Permissions on shares

Hi all,

I'm having some issues granting permissions to a share and can't figure out what is going on.

Windows SBS 2003 by the way.

I created a share on this box, granted access to those who needed it.  Those all need "Full Control".  Although I have selected this in every way I can find, there are still issues.

For example one user can create a folder within the share, the properties says she "Owns" it but when you look at permissions for her, there are none.  This is immediately after creating the folder within the share.  

Then others have had issues where they can get to the share, a folder within the share, a file within that but can't open the file.

Could any of this be due to not correctly setting permissions to begin with, then the first user creating folders within the share before those permissions were properly set?

I guess what I am asking is this.  When creating a share and allowing only certain users to access it, what default setting would allow everyone I give access to that share "Full Control"?

It's like some can get part way through the share while others can get all the way.  Then the person who created the folder within the share doesn't have access by default for some reason.

macwalker1Asked:
 
Glen KnightCommented:
>>On the "Share" part of this I have it set to "Full Control" for the administrator and all three users that need full control

Nope, give Administrators or Domain Admins full control and then give Everyone or Authenticated users (whichever you prefer) Change.

Then on NTFS apply Domain Admins = Full and then the users you want to have access give them the rights you want to give them ;)

The most restrictive combination will always win.  That's why I open it all up with shares and then lock it back down with NTFS.
0
 
4runnerfunCommented:
Are you setting just NTFS permissions or Share Permissions or Both? For a share, you should do both.
0
 
Justin OwensITIL Problem ManagerCommented:
Remember that Share permissions do not always match NTFS permissions.  Are you granting permissions from the Share tab or from the Security tab?  Most Admins will go with Authenticated Users Full on the Share and then define NTFS in a more granular fashion.

DrUltima
0

 
macwalker1Author Commented:
Both.  It's driving me nuts.  I'll get a screen shot if that will help.
0
 
it_saigeDeveloperCommented:
Share permissions and File/Folder permissions are two different animals.  For share permissions, you should give Full Control to All Users, regardless of whether they need access to the share or not.  Then at the File/Folder level you should set the permissions so that users have the appropriate permissions.  I usually recommend using groups as opposed to user specific security permissions as it makes it easier to manage the permissions.  Also, one thing to remember is that as you add security permissions for users (into groups or onto folders/files) those users will need to logout and log back in so that their security token is regenerated to include the new access provided.

HTH,

-saige-
0
 
Justin OwensITIL Problem ManagerCommented:
I respectfully disagree with 4runnerfun.  Setting permissions at both the Share and NTFS level frequently has unintended consequences.  Choose one or the other.  Because NTFS is much more versatile, open up Share level permissions (and I choose generally Authenticated Users rather than Everyone, as saige suggests) and use NTFS to control who gets what...

DrUltima
0
 
Glen KnightCommented:
OK, I think you may be confusing Share Permissions and NTFS (security tab) permissions.

I generally apply Everyone Change as share permission and then use NTFS to grant access to the actual files/folders.
0
 
macwalker1Author Commented:
Ok hang on just a second.  

On the "Share" part of this I have it set to "Full Control" for the administrator and all three users that need full control.

On the "Security" tab all is the same.  

Does "inheritable permissions" apply here?
0
 
Glen KnightCommented:
Think of it like this.

You give everyone access to a museum (share permissions) and then you lock the doors they are not allowed in to (NTFS) or give them the keys (NTFS) to the rooms.
0
 
Justin OwensITIL Problem ManagerCommented:
As a point of clarification....

Domain Admins SHOULD be a member of the local Administrators group on a Member Server.  Because of this, I generally recommend using the local Administrators group have Full control on the NTFS perms rather than specifying Domain Admins....  Inheritance should take care of that for you, but if not done this way, you may not have access to it if it loses connectivity with the domain for some reason.

Other than that, I agree with my esteemed colleague, demazter...

