ntran80
asked on
Windows 2008 R2 Share Permission
I have question regarding how to setup share security. Not sure if this is possible, but I need to setup a share folder. Restrict all first level folders ready only, then all sub folders read/write
For example: the share name is Test
In Test I have thousands folders - client1, client2, etc... --> I like this level to be assign read only to domain users
In "client1, client2, etc... " sub folders and files --> I like to allow users pretty much full access rights (read/delete/modified)
I know I can manually go to each client folders and manually change security access, but obviously not possible due to the folders volume.
Thanks in advanced.
For example: the share name is Test
In Test I have thousands folders - client1, client2, etc... --> I like this level to be assign read only to domain users
In "client1, client2, etc... " sub folders and files --> I like to allow users pretty much full access rights (read/delete/modified)
I know I can manually go to each client folders and manually change security access, but obviously not possible due to the folders volume.
Thanks in advanced.
Yes, you can break the inheritance at Top Level folder and let the inheritance flow from 2nd level folder below.
you can use powershell
get-acl and set-acl command to copy similar acl across multiple folders. However you need to use reference folder whose permissions you want to copy
issue this on powershell console to get examples
get-help get-acl -examples
you can use powershell
get-acl and set-acl command to copy similar acl across multiple folders. However you need to use reference folder whose permissions you want to copy
issue this on powershell console to get examples
get-help get-acl -examples
ASKER
V-2NAS - I am not too familar with powershell so I will attempt to set access using Medfly's sugestion.
Medfly: I am confuse. If I set "Read only" at the share level, what do I set in the "Security" tab? (I assume this is what you meant "NTFS"
Medfly: I am confuse. If I set "Read only" at the share level, what do I set in the "Security" tab? (I assume this is what you meant "NTFS"
Hi,
powershell will able to help you perform bulk task in one shot
Let say you have FolderA > FolderB > FolderC
On Folder A u want read access
Share the folder and from security tab give users/group only Read access
Go to Folder B> Security > Advance > uncheck inherit and do copy permission (will get a warning msg)
now add user/group who wants read + write access
if you try to do it with few test folder you will be able to understand this.
powershell will able to help you perform bulk task in one shot
Let say you have FolderA > FolderB > FolderC
On Folder A u want read access
Share the folder and from security tab give users/group only Read access
Go to Folder B> Security > Advance > uncheck inherit and do copy permission (will get a warning msg)
now add user/group who wants read + write access
if you try to do it with few test folder you will be able to understand this.
If you set 'Read Only' on the share, then that's all anyone will be able to do. Just read the files, they won't be able to modify or add files or folders.
Instead.. set the Share permission to Full Control for Everyone, then go to the Security Tab and set the individual or Group permissions you would like to enforce.
Based on your initial post, you don't want users to be able to add or delete from the Root of the share... in this case... your TEST folder. But you don't mind if they add sub folders or files to any of the client1, client2, etc... folders.
This is easy to do with the security tab..
Open the security tab of the TEST folder,
Ensure you have Administrators Full Control in there.
Click Edit and then Add the 'Authenticate Users' group and give them Modify Rights.
After you click OK and Apply you should be back at the Main Security Tab...
Now Select the Advanced button.
Then Edit.
Highlight the Authenticated users you just added and select Edit again.
You should see an option for APPLY TO:
Change it to Subfolder and Files only .
That should lock it down the way you described.
Instead.. set the Share permission to Full Control for Everyone, then go to the Security Tab and set the individual or Group permissions you would like to enforce.
Based on your initial post, you don't want users to be able to add or delete from the Root of the share... in this case... your TEST folder. But you don't mind if they add sub folders or files to any of the client1, client2, etc... folders.
This is easy to do with the security tab..
Open the security tab of the TEST folder,
Ensure you have Administrators Full Control in there.
Click Edit and then Add the 'Authenticate Users' group and give them Modify Rights.
After you click OK and Apply you should be back at the Main Security Tab...
Now Select the Advanced button.
Then Edit.
Highlight the Authenticated users you just added and select Edit again.
You should see an option for APPLY TO:
Change it to Subfolder and Files only .
