Solved

Set Security on File Server Folders for different Groups

Posted on 2009-04-06
Last Modified: 2012-05-06
We have a domain with a Domain Controller, Terminal Server, and File Server (three different physical machines).  On the File Server is a folder named "Payroll".  Under "Payroll" there are 4 subfolders named "Payroll Chicago", "Payroll Dallas", "Payroll Miami", & "Payroll Memphis". There is a group named "RESTRICTED" who needs access to the "Payroll" folder and all 4 subfolders and files contained therein.  There is a group named "PAYROLL CLERKS" who need access through the "Payroll" folder and access to ONLY their own city's folder.  The 4 subfolders have data dumped into them from 4 different domain users - one user in each city.  So, each will need access to the main "Payroll" folder and to their own subfolder, i.e., domain user from Memphis needs access to "Payroll Memphis" but must be denied access to the other 3 subfolders, domain user from Miami needs access to "Payroll Miami" but must be denied access to the other 3 subfolders, and so on.  Can this be done by "Security Permissions" on the folders themselves?  Please advise.
Question by:baleman2
6 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points

Yep, it can be done. If I were doing this I would have 6 groups:

ACL - Payroll
  Description: Access to the Payroll share - Contains each of the groups below
ACL - Payroll - All
  Description: Access to all Payroll folders
ACL - Payroll - Chicago
  Description: Access to Payroll for Chicago
ACL - Payroll - Dallas
  Description: Access to Payroll for Dallas
ACL - Payroll - Miami
  Description: Access to Payroll for Miami
ACL - Payroll - Memphis
  Description: Access to Payroll for Memphis

Then I would apply them as follows:

Payroll
  Disable Inheritance (Security / Advanced and untick the Inherit from parent box)
  ACL - Payroll : Read (Must apply to this folder only)
  ACL - Payroll - All : Modify
  Administrators : Full Control
Payroll Chicago
  ACL - Payroll - Chicago : Modify
Payroll Dallas
  ACL - Payroll - Dallas : Modify
Payroll Miami
  ACL - Payroll - Miami : Modify
Payroll Memphis
  ACL - Payroll - Memphis : Modify

The group "ACL - Payroll - All" will gain Modify access to each folder because that right will be inherited from the Payroll folder. Each individual payroll department will only have access to their own folder.

You'll have to use Security / Advanced to change the ACL - Payroll right so it only applies to the current folder and doesn't get inherited.

Chris
0
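
The folder layout from the accepted answer, scripted as an added example (not part of the original thread). The domain name CORP and the path D:\Payroll are assumptions; the group names are the ones listed in the answer, and the script assumes an elevated PowerShell 5+ session on the file server.

```powershell
# Assumptions (not from the thread): domain CORP, share root D:\Payroll.
$domain = 'CORP'
$root   = 'D:\Payroll'
$cities = 'Chicago', 'Dallas', 'Miami', 'Memphis'

function New-Rule([string]$Identity, [string]$Rights, [bool]$Inherit) {
    # Inherit = $false gives a "This folder only" ACE; $true flows to subfolders and files.
    $flags = if ($Inherit) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $flags, 'None', 'Allow')
}

# Payroll: disable inheritance and drop the ACEs inherited from the parent.
# Explicit ACEs already on the folder are kept, so review them separately.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)
$acl.SetAccessRule((New-Rule 'BUILTIN\Administrators'       'FullControl' $true))
$acl.SetAccessRule((New-Rule "$domain\ACL - Payroll - All" 'Modify'      $true))
$acl.SetAccessRule((New-Rule "$domain\ACL - Payroll"       'Read'        $false))
Set-Acl -Path $root -AclObject $acl

# City folders: keep inheritance (All + Administrators) and add the city group.
foreach ($city in $cities) {
    $path = Join-Path $root "Payroll $city"
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRule((New-Rule "$domain\ACL - Payroll - $city" 'Modify' $true))
    Set-Acl -Path $path -AclObject $acl
}

# Check: the gate group "ACL - Payroll" must not appear on any subfolder.
# If it does, its Read ACE on Payroll is being inherited and every clerk
# can read every city's folder.
$leaks = Get-ChildItem -Path $root -Directory | ForEach-Object {
    $dir = $_.FullName
    (Get-Acl -Path $dir).Access |
        Where-Object { $_.IdentityReference.Value -eq "$domain\ACL - Payroll" } |
        ForEach-Object { $dir }
}
if ($leaks) {
    Write-Warning "ACL - Payroll is readable below the root: $($leaks -join ', ')"
} else {
    'OK: ACL - Payroll applies to the Payroll folder only.'
}
```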
 
LVL 3

Expert Comment

by:mikey1h
More easily... set up a share on all drives, under security on each drive add all the users/groups, and then set each one with specific allow and deny checkboxes. This way you will be able to modify each user or groups rights without having to move them from one group to another in the event of a change
0
 

Author Comment

by:baleman2
Chris:
I've followed your instructions, implemented as you suggested - voila, perfect solution.  I do have a couple of questions.  If I add a couple of clerks in Chicago, all I've got to do is 1) create their account on the Domain Controller and  2) make those new users "members" of the Payroll - Chicago group???

Also, in setting security on the folders themselves, I've unticked the "inherit from parent" checkbox on both the Payroll group and the Payroll - All group.  Was this correct?  I used Security / Advanced to do this; however, from this window I had only the option to give the Payroll - All group "Full Control" instead of "Modify" rights.  Any problem with that?
0
 
LVL 3

Expert Comment

by:mikey1h
It is ok that way, but you shouldn't have to use the advanced tab, just under security click add, add the user name, and then once you ok it select their name in the box and give the proper rights... As far as the Chicago clerks, they SHOULD work, depending on how your VPN is set up, if you just used the default router to router VPN, then yes, they should be able to log on and access the domain and receive the permissions set up as in my prior post


I do like Groups though for ease of configuring other options... In my company I have groups set up as Corporate office, Store Employees, and store managers... When I create a new user, I click the member of tab and add them to the appropriate group. That way if I have to assign a special permission or policy, or a logon script, I can assign it to the group and cover everyone in it. If this is not something you will be doing, then by all means, just add users... but don't forget to disable or delete their accounts when they terminate employment. If you choose the groups option, make sure under security AND permissions, you add the group to the box and set permissions there as well, however, will NOT need to add each member of the group individually
0
 

Author Closing Comment

by:baleman2
Thanks, Chris - exactly what I needed to do.
0
 
LVL 70

Expert Comment

by:Chris Dent

> make those new users "members" of the Payroll - Chicago group???

Yep. That's all :)

Full Control is a little more risky than I like because it allows other people to play with permissions. However, it's a limited risk so if you're happy don't worry too much :)

As long as you managed to change the right for the "Payroll" group so it only applied to the current folder then it should be fine. Otherwise everyone can read every folder.

Chris
0
