[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Windows 2003 server - file security permission

Posted on 2007-10-08
5
Medium Priority
?
480 Views
Last Modified: 2008-09-29
I created a share folder on my win2k3 server.  I went to security of that folder and grant domain everyone read access.  I then went to a subfolder and granted a particular group read and modify right.  

When someone from that particular group login, he still cannot write to that subfolder.  

Any idea?
0
Comment
Question by:search5354
3 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20035183
When you mix SHARE and NTFS permissions the most restritive apply - so as you only grnated read access on the share then they cannot write to the folder.

When you share a folder it has share permissions. For the most part, if your drives are formatted as NTFS then give the 'Everyone' Group 'Full Control' at the share level (you will need to change the default permission on the Sharing Tab as the Default is 'Everyone' Read). This may seem odd and insecure but it is not as NFTS itself allows you much greater control of permissions. It is usual to allow full control at the share level and then tie down permissions with NTFS.

If you right click on a folder and go to the Security Tab, it will show you the NTFS Permissions. Normally you will want a shared folder not to inherit permissions from its parent folder or drive, So go to the Advanced Tab and clear the 'Inherit from parent...' box and COPY the permissions when prompted.

You can then edit/add/remove groups from the security tab and assign each the required permissions. So if you want the Marketing Group to have full access to a folder, add the Marketing Group and Assign them Full Control. If you want the Sales Group to be able to read the folder and files but not add/delete/change anything, add the Sales group and leave the default permissions, (read, read and execute list folder contents). To stop others accessing the folder remove the Everyone and (domain) Users Groups from the list.

It is enough that groups do not appear on the list to stop them getting access. You do not normally need to DENY. If a user is a member of two or more groups they get the best of their cumulative NTFS Permissions (unless a deny is present, in which case it overrides).

Normally the standard permissions will be sufficient for most purposes; if you want to be more prescriptive you can use the 'Advanced' option and set advanced permissions.

If users have both share and NTFS permissions they get the most restrictive of the combination of the combined NTFS/Share permissions (which is why it is normal to allow Full Control on the share and rely on NTFS permissions)

It is usual to give permissions to groups, not to users as this makes for easier management. If a new person joins the sales team, you just add them to the sales group and they automatically get all the permissions assigned to the Sales Group. If someone moves from Marketing to sales you remove them from the Marketing group and they lose all the Marketing Group Permissions, when you then add them to sales they get all the permissions of the sales group. As already stated a user can be a member of multiple groups.

See http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html for more info

Once a folder is shared with the correct folder and NTFS permissions users can connect to it using the UNC path name, it they can type \\ServerName\ShareName at the run Prompt. Alternatively they can map a drive to the folder. To do this click on Tools, Map Network drive in Windows Explorer and  assign any unused drive letter to the shared folder. The folder will then appear a s Network drive in My Computer

An analogy. Your computer is a house. Your data is in as safe the house. To gain access to the data people from outside have to go through the front door (the share), and then open the safe (NTFS). They need to have both the key to the door (share permissions) and the key to the safe (NTFS permissions) to get at the data - having one key or the other is no good - they must have both.
0
 

Author Comment

by:search5354
ID: 20035302
How about if I have an unshared folder already has 50 sub-folders.  One day we decided to share this folder.  It is easy to go to the root and share it and grant everyone FULL control.  But we need to go to each subfolder and remove everyone from secruity->advance?

This is way too much.  We do not have to do this in WIN2K.  

Thanks.
0
 
LVL 3

Accepted Solution

by:
DPAIT earned 1000 total points
ID: 20043669
Keep in mind that windows 2003 server share permissions are more restrictive by default than w2k.  

By default in 2003 a new share only has READ permissions for everyone instead of full controll like you had in w2k.  

The hierarchy of NTFS and share permissions has not changed in w2003, just the defaults.
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question