Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Set Security on File Server Folders for different Groups

Posted on 2009-04-06
6
Medium Priority
?
184 Views
Last Modified: 2012-05-06
We have a domain with a Domain Controller, Terminal Server, and File Server (three different physical machines).  On the File Server is a folder named "Payroll".  Under "Payroll" there are 4 subfolders named "Payroll Chicago", "Payroll Dallas", "Payroll Miami", & "Payroll Memphis". There is a group named "RESTRICTED" who needs access to the "Payroll" folder and all 4 subfolders and files contained therein.  There is a group named "PAYROLL CLERKS" who need access thru the "Payroll" folder and access to ONLY their own city's folder.  The 4 subfolders have data dumped into them from 4 different domain users - one user in each city.  So, each will need access to the main "Payroll" folder and to their own subfolder, i.e., domain user from Memphis needs access to "Payroll Memphis" but must be denied access to the other 3 subfolders, domain user from Miami needs access to "Payroll Miami" but must be denied access to the other 3 subfolders, and so on.  Can this be done by "Security Permissions" on the folders themselves.  Please advise.
0
Comment
Question by:baleman2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 24085455

Yep, it can be done. If I were doing this I would have 6 groups:

ACL - Payroll
  Description: Access to the Payroll share - Contains each of the groups below
ACL - Payroll - All
  Descritpion: Access to all Payroll folders
ACL - Payroll - Chicago
  Description: Access to Payroll for Chicago
ACL - Payroll - Dallas
  Description: Access to Payroll for Dallas
ACL - Payroll - Miami
  Description: Access to Payroll for Miami
ACL - Payroll - Memphis
  Description: Access to Payroll for Memphis

Then I would apply them as follows:

Payroll
  Disable Inheritance (Security / Advanced and untick the Inherit from parent box)
  ACL - Payroll : Read (Must apply to this folder only)
  ACL - Payroll - All : Modify
  Administrators : Full Control
Payroll Chicago
  ACL - Payroll - Chicago : Modify
Payroll Dallas
  ACL - Payroll - Dallas : Modify
Payroll Miami
  ACL - Payroll - Miami : Modify
Payroll Memphis
  ACL - Payroll - Memphis : Modify

The group "ACL - Payroll - All" will gain Modify access to each folder because that right will be inherited from the Payroll folder. Each individual payroll department will only have access to their own folder.

You'll have to use Security / Advanced to change the ACL - Payroll right so it only applies to the current folder and doesn't get inherited.

Chris
0
 
LVL 3

Expert Comment

by:mikey1h
ID: 24092323
More easily.... set up a share on all drives, under security on each drive add all the users/groups, and then set each one with specific allow and deny checkboxes.     This way you will be able to modify each user or groups rights without havin to move them from one group to another in the even t of a change
0
 

Author Comment

by:baleman2
ID: 24092358
Chris:
I've followed your instructions, implemented as you suggested - voila, perfect solution.  I do have a couple of questions.  If I add a couple of clerks in Chicago, all I've got to do is 1) create their account on the Domain Controller and  2) make those new users "members" of the Payroll - Chicago group???

Also, in setting security on the folders themselves, I've unticked the "inherit from parent" checkbox on both the Payroll group and the Payroll - All group.  Was this correct?  I used Security / Advanced to do this; however, from this window I had only the option to give the Payroll - All group "Full Control" instead of "Modify" rights.  Any problem with that?
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 3

Expert Comment

by:mikey1h
ID: 24092620
it is ok that way, but you shouldn't have to use the advanced tab, just under security click add, add the user name, and then once you ok it select their name in the box and give the proper rights....       as far as the Chicago clerks, they SHOULD work, depending on how your VPN is set up, if you just used the default router to router VPN, then yes, they should be able to log on and access the domain and receive the permissions set up as in my prior post


I do like Groups though for ease of configuring other options....     in my company I have groups set up as Corporate office, Store Employees, and store managers.....       when I create a new user, I click the member of tab and add them to the appropriate ggroup.   That way if I have to assing a special permission or policy, or a logon scripts, I can assign it to the group and cover everyone in it.    if this is not something you will be doing, then by all means, just add users.... but dont forget to disable or delete their accounts when they terminate employment.   If you choose the groups option, make sure under security AND permissions, you add the group to the box and set permissions there as well, however, will NOT need to add each member of the group individually
0
 

Author Closing Comment

by:baleman2
ID: 31567343
Thanks, Chris - exactly what I needed to do.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24094645

> make those new users "members" of the Payroll - Chicago group???

Yep. That's all :)

Full Control is a little more risky than I like because it allows other people to play with permissions. However, it's a limited risk so if you're happy don't worry too much :)

As long as you managed to change the right for the "Payroll" group so it only applied to the current folder then it should be fine. Otherwise everyone can read every folder.

Chris
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question