That should lock it down the way you described.
ASKER
Medfly, we are almost there, but I think I missed "spoke"
In the share folder Test, I have thousands folders i.e.. Client1, Client2, Client3...
What I like to happen is "Read only" at Client1, client2, client3... folder level.
There are sub folders and files in each of the client1, client2, client3.. that I want domain users to be able to have full control.
I tried play around with security settings, but somehow can't locked down the clientxxx level.
Thanks again.
In the share folder Test, I have thousands folders i.e.. Client1, Client2, Client3...
What I like to happen is "Read only" at Client1, client2, client3... folder level.
There are sub folders and files in each of the client1, client2, client3.. that I want domain users to be able to have full control.
I tried play around with security settings, but somehow can't locked down the clientxxx level.
Thanks again.
Try this then...
Share permissions = Everyone - Full Control
Security TAB of the TEST folder:
Uncheck inheritance - it will ask you to Copy or Remove inherited permissions: Select COPY.
That will leave existing permissions in place.
Then select any User or Group - such as 'Users' 'Creator Owner' and remove them.
Only thing left ...
Administratrators - Full Control - This folder, Subfolders and files
System - Full Control - This folder, Subfolders and files
Authenticated users - Read/Execute - This folder, Subfolders and files
This will allow everyone to access the share, traverse the folders and read / execute content. But will not allow any changes to any folder or files... except for those in the Administrators group.
To grant greater acces to only the subfolders and files you will need to adjust permissions on each Client_X folder so that Authenticated Users can Modify content within each folder. Since you have thousands of Client folders, you will need to use a tool such as ICACLS or XCACLS to automate this task.
http://support.microsoft.com/kb/919240
http://support.microsoft.com/kb/825751
From the server hosting the share:
run this from the command prompt (F:\test\*) should be the the drive and folder name you are using.
icacls f:\test\* /grant "Authenticated Users":(OI)(CI)M
This will Grant the ability for Auhenticated Users to modify content of all your Client_X folders bt leave the restrictions set first ..in place. I believe this should give you what you are looking for.
If you still feel Full Control is necessay, then just change the M to an F in the command line above.
Share permissions = Everyone - Full Control
Security TAB of the TEST folder:
Uncheck inheritance - it will ask you to Copy or Remove inherited permissions: Select COPY.
That will leave existing permissions in place.
Then select any User or Group - such as 'Users' 'Creator Owner' and remove them.
Only thing left ...
Administratrators - Full Control - This folder, Subfolders and files
System - Full Control - This folder, Subfolders and files
Authenticated users - Read/Execute - This folder, Subfolders and files
This will allow everyone to access the share, traverse the folders and read / execute content. But will not allow any changes to any folder or files... except for those in the Administrators group.
To grant greater acces to only the subfolders and files you will need to adjust permissions on each Client_X folder so that Authenticated Users can Modify content within each folder. Since you have thousands of Client folders, you will need to use a tool such as ICACLS or XCACLS to automate this task.
http://support.microsoft.com/kb/919240
http://support.microsoft.com/kb/825751
From the server hosting the share:
run this from the command prompt (F:\test\*) should be the the drive and folder name you are using.
icacls f:\test\* /grant "Authenticated Users":(OI)(CI)M
This will Grant the ability for Auhenticated Users to modify content of all your Client_X folders bt leave the restrictions set first ..in place. I believe this should give you what you are looking for.
If you still feel Full Control is necessay, then just change the M to an F in the command line above.
Hi,
Do this Properties of Client1, security , advance, remove inheritance first.
Warning message will come, copy the permission, click ok
now go to security, remove the users/groups, now only add those user/groups you want to have read permission, you can use deny permission on set of user/groups but be very careful doing so, deny permission will take precedence over allow
now you need to brk inheritance on subfolder/files do the same think as above, give desired write permissions.
You are done.
Do this Properties of Client1, security , advance, remove inheritance first.
Warning message will come, copy the permission, click ok
now go to security, remove the users/groups, now only add those user/groups you want to have read permission, you can use deny permission on set of user/groups but be very careful doing so, deny permission will take precedence over allow
now you need to brk inheritance on subfolder/files do the same think as above, give desired write permissions.
