Solved

Setting up restricted folders in Win 2008 Server

Posted on 2010-08-19
5
604 Views
Last Modified: 2013-12-04
Folks,

I have a generic share on Win2008 server where all users save documents that they would like backed up every night. In one of the folders on that share, I would like to restrict it so that only 3 users have the ability to see/change any of the items in that folder (HR stuff).

How do I set this up? I thought it should be obvious, but there is sharing AND security, and the security seems to not let me revoke permissions to the whole AD user group ("Users") and grant permissions to the 3 who need access to it.

In other words:

G drive is shared with all authenticated AD users.
    inside the G drive, I have a Human Resources folder. I only want the HR director, the owner, and the admin to have access to this folder.

How do I do this?

Thanks!

Brian
0
Comment
Question by:tinklerb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 33477889
For simplicity's sake it may be better to set up a new directory ( not inside the one you have ) and do permission from scratch, as well as have your backup system make sure it is backed up seperately.

Other option is to turn off inherited permissions and do it inside the present share


0
 
LVL 41

Accepted Solution

by:
Adam Brown earned 250 total points
ID: 33477908
Right click on the folder and select properties. Click the security tab, then click advanced. Click change permissions, then remove the check mark from the "Include inheritable permissions from this object's parent" box. Click apply. A box will come up telling you if you proceed that inheritable permissions will no longer propagate. Click the Remove button and that will clear all the inherited permissions on the folder. Once that's done, add the users/groups that you want to allow access to the folder. Do not list the groups that you don't want to have access, and do not use Deny permissions on any groups that the users you want to have access to the folder belong to. Deny permissions will over-ride any allow permissions you have in place.
0
 
LVL 6

Expert Comment

by:nettek0300
ID: 33478070
In addition to the above, if you are using a shared folder, you need to verify that everyone has read/write access to the share.  By default, users will only have read access which will deny them access to actually put a file in the shared folder.  The most restrictive permission wins.  I usually give everyone full control in the share permissions and then restrict it with the NTFS permissions (security tab).
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 33478098
The recommended best practice is to set Share permissions so the Authenticated Users Group (And Domain Computers, if computer accounts need access to the share) has full access to the share. There are some security concerns with setting share permissions to allow Everyone.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question