DrUltima
0
 
Glen KnightCommented:

Absolutely agree with DrUltima, the only thing I would say is that SBS is a domain controller, so no local administrators ;)
0
 
macwalker1Author Commented:
Ok I have applied all your suggestions, now the users need to log off and back on for this to take effect?
0
 
Glen KnightCommented:
they shouldn't do in theory, but if it's not working then yes that's the first step to take.
0
 
macwalker1Author Commented:
Ok I'm having them do that now.  Ha...forgot to tell them I was in the middle of all this....just got a call: "Hey I'm having problems with my signatures folder!"  lol  Guess I should have told them I was workin'!
0
 
Justin OwensITIL Problem ManagerCommented:
Depends on the client.... New Windows OS will authenticate each time a resource is accessed.  Older ones (Windows XP and older) tend to do an initial handshake with a resource and not let go.  More often than not, they will require a log out/log on.

Forgot it was SBS.  Scratch my comment http:#a35020747, unless dealing with Standard or Enterprise... :)

DrUltima
0
 
Glen KnightCommented:
Yeah, that will do it ;) communication is key when making changes :D
0
 
macwalker1Author Commented:
Well guys that was a big flop.  One user can get into the folder but can't do anything once she gets there and the other can't even access it:  ACCESS DENIED!
0
 
Glen KnightCommented:
OK, you want to post a screenshot of what you have setup??  Both Share and NTFS tab please.
0
 
macwalker1Author Commented:
0
 
Glen KnightCommented:
On the Share tab if you highlight Authenticated Users and Everyone what check boxes do you have?
0
 
macwalker1Author Commented:
0
 
Justin OwensITIL Problem ManagerCommented:
Change the Deny to Allow...

In other words, UNCHECK Deny and CHECK Allow....
0
 
macwalker1Author Commented:
When I selected "Change" it selected "Read" in the deny column as well.
0
 
Glen KnightCommented:
There is your problem, they are in the deny box, they need to be in the allow or they won't get access.

Deny ALWAYS wins.
0
 
macwalker1Author Commented:
Both?
0
 
macwalker1Author Commented:
Ok I misunderstood the earlier post.  That didn't make sense to me. lol
0
 
Justin OwensITIL Problem ManagerCommented:
Yes, for both... Never Deny from SHARE permissions.
0
 
Glen KnightCommented:
Doesn't matter what you do if you set DENY it always wins.
0
 
macwalker1Author Commented:
Yeah so I see. lol.  When I read the part way at the first about "Change" etc I clearly muffed that up.

Now should anything about inheritable permissions be messed with?

FYI the users are telling me they are good now.
0
 
Glen KnightCommented:
Inheritable permissions are only really valid if you turn inheritance off or remove the inherited permissions that are already there, by default the permissions cascade down the tree.
0
 
macwalker1Author Commented:
I'm sorry but that can be so freakin' confusing.  I just wanted these three people to be able to read, write, change etc.  Just those three freakin' people.  

So to recap, give "Everyone" access to the share, then decide who gets what on the "Securities" part of it all?
0
 
Glen KnightCommented:
That looks perfect :)
0
 
macwalker1Author Commented:
Ok guys I appreciate it.  Sorry you guys with real IT degrees and oodles of "sperience" have to lug we hangers on around.  I kinda "fell" into this so I'm trying to make a career out of it!  I don't really have time to go to school full time with a family now.

Why didn't someone tell me about this BEFORE I had kids! I could be making the big bucks like you guys!  At least minimum wage!

I could keep you guys busy by myself let alone the other million folks on here.
0
 
Glen KnightCommented:
We are here to help, and enjoy these types of threads so don't worry about that.

There are some amazing people on these forums and you can get pretty much any question you like answered.

It's a great way to learn.
0
 
Justin OwensITIL Problem ManagerCommented:
Hey... For what it is worth, my degree is Music Education and working on a masters in Pastoral Counseling....  Should give you hope on being able to learn this stuff.  And, like dematzer said, if you struggle, just ask around...  Chances are that someone else has dealt with it before.

DrUltima
0
 
macwalker1Author Commented:
I second that.  I can learn a ton just by poking around but when there's so many folks been there before I don't see a point in banging my head against a wall too long.  I love to figure something out but man there's some things that you just have to know the base things before you can do the others.

Feels like Algebra....10th grade..."F"....after making a "B" I never knew what I missed but it was certainly "key" lol.  

