Set Security on File Server Folders for different Groups

We have a domain with a Domain Controller, Terminal Server, and File Server (three different physical machines). On the File Server is a folder named "Payroll". Under "Payroll" there are 4 subfolders named "Payroll Chicago", "Payroll Dallas", "Payroll Miami", & "Payroll Memphis". There is a group named "RESTRICTED" who needs access to the "Payroll" folder and all 4 subfolders and files contained therein. There is a group named "PAYROLL CLERKS" who need access through the "Payroll" folder and access to ONLY their own city's folder. The 4 subfolders have data dumped into them from 4 different domain users - one user in each city. So, each will need access to the main "Payroll" folder and to their own subfolder, i.e., domain user from Memphis needs access to "Payroll Memphis" but must be denied access to the other 3 subfolders, domain user from Miami needs access to "Payroll Miami" but must be denied access to the other 3 subfolders, and so on. Can this be done by "Security Permissions" on the folders themselves? Please advise.
baleman2 Asked:
 
Chris Dent (PowerShell Developer) Commented:

Yep, it can be done. If I were doing this I would have 6 groups:

ACL - Payroll
  Description: Access to the Payroll share - Contains each of the groups below
ACL - Payroll - All
  Description: Access to all Payroll folders
ACL - Payroll - Chicago
  Description: Access to Payroll for Chicago
ACL - Payroll - Dallas
  Description: Access to Payroll for Dallas
ACL - Payroll - Miami
  Description: Access to Payroll for Miami
ACL - Payroll - Memphis
  Description: Access to Payroll for Memphis

Then I would apply them as follows:

Payroll
  Disable Inheritance (Security / Advanced and untick the Inherit from parent box)
  ACL - Payroll : Read (Must apply to this folder only)
  ACL - Payroll - All : Modify
  Administrators : Full Control
Payroll Chicago
  ACL - Payroll - Chicago : Modify
Payroll Dallas
  ACL - Payroll - Dallas : Modify
Payroll Miami
  ACL - Payroll - Miami : Modify
Payroll Memphis
  ACL - Payroll - Memphis : Modify

The group "ACL - Payroll - All" will gain Modify access to each folder because that right will be inherited from the Payroll folder. Each individual payroll department will only have access to their own folder.

You'll have to use Security / Advanced to change the ACL - Payroll right so it only applies to the current folder and doesn't get inherited.

Chris
0
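The layout described in the answer above, scripted in PowerShell as an added example (it is not part of the original answer). The share path `D:\Payroll` and the domain name `CONTOSO` are assumptions, and the six groups must already exist.

```powershell
# Assumptions (not from the thread): share root D:\Payroll, domain CONTOSO.
# Run in an elevated session on the file server.
$root   = 'D:\Payroll'
$domain = 'CONTOSO'
$cities = 'Chicago', 'Dallas', 'Miami', 'Memphis'

$thisFolderOnly    = 'None'                            # "This folder only"
$folderSubAndFiles = 'ContainerInherit, ObjectInherit' # "This folder, subfolders and files"

function New-AllowRule {
    param([string]$Identity, [string]$Rights, [string]$Inherit)
    # PropagationFlags 'None' = ordinary propagation to whatever $Inherit selects.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Inherit, 'None', 'Allow'
}

# --- Payroll (parent folder) ---
$acl = Get-Acl -LiteralPath $root
# Disable inheritance ($true) and discard the entries inherited so far ($false).
$acl.SetAccessRuleProtection($true, $false)
# Read on this folder only: lets every payroll group reach the subfolders
# without that right flowing down into them.
$acl.AddAccessRule((New-AllowRule "$domain\ACL - Payroll" 'Read' $thisFolderOnly))
# Modify, inherited by all four city folders.
$acl.AddAccessRule((New-AllowRule "$domain\ACL - Payroll - All" 'Modify' $folderSubAndFiles))
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' $folderSubAndFiles))
Set-Acl -LiteralPath $root -AclObject $acl

# --- City subfolders: inheritance stays on, one extra Modify entry each ---
foreach ($city in $cities) {
    $path = Join-Path $root "Payroll $city"
    $acl  = Get-Acl -LiteralPath $path
    $acl.AddAccessRule((New-AllowRule "$domain\ACL - Payroll - $city" 'Modify' $folderSubAndFiles))
    Set-Acl -LiteralPath $path -AclObject $acl
}

# --- Check: the umbrella group's Read entry must not be inheritable ---
$leak = (Get-Acl -LiteralPath $root).Access | Where-Object {
    $_.IdentityReference -like '*\ACL - Payroll' -and $_.InheritanceFlags -ne 'None'
}
if ($leak) { Write-Warning "'ACL - Payroll' is inheritable: every member can read every city folder." }

# Show the effective entries for review.
Get-ChildItem -LiteralPath $root -Directory | ForEach-Object {
    $_.FullName
    (Get-Acl -LiteralPath $_.FullName).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
}
```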
 
mikey1h Commented:
More easily.... set up a share on all drives, under security on each drive add all the users/groups, and then set each one with specific allow and deny checkboxes.     This way you will be able to modify each user's or group's rights without having to move them from one group to another in the event of a change
0
 
baleman2 (Author) Commented:
Chris:
I've followed your instructions, implemented as you suggested - voila, perfect solution.  I do have a couple of questions.  If I add a couple of clerks in Chicago, all I've got to do is 1) create their account on the Domain Controller and  2) make those new users "members" of the Payroll - Chicago group???

Also, in setting security on the folders themselves, I've unticked the "inherit from parent" checkbox on both the Payroll group and the Payroll - All group.  Was this correct?  I used Security / Advanced to do this; however, from this window I had only the option to give the Payroll - All group "Full Control" instead of "Modify" rights.  Any problem with that?
0

 
mikey1h Commented:
It is ok that way, but you shouldn't have to use the advanced tab, just under security click add, add the user name, and then once you ok it select their name in the box and give the proper rights....       As far as the Chicago clerks, they SHOULD work, depending on how your VPN is set up, if you just used the default router to router VPN, then yes, they should be able to log on and access the domain and receive the permissions set up as in my prior post


I do like Groups though for ease of configuring other options....     In my company I have groups set up as Corporate office, Store Employees, and store managers.....       When I create a new user, I click the member of tab and add them to the appropriate group.   That way if I have to assign a special permission or policy, or a logon script, I can assign it to the group and cover everyone in it.    If this is not something you will be doing, then by all means, just add users.... but don't forget to disable or delete their accounts when they terminate employment.   If you choose the groups option, make sure under security AND permissions, you add the group to the box and set permissions there as well, however, you will NOT need to add each member of the group individually
0
 
baleman2 (Author) Commented:
Thanks, Chris - exactly what I needed to do.
0
 
Chris Dent (PowerShell Developer) Commented:

> make those new users "members" of the Payroll - Chicago group???

Yep. That's all :)

Full Control is a little more risky than I like because it allows other people to play with permissions. However, it's a limited risk so if you're happy don't worry too much :)

As long as you managed to change the right for the "Payroll" group so it only applied to the current folder then it should be fine. Otherwise everyone can read every folder.

Chris
0