Improve company productivity with a Business Account.Sign Up

x
?
Solved

SBS 2008 - NTFS Permissions too liberal by default

Posted on 2010-08-27
4
Medium Priority
?
1,056 Views
Last Modified: 2012-05-10
1. The complaint I have seems odd to me but our data drive has default NTFS permissions that allow more access to files and folders that I believe our SBS users should have. We are trying to make sure that only people from the Accounting Security Group can access files inside the Accounting folder but by default, SBS 2008 has applied quite liberal permissions to the root of our drive using the "Users" group, and those permissions are inherited by all subfolders.

I think it's a  simple thing to go into this drive and change these permissions but I'm trying to figure out if Microsoft knows something that I don't about what permissions are likely needed on our shared data drive.

2. There is one more caveat with this "liberal permissions" and I've posted a separate question about that. When a user copies a file or folder into one of these "public shares" they are the owner of the file or folder and it appears I can take ownership of that file or folder but I'm unable to remove the original owner from the permissions. I really don't want the original owner to retain their ownership and custom permissions when they copy a file or folder into a public share. Is there some way to turn this "feature" off?
0
Comment
Question by:HKComputer
  • 2
4 Comments
 
LVL 5

Accepted Solution

by:
piji earned 1000 total points
ID: 33544454
1. You can remove the inheritable permission for any directory that you want and then it will ask you "copy" or "Remove". I suggest you do "copy". Then, leave administrator and system permission and remove users and add what ever group you want to have access and the click on replace the permission to child which spread this permission to all the rest of its child.

2. You can change the ownership of folder as well. You can set it up as administrator.
0
 
LVL 97

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 1000 total points
ID: 33544570
I would suggest that a GROUP folder does NOT belong int the USERS share.  Create a GROUP share.  What I usually do is something like this:

d:\Users
------joe
------mary
------harry
------jill
------etc
d:\Groups
------Accounting
------Sales
------Support
------Marketing
------etc

In the users folders, permissions are set as:
Full Control to:
---User
---Domain Admins
---System

In the groups folders, permissions are set as:
Full Control to:
---Group
---Domain Admins
---System
Read-Only to:
---IF APPLICABLE, other groups
0
 
LVL 4

Author Comment

by:HKComputer
ID: 33544628
leew,

1. Do you use the SBS wizard to get this type of granularity? I'm guessing not. It appears that the wizard, in reality, opens the same NTFS permissions dialogue boxes that you get by going straight to the file system.

2. You didn't mention if you use inherited permissions or not and what permissions are set on the drive at the very root. Your solution looks good to me but I would be interested in knowing whether or not you use inheritance and starting/ending at what level.
0
 
LVL 4

Author Comment

by:HKComputer
ID: 33716569
The solution we settled on is this:

1. At the root of our Data drive we removed all inheritance and set the Administrators group as the owner.
2. We created a data folder and then put departmental folders inside it like Sales, Service, Accounting, Public, etc.
3. In the SBS 2008 console we created groups for our different departments and assigned each user to the correct group(s).
4. All of our departmental folders now have permissions assigned using the groups. Our Administrator account is set as the owner and inheritance for subfolders is enabled.

I think we used a combination of the answers given above but I just wanted to clarify our scheme here in case someone else is trying to figure out a good way to do this.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
There are literally thousands of Exchange recovery applications out there. So how do you end up picking one that’s ideal for your business & purpose? By carefully scouting the product’s features, the benefits it offers you, & reading ample reviews f…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

579 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question