
restricting access to NTFS shared folders

king daddy asked:
Greetings experts,

Not sure where to post this.

On a win 2003 server in my domain, I had to move an entire shared folder containing about 70 user folders. Before the move only the logged in user and the admin had access, now everyone has access to everyone's folder. How can I restrict access to all except the logged on user without having to explicitly add all other users in the domain and give them deny rights?

thanks in advance

Commented:
You are going to need to use CACLS.EXE to reset some permissions.  I don't have time to figure out the script right now, but maybe another expert can help out?
Paul MacDonald, Director, Information Systems

Commented:
Share the containing folder with Everyone (or Domain Users); then give Full Control to Creator Owner (or the specific user) and Domain Admins on the individual folders.
Paul MacDonald, Director, Information Systems
Commented:
That should read:
"Share the containing folder with Everyone (or Domain Users); then set the NTFS permissions to give Full Control to Creator Owner (or the specific user) and Domain Admins on the individual folders."
If it's not too late, you can use RoboCopy to re-copy the folders/files to the new location, keeping all the NTFS permissions intact.

Author

Commented:
paulmacd - unfortunately it's too late. The containing folder has permissions set to Everyone full control, change, and read under the Sharing tab > Permissions button. Under the Security tab, Creator Owner has nothing checked and Domain Users has all checked, except special permissions. On any given individual user folder, Creator Owner has nothing checked and Domain Users has all checked but grayed out. Should I add each individual user to their own folder, give them full control (admins too), then remove the Domain Users group completely from the Security tab?
Director, Information Systems
Commented:
"should I add each individual user to their own folder, give them full control (admins too), then remove the domain users group completely from the security tab?"
Yes, exactly.  You'll likely have to go into the Advanced settings on the Security tab, Change Permissions, and clear the "Inherit permissions" checkbox.  You can add the new permissions in this same place; delete the old ones and make a point of checking the "Replace old permissions" checkbox.  This will reset the permissions on items already in the folder.
Make a copy of an existing folder and practice on it so you get the hang of it.

Author

Commented:
paulmacd - thanks. While I was waiting I tried and noticed I had to do exactly that (inherit permissions issue). OK, tried it out. But when I went to the UNC path through Windows Explorer (\\server\users) it stated it couldn't be found. So I typed \\server and all other shares were listed except users. Is that correct? I checked the Permissions and Security tabs on the containing folder (users) and it was the same (Domain Users and admins full control) and it was still showing shared as users. I can still hit my user folder from the mapped drive (through login script). Again, is it correct that I shouldn't be able to see the users share, and all user folders, from a UNC path now? I thought I'd be able to see all folders, just not have access to open them.
Commented:
Paste the script below into a text file with a .cmd extension.  Customize the value of the folder variable on line 4 with the location of the folder containing the users' folders.  Place subinacl.exe in the same directory as the script or in a location in the system path, e.g. C:\WINDOWS.

Running the script will reset NTFS permissions on each folder so that the appropriate user and the Administrators group have Full Control.  It will also make each user the owner of his folder and all files under it.

Test this carefully before running it in a production environment.


@echo off
setlocal

set folder=c:\Home Directories
set log=errorlog.txt

rem Each subfolder of %folder% is assumed to be named after its user's account name.
rem For each folder: reset the DACL so only that user and Administrators have Full Control,
rem then make the user the owner of the folder and of everything under it.
rem cacls: /T recurses, /C continues past access-denied errors, /G without /E replaces the
rem existing ACL with the listed grants; "echo Y|" answers the "Are you sure" prompt.
rem Errors from all three commands are appended to %log%.
for /F "tokens=*" %%G in ('dir "%folder%" /A:D /B') do (
 echo Y|cacls "%folder%\%%G" /T /C /G "%%G":F administrators:F > NUL 2>>"%log%"
 subinacl /errorlog="%log%" /file "%folder%\%%G" /setowner="%%G" > NUL 2>&1
 subinacl /errorlog="%log%" /subdirectories "%folder%\%%G\*" /setowner="%%G" > NUL 2>&1
)

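The same reset done in PowerShell, as an added example that is not from this thread or from Shift-3's script: it first audits which user folders still grant Domain Users or Everyone, and only with -Fix breaks inheritance, leaves just the user and Administrators with Full Control, sets the owner, and re-applies inheritance to the files below (the "Replace permissions" step). $Root and $Domain are placeholders; it assumes each folder name matches the user's account name and that it runs in an elevated session on the file server.

```powershell
param(
    [string]$Root   = 'C:\Home Directories',   # placeholder: folder that holds the user folders
    [string]$Domain = 'CONTOSO',               # placeholder: NetBIOS name of the domain
    [switch]$Fix                               # without -Fix the script only reports
)

$full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$inh   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop  = [System.Security.AccessControl.PropagationFlags]::None
$allow = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $user = "$Domain\$($dir.Name)"   # assumption: folder name equals the account name
    $acl  = Get-Acl -LiteralPath $dir.FullName

    # Audit: any ACE for Domain Users or Everyone means the folder is still over-shared.
    $broad = $acl.Access | Where-Object {
        $_.IdentityReference -like '*\Domain Users' -or $_.IdentityReference -eq 'Everyone' }
    if ($broad) { Write-Output "OVER-SHARED: $($dir.FullName) grants $($broad.IdentityReference -join ', ')" }
    if (-not $Fix) { continue }

    # Clear the "Inherit permissions" checkbox and drop the inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every remaining explicit ACE, then grant only the user and Administrators.
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    foreach ($id in @($user, 'BUILTIN\Administrators')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $full, $inh, $prop, $allow)
        $acl.AddAccessRule($rule)
    }
    $acl.SetOwner([System.Security.Principal.NTAccount]$user)
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl

    # "Replace permissions" on children: strip explicit ACEs, re-enable inheritance, set owner.
    Get-ChildItem -LiteralPath $dir.FullName -Recurse -Force | ForEach-Object {
        $child = Get-Acl -LiteralPath $_.FullName
        $child.SetAccessRuleProtection($false, $false)
        foreach ($ace in @($child.Access | Where-Object { -not $_.IsInherited })) {
            [void]$child.RemoveAccessRule($ace)
        }
        $child.SetOwner([System.Security.Principal.NTAccount]$user)
        Set-Acl -LiteralPath $_.FullName -AclObject $child
    }
}
```

Run it once without -Fix against a copy of the share, as Paul suggests, to confirm the audit lines name only the folders you expect before applying the change.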

Author

Commented:
paulmacd - NEVERMIND! as much as I hate to admit it, I typed in the UNC for the server the folders used to be on. TGIF!

Shift-3 - thanks for posting that script. I may use it depending on how tired I get doing them individually this evening.