Solved

Set Security on File Server Folders for different Groups

Posted on 2009-04-06
Last Modified: 2012-05-06
We have a domain with a Domain Controller, Terminal Server, and File Server (three different physical machines). On the File Server is a folder named "Payroll". Under "Payroll" there are 4 subfolders named "Payroll Chicago", "Payroll Dallas", "Payroll Miami", & "Payroll Memphis". There is a group named "RESTRICTED" who needs access to the "Payroll" folder and all 4 subfolders and files contained therein. There is a group named "PAYROLL CLERKS" who need access thru the "Payroll" folder and access to ONLY their own city's folder. The 4 subfolders have data dumped into them from 4 different domain users - one user in each city. So, each will need access to the main "Payroll" folder and to their own subfolder, i.e., domain user from Memphis needs access to "Payroll Memphis" but must be denied access to the other 3 subfolders, domain user from Miami needs access to "Payroll Miami" but must be denied access to the other 3 subfolders, and so on. Can this be done by "Security Permissions" on the folders themselves? Please advise.
Question by:baleman2
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24085455

Yep, it can be done. If I were doing this I would have 6 groups:

ACL - Payroll
  Description: Access to the Payroll share - Contains each of the groups below
ACL - Payroll - All
  Description: Access to all Payroll folders
ACL - Payroll - Chicago
  Description: Access to Payroll for Chicago
ACL - Payroll - Dallas
  Description: Access to Payroll for Dallas
ACL - Payroll - Miami
  Description: Access to Payroll for Miami
ACL - Payroll - Memphis
  Description: Access to Payroll for Memphis

Then I would apply them as follows:

Payroll
  Disable Inheritance (Security / Advanced and untick the Inherit from parent box)
  ACL - Payroll : Read (Must apply to this folder only)
  ACL - Payroll - All : Modify
  Administrators : Full Control
Payroll Chicago
  ACL - Payroll - Chicago : Modify
Payroll Dallas
  ACL - Payroll - Dallas : Modify
Payroll Miami
  ACL - Payroll - Miami : Modify
Payroll Memphis
  ACL - Payroll - Memphis : Modify

The group "ACL - Payroll - All" will gain Modify access to each folder because that right will be inherited from the Payroll folder. Each individual payroll department will only have access to their own folder.

You'll have to use Security / Advanced to change the ACL - Payroll right so it only applies to the current folder and doesn't get inherited.

Chris
0
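
The layout from the accepted answer, scripted with `icacls` and then checked with `Get-Acl`, as an added example that is not part of the original answer. The path `D:\Payroll` and the domain name `EXAMPLE` are assumptions, and the six groups and four city folders are assumed to exist already.

```powershell
# Assumed values, not from the thread: share path and domain NetBIOS name.
$root   = 'D:\Payroll'
$domain = 'EXAMPLE'
$cities = 'Chicago', 'Dallas', 'Miami', 'Memphis'

# Root folder: grant the three entries first, then strip inherited ACEs.
#   (R) with no (OI)(CI)  -> applies to this folder only
#   (OI)(CI)(M) / (F)     -> this folder, subfolders and files
icacls $root /grant:r `
    "$domain\ACL - Payroll:(R)" `
    "$domain\ACL - Payroll - All:(OI)(CI)(M)" `
    "BUILTIN\Administrators:(OI)(CI)(F)"
icacls $root /inheritance:r

# City folders keep inheritance on, so they receive "ACL - Payroll - All" and
# Administrators from the root and add only their own city group.
foreach ($city in $cities) {
    $path = Join-Path $root "Payroll $city"
    icacls $path /grant:r "$domain\ACL - Payroll - ${city}:(OI)(CI)(M)"
}

# Check the caveat from the answer: the gateway group's Read entry must apply
# to the root folder only, otherwise every clerk can read every city folder.
$gateway = "$domain\ACL - Payroll"
$rootAces = (Get-Acl $root).Access |
    Where-Object { $_.IdentityReference.Value -eq $gateway }
if (-not $rootAces) {
    Write-Warning "'$gateway' has no entry on $root."
}
elseif ($rootAces | Where-Object { $_.InheritanceFlags -ne 'None' }) {
    Write-Warning "'$gateway' on $root is inheritable; set it to 'This folder only'."
}

foreach ($city in $cities) {
    $path = Join-Path $root "Payroll $city"
    $leak = (Get-Acl $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $gateway }
    if ($leak) {
        Write-Warning "'$gateway' has an entry on $path; all clerks can read it."
    }
}
```

No warnings from the second half means the Read entry stayed on the root folder and did not reach any city folder.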
 
LVL 3

Expert Comment

by:mikey1h
ID: 24092323
More easily.... set up a share on all drives, under security on each drive add all the users/groups, and then set each one with specific allow and deny checkboxes. This way you will be able to modify each user or group's rights without having to move them from one group to another in the event of a change
0
 

Author Comment

by:baleman2
ID: 24092358
Chris:
I've followed your instructions, implemented as you suggested - voila, perfect solution.  I do have a couple of questions.  If I add a couple of clerks in Chicago, all I've got to do is 1) create their account on the Domain Controller and  2) make those new users "members" of the Payroll - Chicago group???

Also, in setting security on the folders themselves, I've unticked the "inherit from parent" checkbox on both the Payroll group and the Payroll - All group.  Was this correct?  I used Security / Advanced to do this; however, from this window I had only the option to give the Payroll - All group "Full Control" instead of "Modify" rights.  Any problem with that?
0
 
LVL 3

Expert Comment

by:mikey1h
ID: 24092620
it is ok that way, but you shouldn't have to use the advanced tab, just under security click add, add the user name, and then once you ok it select their name in the box and give the proper rights....       as far as the Chicago clerks, they SHOULD work, depending on how your VPN is set up, if you just used the default router to router VPN, then yes, they should be able to log on and access the domain and receive the permissions set up as in my prior post


I do like Groups though for ease of configuring other options.... in my company I have groups set up as Corporate office, Store Employees, and store managers..... when I create a new user, I click the member of tab and add them to the appropriate group. That way if I have to assign a special permission or policy, or a logon script, I can assign it to the group and cover everyone in it. If this is not something you will be doing, then by all means, just add users.... but don't forget to disable or delete their accounts when they terminate employment. If you choose the groups option, make sure under security AND permissions, you add the group to the box and set permissions there as well, however, will NOT need to add each member of the group individually
0
 

Author Closing Comment

by:baleman2
ID: 31567343
Thanks, Chris - exactly what I needed to do.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 24094645

> make those new users "members" of the Payroll - Chicago group???

Yep. That's all :)

Full Control is a little more risky than I like because it allows other people to play with permissions. However, it's a limited risk so if you're happy don't worry too much :)

As long as you managed to change the right for the "Payroll" group so it only applied to the current folder then it should be fine. Otherwise everyone can read every folder.

Chris
0

Question has a verified solution.