Solved

Restricted access to folders for some users using NTFS

Posted on 2006-11-22
8
338 Views
Last Modified: 2010-04-18
We have a network share containing 50+ folders on a Windows 2003 server accessed by Windows XP clients, for general shared use. Share permissions are Full Control for Everyone, and NTFS permissions set to Read & Execute, List Folder Contents, and Read for the Users group. Sub Folders have the modify right set for the users group, so that users can create, read and delete files.

I need to restrict access to this share by a certain set of users (members of a single group) so that they can only read files from one folder.

How is this best achieved using NTFS permissions?
0
Comment
Question by:sustrans
  • 4
  • 2
8 Comments
 
LVL 5

Expert Comment

by:TheMetrix
ID: 17995688
Change the NTFS Permissions to:

Administrators: Full Control
Users: Read Only
Add the other groups to have Modify Access

It might seem like a bit too much work for something so easy but it will give you more granular control.
0
 

Author Comment

by:sustrans
ID: 17995893
I'm not sure I explained myself too well. I need users in a certain group to only see FolderX and none of the other folders on the share.

The others users are (generally) not in specific groups, and I do not want to have to modify the rights on all the other folders (or remember to do so on any new folders in the future).
0
 
LVL 5

Expert Comment

by:TheMetrix
ID: 17995994
More clearity is good.

If the folder you wish to change permissions for is below the root share - Open up the Security Tab for NTFS Permissions. Click on Advance Button, on the advance tab remove the check mark from "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicityly defince here"

You will a pop-up asking if you want to remove or copy all of the groups/users permissions from the parent. Click on Copy, after you click on Copy you will be taken back to the Properties page, Remove Users/Everyone group and add the Group you want to explicit permissions to that folder. Login as a test users for that Group to test the permissions.
0
[Webinar] Disaster Recovery and Cloud Management

Learn from Unigma and CloudBerry industry veterans which providers are best for certain use cases and how to lower cloud costs, how to grow your Managed Services practice in IaaS clouds, and how to utilize public cloud for Disaster Recovery

 
LVL 5

Expert Comment

by:TheMetrix
ID: 17996007
Also, have you thought of using Organizational Units (OU's) to manage you users? You might find it to be much easier to manager your domain this way.
0
 

Author Comment

by:sustrans
ID: 17996451
The problem with the above solution is that it restricts the folder to the specific group, but that group can see all the other folders by virtue of its members being in the users group. What I need is for the specific group to be denied access to all folders other than the one I nominate.
0
 
LVL 5

Accepted Solution

by:
TheMetrix earned 250 total points
ID: 17998187
You keep adding more and more requirements and complexity with each comment. Make up your mind here and be specific.

1st You have the Everyone Group which is EVERYONE to include the group you want to restrict. And you have Group 1 (The restricted Group)

If you do not want the Everyone Group to see a folder that only Group 1 is to have access to then Move the Folder out of the Common Share. Share the Restricted Folder and Allow only Group 1 Access both by Share Permission and NTFS Permission. Meaning Remove the Everyone Group. Then with the Common Share you will need to Add Group 1 and Deny them permission to the Common Share.

2nd you need to split your users up by group and or OU to give yourself more versatility. To try and restrict users when the majority of your users belong to Only the Everyone Group can be confusing and difficult as you have already noticed.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now