You are done.
Sorry ...
this is the correct command:
icacls f:\test\* /grant "Authenticated Users":(OI)(CI)(IO)M
This one only applies the permissions to the child objects of the Client_X folders... the first one pinned them to the Client folders and would allow users to delete a Client_X folder. (I am assuming that all subfolders and files are inheriting permissions from the parent. This is why I've recommended the course of action described. It minimizes the number of permission changes that need to be made while still leveraging the existing inheritance.
I would refrain from using explicit DENY permissions if at all possible. It will save you some headaches down the road.
Let us know how it goes.
this is the correct command:
icacls f:\test\* /grant "Authenticated Users":(OI)(CI)(IO)M
This one only applies the permissions to the child objects of the Client_X folders... the first one pinned them to the Client folders and would allow users to delete a Client_X folder. (I am assuming that all subfolders and files are inheriting permissions from the parent. This is why I've recommended the course of action described. It minimizes the number of permission changes that need to be made while still leveraging the existing inheritance.
I would refrain from using explicit DENY permissions if at all possible. It will save you some headaches down the road.
Let us know how it goes.
ASKER
Medfly, thank you for all your time walking me thru these process. I will give it a try tonight.
I was thinking about another option. Is it possible to allow domain users to make changes (add/edit/modify) to client1,client2, client3... and its sub folders/files but NO DELETE at any level?
I was thinking about another option. Is it possible to allow domain users to make changes (add/edit/modify) to client1,client2, client3... and its sub folders/files but NO DELETE at any level?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank You!!!
My pleasre... Good luck!
ASKER
Medfly, sorry - I spoke with my boss. He wants to keep everything simple. Here is what we like to get accomplish:
Share name: Test
All folders: client1,client2,client3 and sub folders/files ... -> give domain users create/read/write/modify but remove delete
(I know in order to be able to rename, they need delete access so there is no rename)
This is what I did and somehow it's not working:
Open the security tab of the TEST folder,
Ensure you have Administrators Full Control in there.
Click Edit and then Add the 'Authenticate Users' group and give them Modify Rights.
After you click OK and Apply you should be back at the Main Security Tab...
Now Select the Advanced button.
Then Edit.
Highlight the Authenticated users you just added and select Edit again.
You should see an option for APPLY TO:
Change it to Subfolder and Files only .
I thought "most restriction wins" but the authencate users group is still able to delete.
Share name: Test
All folders: client1,client2,client3 and sub folders/files ... -> give domain users create/read/write/modify but remove delete
(I know in order to be able to rename, they need delete access so there is no rename)
This is what I did and somehow it's not working:
Open the security tab of the TEST folder,
Ensure you have Administrators Full Control in there.
Click Edit and then Add the 'Authenticate Users' group and give them Modify Rights.
After you click OK and Apply you should be back at the Main Security Tab...
Now Select the Advanced button.
Then Edit.
Highlight the Authenticated users you just added and select Edit again.
You should see an option for APPLY TO:
Change it to Subfolder and Files only .
I thought "most restriction wins" but the authencate users group is still able to delete.
ASKER
Medfly, I went to Security tab and set deny to "delete" and that did it.
Thanks
Thanks
Most restrictive applies when there is a conflict between SHARE perissions and NTFS (Security Tab) permissions. (That's why I recommended you set the Share permissions to Everyone Full Control and use the Security tab to define who can do what.)
In the case of conflicting NTFS permissons, they are cumulative. So in essense, least restrictive wins... unless you use and explicit DENY... like you did with Deny Delete... that takes precedence.
Cheers!
In the case of conflicting NTFS permissons, they are cumulative. So in essense, least restrictive wins... unless you use and explicit DENY... like you did with Deny Delete... that takes precedence.
Cheers!
ASKER
Yes. That seems to be the case.
Thanks.
Thanks.
If you put Read only on the Share, then that will be the highest level of permissions anyone will get on any subfolder in the share.
Share vs NTFS permissions (most restrictive wins).