Solved

Folder / File Permission settings - SBS2008

Posted on 2011-02-25
2
535 Views
Last Modified: 2012-05-11
Hello,

i have a rather simple question regarding assigning Sharing and Security permissions. Here is the scenario:

I have a main folder on the server drive, let call it:  WORK, 5 user need access to this folder including all sub folders and files in it.

Two of the user should be able to do anything they want, delete, change, create, etc.
The other three user should only be able to do changes on files within the folder, they should not be able to move or delete any files or sub folders within the WORK folder.

One of the user keep trying to create shortcuts of files withing the share and keeps moving them to his local machine. I am sure you guys know what i am talking about.

Thanks for your help!


0
Comment
Question by:Martin Gerlach
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 15

Accepted Solution

by:
markdmac earned 250 total points
ID: 34986733
Use groups to set permissions. Create groups, one for full control and the other for restricted access.

Modify the NTFS permissions of the folder by assigning the groups. Use the advanced settings to get granular.

You will not be able to do all that you are asking. A deletion is nothing more than a modify. So the restricted group can be given the right to create new files, but giving them modify will also let them move and delete.

Make sure you have ShadowCopy enabled so you can quickly revert the folder to a previous state if necessary.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 250 total points
ID: 34990386
Ideally, the users are grouped into their work and privilege workgroup in AD hence the security can be applied as a group and ease the management (esp if user will to leave the organisation and the folder is EFS protected). But if the folder is temporary, and user access is only a small group and you intent to go granular per user basic, go for user names instead of group - but advisable not since it cannot be scalable for administration.

For the 2 users, give Full Control  
For the other 3 users, give Write, which is same as Read, plus the ability to change file content and attributes

If you want to go into granularity, it is under the special permission. But if to prevent copy (with still the given "Write" permission), it is not possible using only NTFS permission. But you can check out this link - http://www.instantfundas.com/2009/04/how-to-prevent-file-copying-deletion.html

Other note for considerations
- suggest turning on audit setting (object access) -  http://support.microsoft.com/kb/310399. There is equivalent at group policy level. In the event of breach, this may come in handy
- also if the permission is ported from NTFS to FAT the permission would break
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Email attacks are the most common methods for initiating ransomware and phishing scams. Attackers want you to open an infected attachment or click a malicious link, and unwittingly download malware to your machine. Here are 7 ways you can stay safe.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question