Solved

Windows 2003 server permissions

Posted on 2007-03-27
Last Modified: 2013-12-04
I have applied the following Permission structure (yes, this has been posted several times before).
As *share* permissions, give the Everyone group Full Access.
For the time being, create four local groups on the file server hosting the share (if your domain is running in Windows 2000 native mode or higher, you can create domain local groups as well):
* L-WHC-C
* L-WBAL-Fin-C
* L-FBAL-Fin-C
* L-SAL-Fin-C
Change the permissions, first the WHC folder:
In this folder, give (local) Administrators and the System account Full permissions, and give the L-WHC-C group Change permissions; replace the permissions on child objects.
On the "Finance" subfolders of each folder, go to the Advanced security tab, uncheck "Inherit permissions", check "Replace permissions", and copy the current permissions when asked. Remove the L-WHC-C group, add the L-xxxx-Fin-C group with Change permissions, leave Administrators and System with Full Access.
Create two global groups, G-Role1 and G-Role2; Role1 for users with no access to the Finance folder, Role2 for users with access to all folders; you can use existing groups if they contain the correct users, and you can of course name them according to the roles the users have.
Add the G-Role1 group to the L-WHC-C group only.
Add the G-Role2 group to the L-WHC-C group and the L-xxxx-Fin groups.
Finally, add all users with no access to the finance group to the G-Role1 group, add all users with access to the finance folder as well to the G-Role2 folder.
From then on, you only need to add users to the respective global groups to give them permissions on the folders they need.

My problem is I have 3 users in the G-Role2, 1 user can open the files in Financial folder, the other 2 are still Read-Only Access, Why?
1) How or why is that all 3 are in the same group, but only 1 has access?
2) When this FINALLY works, how do you set the Financial folder so that restricted users have NO access, so they can not even VIEW files? Right now they have Read-Only. I want them BLOCKED.


Question by:Harold
8 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 18801338
The final question first. If you want some people to have no access to the folder, make sure the groups to which they belong do not appear in the security list. Make sure that you remove the 'Everyone' and/or Users groups and any others that have no access rights.

As for the first bit, if all three are in the same group but only one has access, he must be getting the permissions from somewhere else. Check this with the effective permissions option.
0
 
LVL 22

Expert Comment

by:65td
ID: 18801401
Users added to global groups need to log off and then back in to get group changes.
For local groups, users only have to disconnect and then reconnect to get the changes applied.
0
 
LVL 1

Author Comment

by:Harold
ID: 18801869
"effective permissions option" where do I see this? I looked at the user profile and Member of <tab> they are members of the same groups.
0

 
LVL 1

Author Comment

by:Harold
ID: 18802091
OK, I found Effective Permissions and went through the Directory Structure down to the restricted folder and the 3 users have the same Permissions down to the restricted folder. The folder that only the 3 users should have access and the 1 user has Read and Change, the other 2 users, just Read.

I removed Domain Users, so as to block all other users from Read-only. How do I figure where they are dropping the Read permission, like the working user has?
0
 
LVL 85

Accepted Solution

by:
oBdA earned 1000 total points
ID: 18803382
Hm? Seems like you didn't follow the directions; how did the Domain Users ever get permissions?
Anyway, save this script as testenvironment.cmd or whatever.cmd, and run it on your DC (assuming your AD is in Windows 2000 native mode or later, and that you're using an English Windows version). It will create a test folder structure, the according test groups as described, and set the permissions as described. All groups and the root folder created will start with "Test-".
You can change the target folder to another one (UNC is possible, too, \\SomeServer\D$\Test-WHC or whatever) at the beginning of the script, leave the rest as it is.
Share the folder created, give the Everyone group Full access in the *share* permissions.
Add the users you have to the Test-G-Role1 and Test-G-Role2 groups and test access. This should give you enough to correct the permissions on your production folders.

@echo off
setlocal
:: *** Define the root folder of the directory structure:
set Root=C:\Test-WHC

:: *** Create the global groups to define the roles:
net group Test-G-Role1 /add /domain
net group Test-G-Role2 /add /domain

:: *** Create the domain local groups to control resource access:
net localgroup Test-L-WHC-C /add /domain
net localgroup Test-L-WBAL-Fin-C /add /domain
net localgroup Test-L-FBAL-Fin-C /add /domain
net localgroup Test-L-SAL-Fin-C /add /domain

:: *** Add the role groups to the necessary resource groups:
net localgroup Test-L-WHC-C Test-G-Role1 Test-G-Role2 /add /domain
net localgroup Test-L-WBAL-Fin-C Test-G-Role2 /add /domain
net localgroup Test-L-FBAL-Fin-C Test-G-Role2 /add /domain
net localgroup Test-L-SAL-Fin-C Test-G-Role2 /add /domain

:: *** Create the directory tree:
md "%Root%"
md "%Root%\WBAL\Financial"
md "%Root%\FBAL\Financial"
md "%Root%\SAL\Financial"

:: *** Set the permissions:
echo y|cacls "%Root%" /t /g Administrators:F SYSTEM:F Test-L-WHC-C:C
echo y|cacls "%Root%\WBAL\Financial" /t /g Administrators:F SYSTEM:F Test-L-WBAL-Fin-C:C
echo y|cacls "%Root%\FBAL\Financial" /t /g Administrators:F SYSTEM:F Test-L-FBAL-Fin-C:C
echo y|cacls "%Root%\SAL\Financial" /t /g Administrators:F SYSTEM:F Test-L-SAL-Fin-C:C

echo Done.
0
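An added example, not part of oBdA's answer: a PowerShell check of the three Financial folders that reports the two conditions this thread turns on, namely a trustee other than Administrators, SYSTEM and the folder's own resource group on the ACL, and a resource group without Modify (Change). It assumes the test root and group names from the script above and a machine with PowerShell installed; the function name Test-FinancialAcl is made up for this example.

```powershell
# Added example (not oBdA's script): audit the Financial folders created above.
# Assumption: default root and Test-* group names from the .cmd script.
$Root = 'C:\Test-WHC'
$FinGroups = @{
    'WBAL' = 'Test-L-WBAL-Fin-C'
    'FBAL' = 'Test-L-FBAL-Fin-C'
    'SAL'  = 'Test-L-SAL-Fin-C'
}
$Admins = 'Administrators', 'SYSTEM'
$Modify = [System.Security.AccessControl.FileSystemRights]::Modify

# Hypothetical helper: returns a list of findings, empty when the ACL is as designed.
function Test-FinancialAcl {
    param([string]$Path, [string]$ResourceGroup)

    $acl = Get-Acl -Path $Path
    $findings = @()
    $groupHasModify = $false

    foreach ($ace in $acl.Access) {
        # Compare on the account name without the DOMAIN\ or BUILTIN\ prefix.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]

        if ($ace.IsInherited) {
            # The design calls for inheritance to be switched off on this folder.
            $findings += "entry for $name is inherited from the parent folder"
        }
        if ($ace.AccessControlType -ne 'Allow') {
            $findings += "Deny entry for $name"
        }
        elseif ($name -eq $ResourceGroup) {
            # "Special" rights that fall short of Modify leave users read-only.
            if (($ace.FileSystemRights -band $Modify) -eq $Modify) { $groupHasModify = $true }
        }
        elseif ($Admins -notcontains $name) {
            # Leftover Users / Domain Users / Everyone entries end up here.
            $findings += "unexpected trustee $name ($($ace.FileSystemRights))"
        }
    }
    if (-not $groupHasModify) { $findings += "$ResourceGroup lacks Modify (Change)" }
    $findings
}

foreach ($dir in $FinGroups.Keys) {
    $path = Join-Path $Root "$dir\Financial"
    $result = @(Test-FinancialAcl -Path $path -ResourceGroup $FinGroups[$dir])
    if ($result.Count -eq 0) { "OK      $path" }
    else { $result | ForEach-Object { "FINDING $path : $_" } }
}
```

Pointing `$Root` and `$FinGroups` at the production folders and groups gives the same report for the real tree.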
 
LVL 1

Author Comment

by:Harold
ID: 18804050
Sorry, it was just Users, not Domain Users. I was trying to stop the general users from Viewing the restricted folder and content. I will run this and test it.
0
 
LVL 11

Expert Comment

by:AnthonyP9618
ID: 18812056
Are you removing these groups (Users, Domain Users, etc.) from the ACLs or are you checking deny?
0
 
LVL 1

Author Comment

by:Harold
ID: 18819517
OMG!!! I have been working on this for 9 months and it is FINALLY right!! oBdA, that was what I needed. Anthony, no I was not removing these groups. After I ran the .cmd and it created everything in the Test environment, I saw exactly what it was.
1) I had not removed the other Groups, as questioned.
2) I just left the L-xxx-Fin-C Groups with Special Permissions. So after checking the Modify permission, it was done.
I logged in as the Administrative users, perfect. I logged in as restricted Users, perfect.

oBdA, I can not THANK YOU enough!
Muchos Gracias mi amigo!
0
