

How to set permissions for shares mapped at boot time on Windows XP/Windows Server?

Posted on 2007-11-13
Medium Priority
Last Modified: 2010-04-10
We are consolidating our data from hard drives on multiple client
systems onto a single high performance file server. We want to make the
data move transparent to the client systems on which we are replacing
local disk with a share from the server (call it "bigserver").

We are using Windows XP on the clients and Windows 2003 on the server.  We are running Active Directory.

For example, on client system "A", there is a 300GB local disk known as
E:. We copy the data to a share on the file server, being careful to
preserve permissions, etc., and putting it into a share called
"a-edrive". We create a GPO for client system A that includes a startup
script. The startup script looks like this:
net use e: \\bigserver\a-edrive

The drive mappings are updated on client system A so that we can use e:
for the network share. We reboot client system A, and E: is now mapped
to the share on bigserver. However, some things don't work right.
Services that start at boot time see the data, but don't seem to have
the right credentials to get full access.
What do we need to set up to make sure the client system has the same
access rights to the mapped E: as it did to the local disk?

We'd also like to preserve permission checking so that other users or
systems on the network don't have full access to the share unless there
are permissions that entitle them to such access.
Each of the client systems will end up with a dedicated share that is
used by that client system to replace one or more local disks.

This change needs to be transparent to any installed applications, as we
don't want to reconfigure application settings.
Question by:Sasupport

Accepted Solution

KCTS earned 500 total points
ID: 20276691
You need to make sure that when you set up the share you set the correct SHARE and NTFS permissions.

When you share a folder it has share permissions. For the most part, if your drives are formatted as NTFS then give the 'Everyone' Group 'Full Control' at the share level (you will need to change the default permission on the Sharing Tab as the Default is 'Everyone' Read). This may seem odd and insecure but it is not, as NTFS itself allows you much greater control of permissions. It is usual to allow full control at the share level and then tie down permissions with NTFS.

If you right click on a folder and go to the Security Tab, it will show you the NTFS Permissions. Normally you will want a shared folder not to inherit permissions from its parent folder or drive, so go to the Advanced Tab and clear the 'Inherit from parent...' box and COPY the permissions when prompted.

You can then edit/add/remove groups from the security tab and assign each the required permissions. So if you want the Marketing Group to have full access to a folder, add the Marketing Group and assign them Full Control. If you want the Sales Group to be able to read the folder and files but not add/delete/change anything, add the Sales group and leave the default permissions (read, read and execute, list folder contents). To stop others accessing the folder remove the Everyone and (domain) Users Groups from the list.

It is enough that groups do not appear on the list to stop them getting access. You do not normally need to DENY. If a user is a member of two or more groups they get the best of their cumulative NTFS Permissions (unless a deny is present, in which case it overrides).

Normally the standard permissions will be sufficient for most purposes; if you want to be more prescriptive you can use the 'Advanced' option and set advanced permissions.

If users have both share and NTFS permissions they get the most restrictive of the combination of the combined NTFS/Share permissions (which is why it is normal to allow Full Control on the share and rely on NTFS permissions).

It is usual to give permissions to groups, not to users as this makes for easier management. If a new person joins the sales team, you just add them to the sales group and they automatically get all the permissions assigned to the Sales Group. If someone moves from Marketing to sales you remove them from the Marketing group and they lose all the Marketing Group Permissions, when you then add them to sales they get all the permissions of the sales group. As already stated a user can be a member of multiple groups.

See for more info

Once a folder is shared with the correct folder and NTFS permissions users can connect to it using the UNC path name, i.e. they can type \\ServerName\ShareName at the Run prompt. Alternatively they can map a drive to the folder. To do this click on Tools, Map Network Drive in Windows Explorer and assign any unused drive letter to the shared folder. The folder will then appear as a Network drive in My Computer.

An analogy. Your computer is a house. Your data is in a safe in the house. To gain access to the data people from outside have to go through the front door (the share), and then open the safe (NTFS). They need to have both the key to the door (share permissions) and the key to the safe (NTFS permissions) to get at the data - having one key or the other is no good - they must have both.
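
The combination rules in this answer (cumulative group permissions, a deny overriding, and the more restrictive of share and NTFS applying), as a small Python model. This is an added example, not part of the original answer; the rights in LEVELS, the sample users and the Contractors group are constructed for illustration.

```python
# Simplified model of the share/NTFS rules described in the answer above.
# It is NOT Windows' real access check (no ACE ordering, inheritance or owner rights).

# Constructed rights for each permission level (assumption for illustration).
LEVELS = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions"},
}

def granted(acl, groups):
    """Rights one ACL gives a user: allows accumulate across groups, a deny overrides."""
    allow, deny = set(), set()
    for who, kind, level in acl:
        if who in groups:
            (allow if kind == "allow" else deny).update(LEVELS[level])
    return allow - deny

def effective(share_acl, ntfs_acl, groups):
    """Network access must pass both ACLs, so the result is the more restrictive one."""
    return granted(share_acl, groups) & granted(ntfs_acl, groups)

# Constructed sample ACLs using the group names from the answer.
SHARE_OPEN = [("Everyone", "allow", "Full Control")]   # recommended share setting
SHARE_DEFAULT = [("Everyone", "allow", "Read")]        # default on the Sharing tab
NTFS = [("Marketing", "allow", "Full Control"), ("Sales", "allow", "Read")]
NTFS_DENY = NTFS + [("Contractors", "deny", "Full Control")]  # hypothetical group

# Constructed users, each listed with the groups they belong to.
USERS = {
    "alice": {"Everyone", "Marketing"},
    "bob": {"Everyone", "Sales"},
    "carol": {"Everyone", "Sales", "Marketing"},
    "dave": {"Everyone"},                      # in no group on the NTFS list
    "erin": {"Everyone", "Marketing", "Contractors"},
}

def report(share_acl, ntfs_acl):
    """Map each sample user to a sorted list of effective rights."""
    return {u: sorted(effective(share_acl, ntfs_acl, g)) for u, g in USERS.items()}

if __name__ == "__main__":
    for name, (s, n) in {"open share": (SHARE_OPEN, NTFS),
                         "default share": (SHARE_DEFAULT, NTFS),
                         "with deny": (SHARE_OPEN, NTFS_DENY)}.items():
        print(name, report(s, n))
```

With the default 'Everyone' Read share permission, alice's NTFS Full Control is cut down to read, which is the case the answer warns about.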

