Solved

How Do I Give Permission for a User to Access Only One Folder?

Posted on 2008-06-10
Last Modified: 2013-12-04
We have a part time employee who only needs access to one folder on our network.  She needs to read, save and edit the contents of the folder.  How do I set permissions on the share to deny access for this user to all other folders and to allow access to this single folder?
Question by:admintsg
 
LVL 25

Expert Comment

by:slam69
ID: 21753740
You will have to set deny permissions on all the other folders directly and set an allow permission on the one you want them to have access to.
0
 

Author Comment

by:admintsg
ID: 21753782
Isn't there an easier way than setting deny permission on 34 folders in order to allow access to 1?
0
 
LVL 25

Expert Comment

by:slam69
ID: 21753804
Well, I did network permissioning for Barclaycard and often had these scenarios, and I never found a way around this other than implicitly denying access and allowing where required.

The only way I can think of doing it would be removing the user from Domain Users and adding the user in directly, but then you will click inheritance to follow and they will have access to lots more folders. Try adding the permissions in one folder at a time, removing them from the Domain Users group and adding their access in one level at a time. Gonna be tricky though; I would still want to be denying them rights to the other folders.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21753823
There is an easier way. To be honest, you probably don't want to use Deny permissions unless you REALLY have to - they cause more problems than they solve.

Add the new user to a separate security group which has no permissions over any of the folders or their structure. If possible, remove the user from any groups which would allow the user to access any other folders. Then, just open the permissions on the folder the user must access and Add a permission for the pre-created security group with the necessary Allow rights. Provided that group is not added elsewhere, the user will have no other access.

When accessing the share, the user will need to use a direct path to that folder. i.e. \\server\share\folder(withpermissions).

-tigermatt
0
 
LVL 25

Expert Comment

by:slam69
ID: 21753849
Yup, and inheriting will give them access to all the other folders, which will have to be removed, so I would just put the deny in. Safest way is securest way; it's the way I have been taught. But sure, you can cut corners if needed, as I stated, by removing them from Domain Users; just I wouldn't want to do it that way.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21754967
I never mentioned about placing the permission on the main folder at the root of the structure. I simply mentioned about adding the ACL directly to the downlevel folder which the user needs access to. This can be done - even while still using inheritance - and, if necessary, the ACL on the downlevel folder can be configured so it doesn't apply to any subfolders of that folder.

The problem with Deny permissions is that you have to go through and do it on every folder - and if a new subfolder of the main share root is created, you have to remember to add the Deny permission to that folder, too. It's always best to be inclusive - just set the required Allow permissions - rather than try to set lots of Deny permissions, wherever possible. I can't remember the last time I needed to set a Deny permission on a Folder structure.

Please don't take this comment personally - I'm just providing an alternative solution and explaining the benefits of this solution.
0
 

Author Comment

by:admintsg
ID: 21755735
Tigermatt, I like your response, but can you walk me through the steps to do this?  There are a lot of variables involved.
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 125 total points
ID: 21757352
OK, here goes:

1. Ensure the new user account is NOT a member of any groups which may inherit some permissions over other folders in the folder structure.
2. Create a new security group - something like "Restricted Directory Access Part-time User" - and make the user a member of it.
3. Now, open the Security tab on the folder the user must manage (NOT the root folder), press Advanced, then Add, locate the security group you created above, press OK then assign the correct permissions.
5. Since you are not adding the permission at the root level, but at the level of the folder the user will be accessing, this does not give the user access elsewhere. Also, you do not need to turn off inheritance before adding the permissions. You CAN add permissions over the top of inherited permissions - that is possible!

-tigermatt
0
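The steps in the accepted answer, scripted as an added example (not code from the thread or its participants). It assumes the ActiveDirectory PowerShell module is available; the account name `ptuser`, the paths under `D:\Shares\Data`, and the choice of a domain local group are hypothetical placeholders, and the last section is an added check that reports other folders the account can still reach.

```powershell
# Added example; every name and path below is a hypothetical placeholder.
Import-Module ActiveDirectory

$User      = 'ptuser'                                     # hypothetical account
$GroupName = 'Restricted Directory Access Part-time User' # name suggested in the answer
$ShareRoot = 'D:\Shares\Data'                             # hypothetical share root
$Target    = Join-Path $ShareRoot 'Projects'              # the one folder she needs

# Step 1: record the user's current groups so inherited access can be reviewed.
$memberOf = Get-ADPrincipalGroupMembership -Identity $User |
    Select-Object -ExpandProperty SamAccountName
# Identities every domain account matches without explicit membership; the
# local Users group normally includes them. An Allow entry for any of these
# still applies no matter which groups the account is removed from.
$implicit = 'Everyone', 'Authenticated Users', 'Users'

# Step 2: create the group and add the user.
# Group scope is an assumption; the thread does not settle it.
New-ADGroup -Name $GroupName -SamAccountName $GroupName `
    -GroupScope DomainLocal -GroupCategory Security
Add-ADGroupMember -Identity $GroupName -Members $User

# Step 3: add an explicit Allow entry on the target folder only.
# Inheritance stays on; Modify covers read, save and edit.
$acl  = Get-Acl -Path $Target
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:USERDOMAIN\$GroupName", 'Modify',
    'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Target -AclObject $acl

# Check: list every other top-level folder with an Allow entry the user matches.
Get-ChildItem -Path $ShareRoot -Directory |
    Where-Object { $_.FullName -ne $Target } |
    ForEach-Object {
        $folder = $_.FullName
        (Get-Acl -Path $folder).Access |
            Where-Object {
                $name = ($_.IdentityReference.Value -split '\\')[-1]
                $_.AccessControlType -eq 'Allow' -and
                (($memberOf -contains $name) -or ($implicit -contains $name))
            } |
            Select-Object @{n='Folder';e={$folder}}, IdentityReference, FileSystemRights
    }
```

An empty result from the final pipeline means no sibling folder grants the account access through its group memberships or the listed well-known identities; any row it prints is a folder whose ACL still needs review.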
 

Author Comment

by:admintsg
ID: 21757689
Thanks!  I'll give it a try tomorrow and let you know how it works.
0
 
LVL 25

Expert Comment

by:slam69
ID: 21758642
@tigermatt ----- Of course not taken personally, bud. If I did, that would be a very angry world... I don't completely disagree with your method, just I would do it differently. If we all did things the same, life would be dull ;o)

Jay
0
 

Author Comment

by:admintsg
ID: 21764039
Should the security group be Universal, Global or Domain local?  Do I need to remove all other users from the Security tab in the group properties?
0
 
LVL 25

Expert Comment

by:slam69
ID: 21764077
Eh? Why are you creating a new security group for one user? If you choose to do it that way, you really need to gain some knowledge on security groups or you are going to cause yourself a big headache. If you need other people to access, then don't take out any other groups, especially the domain admin group, or you will have no access or admin rights yourself!!
0
 

Author Closing Comment

by:admintsg
ID: 31465864
Thanks!
0
