?
Solved

Clarification of Folder Permissions

Posted on 2008-11-06
7
Medium Priority
?
201 Views
Last Modified: 2012-05-05
I am still having problems with the folder permissions.  My folder setup again is as follows....
Parent Folder
Sharing - Admin = Full Permission, Domain Admin = Full Permission, Domain Users = Read Permissions
Security - Admin = Full Permission, Domain Admin = Full Permission, Domain Users = Read & Execute, List Folder, Read Permissions

Sub Folder
Sharing - Admin = Full Permission, Domain Admin = Full Permission, Group A = Read Permissions
Security - Admin = Full Permission, Domain Admin = Full Permission, Group A = Modify, Read & Execute, List Folder, Read, Write Permissions

When I login as a user in Group A, I can see the subfolder and access the subfolder, however I cannot create a folder, or file - Access Denied.  I had even given Group A full permission for both sharing and security, and still received the Access Denied when I tried to create a folder or file as a user in Group A.

Also, at no level has the deny right been selected.

If anyone can assist me with this, it would be greatly appreciated.
0
Comment
Question by:smastror
7 Comments
 
LVL 1

Expert Comment

by:Tsun4mi7
ID: 22896433
I'd recommend granting full access on the share permissions to the "Group A", then control all of the access through the NTFS security
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22896439
If you are accessing the sub-folder directly then the SHARE permissions of the parent have no effect - you are not accessing via the parent.

If you go directly to the sub-folder share then Group A has only read permissions on the share, and therefore Access is denyed when you attempt to create a new folder.
0
 

Author Comment

by:smastror
ID: 22896698
KCTS, I had previously given Group A full access for both the Share and Security for the subfolder, and still could not create folders or files - Access Denied.  I just tried this again, with Group A having Full Access for Share and Security, still access denied.

0
Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

 
LVL 1

Expert Comment

by:Tsun4mi7
ID: 22896758
log off then back on as a user in group A, still the same?

Try applying the permissions to a specific user / test account that's not in Group A. Still the same?
0
 
LVL 12

Expert Comment

by:jjmartineziii
ID: 22897221
When changing group membership permissions, you need to log off and log in for changes to take effect. Microsoft best practice is to give authenticated users full share control and use NTFS permissions to lock it down.

NTFS uses the most restrictive set of permissions.
0
 
LVL 18

Accepted Solution

by:
Americom earned 2000 total points
ID: 22900131
If you adjust the permissions for GroupA on the shared folder, no need to logoff and back in. It should be applied immediately.

If you access the share by \\ServerName\MainFolderShareName\SubFolderShareName\, you would have no permission to create folder or file due to the most restrictive of share&NTFS on the shared MainFolder which is READ.

If you access the share by \\ServerName\SubFolderDShareName\, you would still have NO permission to create folder or file due to the most restrictive of share&NTFS on the shared SubFolder which is READ.

So, if you had previously given Group A full access for both the Share and Security for the subfolder, you should be able to create file or folder if you access via \\ServerName\SubFolderDShareName\ but NOT via \\ServerName\MainFolderShareName\SubFolderShareName\.

This means normally you would stay away from Share within a Share unless your main folder already created and has became quite large and the subfolder you only want to share with a different group of user and would not want to pull it out of the main foler. Otherwise, you should create share only on the MainFolder as:
MainFolder
Share--Everyone or Authenticated Users, sometime Domain Users(Full)
Security--Group(s) that manage the filesystem (Full), Domain Users (RX)

SubFolder
Security--Group(s) that manage the filesystem (Full) & Domain Users (RX)[ should be inherited], GroupA (M)

Should never grant permission with individual account. Always use Group, yes even only one account.

0
 

Author Closing Comment

by:smastror
ID: 31513964
Thank  you for all your help.  The shares are setup properly now.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question