
Setting Permissions

Posted on 2009-07-16
Last Modified: 2012-05-07
I am having difficulty assigning permissions. I am sharing a folder with everyone. Within that is another folder shared with everyone and within that folder I only want the creator and the server administrator to see the contents of that last folder. This network has 1 domain controller and it is on the same server that I am working with.

I get the last folder set in the security section with Owner and Administrator the only ones listed but all the other workstations can open the folder.
Question by:kyleboca
14 Comments
 
LVL 3

Expert Comment

by:ZuluGr
ID: 24871049
Go to the advanced settings, and see if there are the permissions from the parent folder which are inherited there. Remove those, or block inheritance.
0
 

Author Comment

by:kyleboca
ID: 24871383
I did that.
0
 
LVL 3

Expert Comment

by:ZuluGr
ID: 24871879
Try and see the effective permissions for the last folder for different user accounts as well as everyone, and see what you get. They should not have access rights.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24873846

You state "all the other workstations can open the folder", but don't include any information on what user accounts you are logging into those workstations with.

NTFS permissions are not applied on a computer-basis, so you cannot lock a folder based on the workstation it is being accessed from. Permissions are user-specific. If you log in to the workstation using the Administrator account, you will have access. This is because the permissions are granted to that account.

Firstly, when you say 'Owner', how are you filtering based on this? Using the 'CREATOR OWNER' placeholder account in the permissions? If so, go to the Advanced button on the folder's security tab and click 'Owner' - who is the current owner displayed as?

-Matt
0
 

Author Comment

by:kyleboca
ID: 24877369
Hi Matt. Thanks for your reply.

If the user logs into his/her local machine as an administrator, that will allow them to access any folder on the server? I did not realize that. Most workstations here are administrator accounts.

How would you recommend securing some folders on the server from all users?
0
 
LVL 3

Expert Comment

by:ZuluGr
ID: 24880152
If they are domain administrators, there is nothing you can do to secure those folders, because even if you create a new administrative account to have access to the shares, a domain administrator can still take ownership and set the permissions to add himself.
If you need the users to be administrators on their local computers, you can assign them a simple domain user account, which will be in the local administrators group on each computer, and allow access to that folder only for domain admins.
0
 

Author Comment

by:kyleboca
ID: 24880556
There is only one domain administrator. The rest are just domain users. They are administrators on their local machines but just users on the domain.
0
 
LVL 3

Expert Comment

by:ZuluGr
ID: 24881093
If the file server is a member server, then if the users are not local admins on that server, and just domain users, then if you set the folder permissions to grant access only to the domain admins group, then they should not be able to access it.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24885633

>> If the user logs into his/her local machine as an administrator

There are two types of Administrator - a Domain Administrator and a Local Administrator of an individual workstation/Member Server. The users would have to be Domain Administrators for their access to the files on the domain to be unrestricted.

As a local administrator but a regular domain user they cannot change the permissions on another machine.

Have you managed to get the permissions working properly now? My policy is to set 'Everyone' with Full Control at Share level and then filter permissions at the more granular NTFS level.

-Matt
0
 

Author Comment

by:kyleboca
ID: 24886497
Tigermatt,

Thanks for your reply.

I haven't had a chance to go back to that project yet. Here is what I am trying to do in detail.

I am relocating every workstation's My Documents folder to the server which is the only server in the network and functions as the domain controller. Server 2008. I only want the workstation user and the domain administrator (me) to be able to have access to the folder so that the My Documents of each workstation cannot be viewed by other people in the company.

The directory tree is:

C:\
    Volume1---Full access by all.
         Work_Station_My_Documents---full access by all.
               User1---full access to user 1 and domain admin
               User2---full access to user 2 and domain admin
               Etc...

All workstation users have administrator rights on their individual workstations. None are domain admins and there are only 3 who have Administrator rights on the server.

I don't have a great deal of experience with server OS's so please pardon my ignorance.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24888906

The permissions structure you have described looks correct to me and should only allow User 1 and the Domain Admin access to User1's folder on the server.

I'm a little confused at how this isn't working. Can you explain where this is falling apart?

Thanks!

-Matt
0
 

Author Comment

by:kyleboca
ID: 24891128
Hi Matt,

If I go to another user's workstation under their log on I can see the contents of the other folders.

I will double check some things tomorrow and get back to you but that is how it was operating the last time I tried it.

Kyle
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24919276

>> If I go to another user's workstation under their log on I can see the contents of the other folders.

If you log in as another user (at any machine), you should only be able to access that user's own directory. If permissions are set properly, you shouldn't have access to any other users' folders.

Look forward to hearing back from you. Some screenshots of the permissions screens might be helpful in troubleshooting this further.

-Matt
0
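The checks suggested in this thread (inherited entries, current owner, who else is granted access) can be run across every user folder at once. The script below is an added example, not code from any poster. It assumes PowerShell 3.0 or later, the folder path from the directory tree above, that each subfolder is named after the account it belongs to, and `CONTOSO` as a placeholder domain name.

```powershell
# Added example: audit per-user folders for NTFS entries that let other accounts in.
# Assumptions: the path follows the tree posted in the thread, each subfolder is
# named after its user's account, and CONTOSO is a placeholder domain name.
param(
    [string]$Root   = 'C:\Volume1\Work_Station_My_Documents',
    [string]$Domain = 'CONTOSO'
)

# Principals expected on every user folder besides the user themselves.
$expected = @(
    "$Domain\Domain Admins",
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM'
)

Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $acl     = Get-Acl -LiteralPath $_.FullName
    $allowed = $expected + "$Domain\$($_.Name)"

    # Allow entries for anyone outside the expected set (Everyone, Users, ...).
    $extra = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $allowed -notcontains $_.IdentityReference.Value
    }

    [pscustomobject]@{
        Folder             = $_.Name
        Owner              = $acl.Owner
        # False means entries from the parent folder still flow down.
        InheritanceBlocked = $acl.AreAccessRulesProtected
        UnexpectedAllow    = ($extra | ForEach-Object {
            '{0} ({1}{2})' -f $_.IdentityReference, $_.FileSystemRights,
                $(if ($_.IsInherited) { ', inherited' } else { '' })
        }) -join '; '
    }
} | Format-Table -AutoSize -Wrap
```

A folder that shows `InheritanceBlocked` as False, or lists `Everyone` or a Users group under `UnexpectedAllow`, is readable by other accounts regardless of what the explicit entries say. The script reads NTFS permissions only; share-level permissions are evaluated separately.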
 

Accepted Solution

by:
kyleboca earned 0 total points
ID: 25337470
I am going to close out this thread and start over on this project when I have time to revisit it.
0
