dylyluv asked on

Windows share and security permissions confusion?

Hi Experts,

As a caveat to the following, I'm more of a UNIX/Linux administrator, and somewhat new to Windows networking of folder and file share/security/access.

Here's my problem, which I'm hoping is a simple fix.

I have two computing lab workgroups on two separate subnets:

Workgroup A has 15 WinXP PCs on subnet 5.5.104.xxx. There's a generic, non-administrative-rights user account made for the students of this workgroup, called "student". Other than the admin login, this is the only username on Workgroup A.

Workgroup B has a few PCs and a non-domain Windows Server 2003 on subnet 5.5.234.xxx. There's one shared folder accessible (called "CLASS1") on the Win2003 machine that any Workgroup A PC can access using Map Network Drive. CLASS1 has two subfolders, called PRODUCTS and SOURCES. On the Win2003 box, other than the usual admin account, I have a researcher account (BILL) added as a non-admin user (though this user hasn't logged on to the Win2003 machine yet; I'm just using this for testing before I hand the account to him). I want to give BILL read-only access to everything under CLASS1, but read and write access only to the PRODUCTS subdirectory.

I don't want to make BILL a user on Workgroup A's machines, but instead just have him use the already-established "student" account, and just access the share by logging in to \\Win2003\CLASS1 on Workgroup B.

The BILL account is able to map the drive successfully from Workgroup A to CLASS1 share on the 2003 box on Workgroup B, but, as hard as I try and fine-tooth-comb through the folder properties Security permissions, I can only make PRODUCTS writable to BILL (or even the admin account) if I allow Full Control at the CLASS1 level, which then opens everything up, which is what I don't want. Even if I then go to the other subdirectories, and tweak them, the problem persists. In other words, it's either all or nothing, with nothing giving the error at a Workgroup A PC when trying to create a folder in PRODUCTS as BILL:

Unable to create Folder.
"Unable to create the folder 'New Folder'. Access is denied"

The above happens even if I map a drive as administrator to CLASS1 and try to create a directory (though, if I log on as administrator to the C$ default admin share name, I have full access everywhere, as expected, and can create a directory anywhere).

I even went into PRODUCTS and SOURCES individually, and removed the inheritable permissions from CLASS1 as the parent, making sure that BILL is listed in the Security tab with write permissions in PRODUCTS, and not in SOURCES. I even went to CLASS1's properties Advanced and made sure that as a parent, it couldn't propagate its permissions to the child directories. I carefully checked the Effective Permissions in Advanced as a sanity check of CLASS1 and the PRODUCTS and SOURCES subdirectories, and everything reports what I want to happen... but still, no luck!

I'd rather not give BILL ownership of any folder on the Win2003 box.

It doesn't appear to be a firewall issue, or blocking SMB traffic through any switches, and File and Print Sharing is turned on on all machines. Pinging one from the other works. I've also tried removing BILL from the Users group, and back again, with no luck. The fact that BILL can map the network drive and see contents tells me I'm close. Just not sure what I'm missing, here.

Any ideas would be appreciated, or any references to third-party software helpers that demystify Windows permissions.

Thanks!
OS Security, Networking, Windows Server 2003

Last Comment
dylyluv

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Brian Pierce

ASKER
dylyluv

Thanks KCTS-

All you had to say was the first paragraph; at some point, I removed the "Everyone" group's ability to write or Full Control, as that seemed logical. Thanks for your insight. Microsoft should definitely change either the wording, or bring up a nag box when the "Everyone" group is changed on a share for clarification!

Points awarded. Thanks again.
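
The behaviour this thread turns on, as an added example that is not part of the original posts: access through a share is limited to what both the share permissions (Sharing tab) and the NTFS permissions (Security tab) allow. The model below is a simplification with allow entries only; the rights, group memberships and ACL contents are constructed from the scenario in the question.

```python
from enum import IntFlag

class Right(IntFlag):
    NONE = 0
    READ = 1
    WRITE = 2
    CHANGE_ACL = 4
    FULL = 7  # READ | WRITE | CHANGE_ACL

# Constructed group membership for the accounts named in the question.
GROUPS = {
    "BILL": {"BILL", "Users", "Everyone"},
    "Administrator": {"Administrator", "Administrators", "Everyone"},
}

def granted(acl, user):
    """OR together every allow entry matching the user or one of its groups."""
    rights = Right.NONE
    for principal, entry in acl.items():
        if principal in GROUPS[user]:
            rights |= entry
    return rights

def effective(user, share_acl, ntfs_acl):
    """Over the network, a user gets only what BOTH ACLs allow."""
    return granted(share_acl, user) & granted(ntfs_acl, user)

# NTFS ACLs (Security tab), constructed to match what the asker wanted.
NTFS = {
    "PRODUCTS": {"Administrators": Right.FULL, "BILL": Right.READ | Right.WRITE},
    "SOURCES": {"Administrators": Right.FULL, "BILL": Right.READ},
}
# Share ACLs (Sharing tab): CLASS1 with Everyone reduced to Read, CLASS1 with
# Everyone at Full Control, and the built-in C$ administrative share.
SHARE_BROKEN = {"Everyone": Right.READ}
SHARE_FIXED = {"Everyone": Right.FULL}
SHARE_C_ADMIN = {"Administrators": Right.FULL}

def can_write(user, share_acl, folder):
    return bool(effective(user, share_acl, NTFS[folder]) & Right.WRITE)

if __name__ == "__main__":
    shares = [("CLASS1, Everyone: Read", SHARE_BROKEN),
              ("CLASS1, Everyone: Full Control", SHARE_FIXED),
              ("C$", SHARE_C_ADMIN)]
    for label, share in shares:
        for user in GROUPS:
            for folder in NTFS:
                print(f"{label:31} {user:14} {folder:9} "
                      f"write={can_write(user, share, folder)}")
```

With Everyone at Full Control on the share, the NTFS entries alone decide who can write where, which is why the Effective Permissions tab (NTFS only) looked correct while writes through CLASS1 still failed.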