Solved

Set Security on File Server Folders for different Groups

Posted on 2009-04-06
Last Modified: 2012-05-06
We have a domain with a Domain Controller, Terminal Server, and File Server (three different physical machines). On the File Server is a folder named "Payroll". Under "Payroll" there are 4 subfolders named "Payroll Chicago", "Payroll Dallas", "Payroll Miami", & "Payroll Memphis". There is a group named "RESTRICTED" who needs access to the "Payroll" folder and all 4 subfolders and files contained therein. There is a group named "PAYROLL CLERKS" who need access through the "Payroll" folder and access to ONLY their own city's folder. The 4 subfolders have data dumped into them from 4 different domain users - one user in each city. So, each will need access to the main "Payroll" folder and to their own subfolder, i.e., domain user from Memphis needs access to "Payroll Memphis" but must be denied access to the other 3 subfolders, domain user from Miami needs access to "Payroll Miami" but must be denied access to the other 3 subfolders, and so on. Can this be done by "Security Permissions" on the folders themselves? Please advise.
Question by:baleman2
Accepted Solution

by:
Chris Dent earned 500 total points
ID: 24085455

Yep, it can be done. If I were doing this I would have 6 groups:

ACL - Payroll
  Description: Access to the Payroll share - Contains each of the groups below
ACL - Payroll - All
  Description: Access to all Payroll folders
ACL - Payroll - Chicago
  Description: Access to Payroll for Chicago
ACL - Payroll - Dallas
  Description: Access to Payroll for Dallas
ACL - Payroll - Miami
  Description: Access to Payroll for Miami
ACL - Payroll - Memphis
  Description: Access to Payroll for Memphis

Then I would apply them as follows:

Payroll
  Disable Inheritance (Security / Advanced and untick the Inherit from parent box)
  ACL - Payroll : Read (Must apply to this folder only)
  ACL - Payroll - All : Modify
  Administrators : Full Control
Payroll Chicago
  ACL - Payroll - Chicago : Modify
Payroll Dallas
  ACL - Payroll - Dallas : Modify
Payroll Miami
  ACL - Payroll - Miami : Modify
Payroll Memphis
  ACL - Payroll - Memphis : Modify

The group "ACL - Payroll - All" will gain Modify access to each folder because that right will be inherited from the Payroll folder. Each individual payroll department will only have access to their own folder.

You'll have to use Security / Advanced to change the ACL - Payroll right so it only applies to the current folder and doesn't get inherited.

Chris
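
The permission layout from the answer above, scripted in PowerShell as an added example (not part of the original answer). The path `D:\Payroll`, the domain name `CONTOSO` and the helper `New-AllowRule` are assumptions; the group names are the ones proposed above, and the script is meant to be run as an administrator on the file server.

```powershell
# Added example: applies the ACL layout described in the answer above.
# Assumed values (not from the thread): $Root path and $Domain name.
$Root   = 'D:\Payroll'
$Domain = 'CONTOSO'
$Cities = 'Chicago', 'Dallas', 'Miami', 'Memphis'

# Hypothetical helper: builds an Allow entry.
# $Inheritance 'None' = this folder only;
# 'ContainerInherit, ObjectInherit' = this folder, subfolders and files.
function New-AllowRule([string]$Identity, [string]$Rights, [string]$Inheritance) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $Inheritance, 'None', 'Allow'
}

# Payroll: disable inheritance without copying the inherited entries,
# then add the three entries listed in the answer.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-AllowRule "$Domain\ACL - Payroll" 'Read' 'None'))
$acl.AddAccessRule((New-AllowRule "$Domain\ACL - Payroll - All" 'Modify' 'ContainerInherit, ObjectInherit'))
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit'))
Set-Acl -Path $Root -AclObject $acl

# City folders: keep inheritance from Payroll and add the city group.
foreach ($city in $Cities) {
    $path = Join-Path $Root "Payroll $city"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule((New-AllowRule "$Domain\ACL - Payroll - $city" 'Modify' 'ContainerInherit, ObjectInherit'))
    Set-Acl -Path $path -AclObject $acl
}

# Check: the "ACL - Payroll" Read entry must not appear on any subfolder,
# otherwise every payroll group can read every city's folder.
foreach ($city in $Cities) {
    $path = Join-Path $Root "Payroll $city"
    $leak = (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq "$Domain\ACL - Payroll" }
    if ($leak) {
        Write-Warning "'ACL - Payroll' has access on '$path'; set its entry on Payroll to 'This folder only'."
    }
}
```

Explicit entries that already existed on the folders are left in place by this script, so review the resulting ACLs with `Get-Acl` before relying on them.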

Expert Comment

by:mikey1h
ID: 24092323
More easily... set up a share on all drives, under security on each drive add all the users/groups, and then set each one with specific allow and deny checkboxes. This way you will be able to modify each user or group's rights without having to move them from one group to another in the event of a change.

Author Comment

by:baleman2
ID: 24092358
Chris:
I've followed your instructions, implemented as you suggested - voila, perfect solution.  I do have a couple of questions.  If I add a couple of clerks in Chicago, all I've got to do is 1) create their account on the Domain Controller and  2) make those new users "members" of the Payroll - Chicago group???

Also, in setting security on the folders themselves, I've unticked the "inherit from parent" checkbox on both the Payroll group and the Payroll - All group.  Was this correct?  I used Security / Advanced to do this; however, from this window I had only the option to give the Payroll - All group "Full Control" instead of "Modify" rights.  Any problem with that?

Expert Comment

by:mikey1h
ID: 24092620
It is OK that way, but you shouldn't have to use the advanced tab; just under security click add, add the user name, and then once you OK it select their name in the box and give the proper rights. As far as the Chicago clerks, they SHOULD work, depending on how your VPN is set up. If you just used the default router-to-router VPN, then yes, they should be able to log on and access the domain and receive the permissions set up as in my prior post.

I do like Groups though for ease of configuring other options. In my company I have groups set up as Corporate office, Store Employees, and store managers. When I create a new user, I click the member of tab and add them to the appropriate group. That way if I have to assign a special permission or policy, or a logon script, I can assign it to the group and cover everyone in it. If this is not something you will be doing, then by all means, just add users... but don't forget to disable or delete their accounts when they terminate employment. If you choose the groups option, make sure under security AND permissions, you add the group to the box and set permissions there as well; however, you will NOT need to add each member of the group individually.

Author Closing Comment

by:baleman2
ID: 31567343
Thanks, Chris - exactly what I needed to do.

Expert Comment

by:Chris Dent
ID: 24094645

> make those new users "members" of the Payroll - Chicago group???

Yep. That's all :)

Full Control is a little more risky than I like because it allows other people to play with permissions. However, it's a limited risk so if you're happy don't worry too much :)

As long as you managed to change the right for the "Payroll" group so it only applied to the current folder then it should be fine. Otherwise everyone can read every folder.

Chris