate to the domain to get access.
0
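The steps in RA123987's answer can also be scripted. The following PowerShell is an added example, not part of the original thread; the subfolder path, the domain and group names, and the rights granted are assumptions to replace with your own values.

```powershell
# Added example. Placeholders throughout; run from an elevated prompt on the file server.
$root       = 'E:\Data'                   # shared folder from the question
$restricted = 'E:\Data\Restricted'        # hypothetical restricted subfolder
$teamGroup  = 'EXAMPLE\All Team Members'  # hypothetical domain group
$deptGroup  = 'EXAMPLE\Department A'      # hypothetical group allowed into $restricted

function New-AllowRule([string]$Identity, [string]$Rights) {
    # Allow ACE that applies to this folder, its subfolders and its files.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
}

# Step 1: set the top-level permissions and drop Everyone.
$acl = Get-Acl -Path $root
$everyone = New-Object System.Security.Principal.NTAccount('Everyone')
$acl.PurgeAccessRules($everyone)          # removes explicit Everyone entries only
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-AllowRule $teamGroup 'Modify'))   # assumed access level
Set-Acl -Path $root -AclObject $acl

# Step 2: the scripted form of "Replace permission entries on all child objects":
# every child goes back to inherited-only permissions from $root.
icacls "$root\*" /reset /T /C /Q

# Step 3: on the restricted subfolder, stop inheriting but keep a copy of the
# inherited entries (the "Copy" button in the dialog).
$acl = Get-Acl -Path $restricted
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
Set-Acl -Path $restricted -AclObject $acl

# Step 4: re-read the ACL (the copied entries are now explicit), remove the
# broad group and add the group that should keep access.
$acl = Get-Acl -Path $restricted
$acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount($teamGroup)))
$acl.AddAccessRule((New-AllowRule $deptGroup 'Modify'))
Set-Acl -Path $restricted -AclObject $acl

# Check: list who ended up on the restricted folder and whether entries are inherited.
(Get-Acl -Path $restricted).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

`PurgeAccessRules` only removes explicit entries, so an Everyone entry that `E:\Data` inherits from the drive root has to be removed at the drive root or by protecting `E:\Data` from inheritance first.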
 
LVL 26

Assisted Solution

by:Pber
Pber earned 200 total points
ID: 17155278
Further to RA123987's excellent advice....

Keep in mind that Share security can be more restrictive than NTFS on the files.  When defining share security if you grant Read and Execute at the share for Authenticated users (as RA123987 mentioned Everyone is a bad security risk), even if you grant Full control or Modify to Authenticated users, the user will receive the most restrictive Share permission.  Thus Authenticated Users would only have Read and Execute.


Also look into Access Based Enumeration (ABE).  It hides files/folders that you don't have permissions to see instead of giving the access denied message.

http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en
0
 
LVL 26

Accepted Solution

by:
Pber earned 200 total points
ID: 17155297
Hmmm, that reads a little confusing.

It should say:

When defining share security if you grant Read and Execute at the share for Authenticated users (as RA123987 mentioned Everyone is a bad security risk), even if you grant Full control or Modify to Authenticated users on the NTFS permissions, the user will receive the most restrictive Share permission.  Thus Authenticated Users would only have Read and Execute.
0
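Pber's point about share and NTFS permissions combining, as an added example that is not part of the original thread. It is a simplified model (it ignores ACE ordering and inheritance), and the account names and ACE lists are constructed sample data; it also covers the reverse case, where NTFS is the more restrictive layer.

```powershell
# Added example: simplified model of share + NTFS evaluation. Sample data is constructed.
function Get-LayerRights {
    param([object[]]$Aces, [string[]]$Principals)
    # Within one layer: union of the Allow entries that match the user or one
    # of the user's groups, minus anything a matching Deny entry takes away.
    $allow = 0; $deny = 0
    foreach ($ace in $Aces) {
        if ($Principals -notcontains $ace.Identity) { continue }
        $bits = [int][System.Security.AccessControl.FileSystemRights]($ace.Rights)
        if ($ace.Type -eq 'Deny') { $deny = $deny -bor $bits } else { $allow = $allow -bor $bits }
    }
    $allow -band (-bnot $deny)
}

function Get-EffectiveRights {
    param([object[]]$ShareAces, [object[]]$NtfsAces, [string[]]$Principals)
    # Over the network both layers must grant a right, so the result is the
    # intersection: the more restrictive layer wins.
    $share = Get-LayerRights -Aces $ShareAces -Principals $Principals
    $ntfs  = Get-LayerRights -Aces $NtfsAces  -Principals $Principals
    [System.Security.AccessControl.FileSystemRights]($share -band $ntfs)
}

# Constructed user token: the account plus the groups it belongs to.
$user = 'EXAMPLE\user1', 'EXAMPLE\All Team Members', 'NT AUTHORITY\Authenticated Users'

# Case from the thread: share grants Read and Execute, NTFS grants Modify.
$share = @([pscustomobject]@{ Identity = 'NT AUTHORITY\Authenticated Users'; Type = 'Allow'; Rights = 'ReadAndExecute' })
$ntfs  = @([pscustomobject]@{ Identity = 'NT AUTHORITY\Authenticated Users'; Type = 'Allow'; Rights = 'Modify' })
Get-EffectiveRights -ShareAces $share -NtfsAces $ntfs -Principals $user

# Reverse case: share grants Full Control, NTFS grants Modify but denies Write
# to one of the user's groups.
$share = @([pscustomobject]@{ Identity = 'NT AUTHORITY\Authenticated Users'; Type = 'Allow'; Rights = 'FullControl' })
$ntfs  = @(
    [pscustomobject]@{ Identity = 'NT AUTHORITY\Authenticated Users'; Type = 'Allow'; Rights = 'Modify' },
    [pscustomobject]@{ Identity = 'EXAMPLE\All Team Members';         Type = 'Deny';  Rights = 'Write' }
)
Get-EffectiveRights -ShareAces $share -NtfsAces $ntfs -Principals $user
```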
 
LVL 9

Expert Comment

by:rpartington
ID: 17156005
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21862277.html

EXACT same theory to your situation, just needs re-arranging to suit your situ.
Login scripts can be used easily enough via GP
User Config> Windows Settings> Scripts> Logon and point to your script stored in sysvol>domain>policies>etc etc etc
with either a .bat or .vbs
However, many companies offer GUI bolt-ons to AD, as in http://www.desktopstandard.com/PolicyMakerApplicationSecurity.aspx

We have it, was installed before I arrived, does have some nice features for using a GUI to easily set mapped drives etc I suppose, but not my cup of tea I must confess. Call me old fashioned, I prefer to use my login scripts, as I know for sure if set correctly they will work time and again and I don't have to worry about third party products bolted onto AD licences expiring and parts of the network dropping off.
0

Question has a verified solution.
