Windows 2003 Folder Permissions Problems  - - - Urgent

Posted on 2008-10-28
Medium Priority
Last Modified: 2009-01-21
I'm in the process of move share from my old file server to my new one using Secure Copy 4.11. Anyway my share structure on my new server is as follows:
All of the users home directories go under the "Home" direcotory folder. Anyway my newly migratied shares have not only the domain user listed but the following groups as well: USERS, Creator, SYStem and of course Administrators. Is it ok for me to remove the USERS, CREATOR & SYSTEM groups from the parents folders? What are the downsides of doing this? What is the purposes of these groups? How do share and ntfs permissions differ??

Thanks Again.
Question by:compdigit44
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 32

Expert Comment

ID: 22821099
The share permissons allow you to share a folder or a drive.  The NTFS permissions allow you to control the permissions to a specific file or directory within a share.

The way I work(and probably many others too) you give full control with your share permissions and then control file and directory access with the NTFS permissions.  Here is one of may links wth further information.

LVL 20

Author Comment

ID: 22821170
Thanks for the reply nappy_d: I'm still confused though...What is the purpose of the follow local group though: server\Creator Owner, server\System & server\Users. Is it ok for me to remove these group from the parent directory so these extra group do no propogate to the child folders? What are the purposes of these groups???????/
LVL 32

Expert Comment

ID: 22821208
Before removing any permissions, make sure you have sound understanding of what is being done.

Those permissions are the defaulted permissions added by your system.  The only one I may suggest you look at removing is users.


Users are generally people who are not admins but need access to the computer or files.

Creator Owner, is the person who created the directory and thus becomes the owner

You should draw outon paper how you want your permissions setup before you start making changes.
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

LVL 20

Author Comment

ID: 22821304
Does Microsoft or any other website out there list what the purpose of these defaults groups in Windows 2003 do??
LVL 32

Expert Comment

ID: 22821355
Yes they do.

As mentioned the defaults are exactly that, they are the basic building blocks provided.  It would then be up to you or the admin(if you are not he/she) to modify them as you see fit.

The defaults do show what they do.  Every group can have different levels of permissions; Read, Write, Modify, Full Control, Read/Execute, List Folder contents13.  On top of that there are an additional 13 or so advanced permissions.

Take a look here...  http://www.windowsitlibrary.com/Content/592/toc.html
LVL 20

Author Comment

ID: 22825045
Thank for the reply I guess I'm just not understanding the purpose of the Creator Owner & System groups>...

LVL 32

Accepted Solution

nappy_d earned 2000 total points
ID: 22825236
Once you start reading thru that last link I posted, it will all make sense.

Think of it as this analogy:

You have a house with several rooms:

Anyone can enter the house(this is your share)

But, inside the house you only want certain people to enter the different rooms(This is where your NTFS permissions take over).

Does that make sense?

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question