admintsg
asked on
How Do I Give Permission for a User to Access Only One Folder?
We have a part time employee who only needs access to one folder on our network. She needs to read, save and edit the contents of the folder. How do I set permissions on the share to deny access for this user to all other folders and to allow access to this single folder?
you will have to set deny permissions on all the other folders directly and set an allow permission on the one you want them to have access to
ASKER
Isn't there an easier way than setting deny permission on 34 folders in order to allow access to 1?
well i did network permissioning for barclaycard and often had these scenarios and i never found a way around this other than implicity denying access and allowing where required.
The only way i can think of doing it would be removing the user from domain users and adding the user in directly but then you will click inheritence to follow and they will have access to lots more folders, try adding the permissions in one folder at a time, removing them from domain users group and adding their access in one level at a time, gonna be tricky though i would still want to be denying them rights to teh other folders
The only way i can think of doing it would be removing the user from domain users and adding the user in directly but then you will click inheritence to follow and they will have access to lots more folders, try adding the permissions in one folder at a time, removing them from domain users group and adding their access in one level at a time, gonna be tricky though i would still want to be denying them rights to teh other folders
There is an easier way. To be honest, you probably don't want to use Deny permissions unless you REALLY have to - they cause more problems than they solve.
Add the new user to a separate security group which has no permissions over any of the folders or their structure. If possible, remove the user from any groups which would allow the user to access any other folders. Then, just open the permissions on the folder the user must access and Add a permission for the pre-created security group with the necessary Allow rights. Provided that group is not added elsewhere, the user will have no other access.
When accessing the share, the user will need to use a direct path to that folder. i.e. \\server\share\folder(with permission s).
-tigermatt
Add the new user to a separate security group which has no permissions over any of the folders or their structure. If possible, remove the user from any groups which would allow the user to access any other folders. Then, just open the permissions on the folder the user must access and Add a permission for the pre-created security group with the necessary Allow rights. Provided that group is not added elsewhere, the user will have no other access.
When accessing the share, the user will need to use a direct path to that folder. i.e. \\server\share\folder(with
-tigermatt
yup and inheriting will give them access to all the other folders which will have to be removed so i would just put the deny in safest way is securest way its the way i have been taught but sure you can cut corners if needed as i stated by removing them reom domain users just i wouldnt want to do it that way
I never mentioned about placing the permission on the main folder at the root of the structure. I simply mentioned about adding the ACL directly to the downlevel folder which the user needs access to. This can be done - even while still using inheritence - and, if necessary, the ACL on the downlevel folder can be configured so it doesn't apply to any subfolders of that folder.
The problem with Deny permissions is that you have to go through and do it on every folder - and if a new subfolder of the main share root is created, you have to remember to add the Deny permission to that folder, too. It's always best to be inclusive - just set the required Allow permissions - rather than try to set lots of Deny permissions, wherever possible. I can't remember the last time I needed to set a Deny permission on a Folder structure.
Please don't take this comment personally - I'm just providing an alternative solution and explaining the benefits of this solution.
The problem with Deny permissions is that you have to go through and do it on every folder - and if a new subfolder of the main share root is created, you have to remember to add the Deny permission to that folder, too. It's always best to be inclusive - just set the required Allow permissions - rather than try to set lots of Deny permissions, wherever possible. I can't remember the last time I needed to set a Deny permission on a Folder structure.
Please don't take this comment personally - I'm just providing an alternative solution and explaining the benefits of this solution.
ASKER
Tigermatt, I like your response, but can you walk me through the steps to do this? There are a lot of variables involved.
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Thanks! I'll give it a try tomorrow and let you know how it works.
@tigermatt-----of course not taken personally bud.. if i did that would be a very angry world... i dont completely disagree with your method just i would do it differently, if we all did things the same life would be dull ;o)
Jay
Jay
ASKER
Should the security group be Universal, Global or Domain local? Do I need to remove all other users from the Security tab in the group properties?
eh? why are you creating a new security group for one user? if you chose to do it that way you really need to gain some knowledge on security groups or you are going to cause yourself a big headache, if you need other people to access then dont take out anyo ther groups, especially the domain admin group or you will have no access or admin rights yourself!!
ASKER
Thanks!