Solved

How Do I Give Permission for a User to Access Only One Folder?

Posted on 2008-06-10
13
197 Views
Last Modified: 2013-12-04
We have a part time employee who only needs access to one folder on our network.  She needs to read, save and edit the contents of the folder.  How do I set permissions on the share to deny access for this user to all other folders and to allow access to this single folder?
0
Comment
Question by:admintsg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
  • 3
13 Comments
 
LVL 25

Expert Comment

by:slam69
ID: 21753740
you will have to set deny permissions on all the other folders directly and set an allow permission on the one you want them to have access to
0
 

Author Comment

by:admintsg
ID: 21753782
Isn't there an easier way than setting deny permission on 34 folders in order to allow access to 1?
0
 
LVL 25

Expert Comment

by:slam69
ID: 21753804
well i did network permissioning for barclaycard and often had these scenarios and i never found a way around this other than implicity denying access and allowing where required.

The only way i can think of doing it would be removing the user from domain users and adding the user in directly but then you will click inheritence to follow and they will have access to lots more folders, try adding the permissions in one folder at a time, removing them from domain users group and adding their access in one level at a time, gonna be tricky though i would still want to be denying them rights to teh other folders
0
Ready to trade in that old firewall?

Whether you need to trade-up to a shiny new Firebox or just ready to upgrade from whatever appliance you're using now, WatchGuard has the right appliance for you! Find your perfect Firebox today with appliance sizing tool!

 
LVL 58

Expert Comment

by:tigermatt
ID: 21753823
There is an easier way. To be honest, you probably don't want to use Deny permissions unless you REALLY have to - they cause more problems than they solve.

Add the new user to a separate security group which has no permissions over any of the folders or their structure. If possible, remove the user from any groups which would allow the user to access any other folders. Then, just open the permissions on the folder the user must access and Add a permission for the pre-created security group with the necessary Allow rights. Provided that group is not added elsewhere, the user will have no other access.

When accessing the share, the user will need to use a direct path to that folder. i.e. \\server\share\folder(withpermissions).

-tigermatt
0
 
LVL 25

Expert Comment

by:slam69
ID: 21753849
yup and inheriting will give them access to all the other folders which will have to be removed so i would just put the deny in safest way is securest way its the way i have been taught but sure you can cut corners if needed as i stated by removing them reom domain users just i wouldnt want to do it that way
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21754967
I never mentioned about placing the permission on the main folder at the root of the structure. I simply mentioned about adding the ACL directly to the downlevel folder which the user needs access to. This can be done - even while still using inheritence - and, if necessary, the ACL on the downlevel folder can be configured so it doesn't apply to any subfolders of that folder.

The problem with Deny permissions is that you have to go through and do it on every folder - and if a new subfolder of the main share root is created, you have to remember to add the Deny permission to that folder, too. It's always best to be inclusive - just set the required Allow permissions - rather than try to set lots of Deny permissions, wherever possible. I can't remember the last time I needed to set a Deny permission on a Folder structure.

Please don't take this comment personally - I'm just providing an alternative solution and explaining the benefits of this solution.
0
 

Author Comment

by:admintsg
ID: 21755735
Tigermatt, I like your response, but can you walk me through the steps to do this?  There are a lot of variables involved.
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 125 total points
ID: 21757352
OK, here goes:

1. Ensure the new user account is NOT a member of any groups which may inherit some permissions over other folders in the folder structure.
2. Create a new security group - something like "Restricted Directory Access Part-time User" - and make the user a member of it.
3. Now, open the Security tab on the folder the user must manage (NOT the root folder), press Advanced, then Add, locate the security group you created above, press OK then assign the correct permissions.
5. Since you are not adding the permission at the root level, but at the level of the folder the user will be accessing, this does not give the user access elsewhere. Also, you do not need to turn off inheritance before adding the permissions. You CAN add permissions over the top of inherited permissions - that is possible!

-tigermatt
0
 

Author Comment

by:admintsg
ID: 21757689
Thanks!  I'll give it a try tomorrow and let you know how it works.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21758642
@tigermatt-----of course not taken personally bud.. if i did that would be a very angry world... i dont completely disagree with your method just i would do it differently, if we all did things the same life would be dull ;o)

Jay
0
 

Author Comment

by:admintsg
ID: 21764039
Should the security group be Universal, Global or Domain local?  Do I need to remove all other users from the Security tab in the group properties?
0
 
LVL 25

Expert Comment

by:slam69
ID: 21764077
eh? why are you creating a new security group for one user? if you chose to do it that way you really need to gain some knowledge on security groups or you are going to cause yourself a big headache, if you need other people to access then dont take out anyo ther groups, especially the domain admin group or you will have no access or admin rights yourself!!
0
 

Author Closing Comment

by:admintsg
ID: 31465864
Thanks!
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question