So I'm applying what I have learned here to another share that I just created with an Excel file in it that 5 people need to access, add to and change etc.  So all that I  learned here should apply there as well, correct?
0
 
macwalker1Author Commented:
Ohh by the way, does the "owner" of the object matter here?  If user one creates a folder within this share, does everyone else automatically have the permission needed here?  Or does she have to create the folder then give permissions?
0
 
Glen KnightCommented:
yes it should, with the exception........

Me, personally, and DrU may or may not agree....

Create one share and give everyone access to it, don't create any security permissions.

Then create folders under that shared folder and apply the appropriate NTFS permissions there.

This way you only have one share, or as I like to refer to it, a single point of entry.

And you can say, "oh yeah, go to the J Drive and then such and such a folder"
it's always the J Drive, it's not a different share for each resource.

Makes it much tidier and easier to manage.  Plus if you look at museums, they only have one front door, there's a reason for that ;)
0
 
Justin OwensITIL Problem ManagerCommented:
Sounds good... I will say this, and it was mentioned earlier by it_saige, the more you do this, the more you will find value in creating groups and managing permissions that way.  If a user needs access to that Excel file in the future, all you have to do is add them to that group, rather than go in and modify the permissions again.  If they change jobs and should not have access to that Excel file, then you just remove them from the group, rather than going in and changing permissions.  It is easier to maintain group memberships, normally, than it is to maintain multiple permission sets for shares.

DrUltima
0
 
Glen KnightCommented:
The OWNER permission only really comes in to effect if you have CREATOR OWNER type drop boxes where only the person who DROPS the file can see/read/change it.
0
 
Justin OwensITIL Problem ManagerCommented:
In a small environment, I agree with the single share approach, and since SBS is almost always a small environment, I will agree here. :)
0
 
it_saigeDeveloperCommented:
Also remember (I sorta skimmed once I saw this no-no).  Denying a permission takes precedence over allowing a permission.  

In this sense, denying says "no, never, always" no matter how much you say "yes, do it now, always".  If you simply leave a permission (whether a share/NTFS/AD, etc.) unchecked, the system just simply says you don't have access to this, but if you deny a permission, that permission is denied by way of your inheritance structure, even if you explicitly say to allow it later on in the share/NTFS/AD structure.

As dmazter stated earlier (which I really liked his analogy).  You set All Users/Authenticated Users/Everyone with (Full Share Access or Change Access) to let them in the door of the museum.  But then use NTFS to decide what doors in the museum are accessible - i.e.:
Bathrooms [NTFS <Everyone - Full Control>]
Archives [NTFS <Everyone - No Control (not denied)>, <Archive Group - Full Control>]
Exhibit 1 [NTFS <Everyone - Read Access>, <School Group - Modify Access>, <Exhibit Maintenance Group - Full Control>]

HTH,

-saige-
0
 
macwalker1Author Commented:
There's hope then if you're coming from the Pastoral Counseling angle.  I have an Assoc. Degree in Arts...yep I was going to be a "Rock Star" artist of some kind.  Man I didn't even own a computer in '95 when I got that degree!  

The groups thing has always puzzled me.  I can see it in theory but the last time I did a group thing I applied it domain wide and screwed all kinds of stuff up that even the admin couldn't fix at first!
0
 
Glen KnightCommented:
Groups work in the same way as permissions.

If you look back at the Museum analogy.

You have Curators, Security, Visitors

Curators always get the same set of keys
Security always get the same set of keys
Visitors always get the same set of keys

Then you just tell the system what those keys can get in to ;)
0
 
Glen KnightCommented:
Forgot to say that if a Curator changes their job to a security guard for a week then you can either add them to both groups to give them access to the combined rooms or move them from the curators group to the security group to give them only access to the security guards rooms.
0
 
macwalker1Author Commented:
That analogy was great.  It really helped me understand the "flow" of it all.  I'm always wary here that something that was done before I came on the scene is undoing or affecting something I am doing now.

That analogy is somewhat like the one I used with the mgr here about how doing anything other than a full back up meant that at some point you had to have a full to apply the diff or incremental to.  

The only way I could get them to understand is by saying the full was like having the whole house,  the diff was like making a copy of the top floor at a certain point in time.  That top half didn't do you any good if you didn't have the bottom half to stick the top onto if the top half got knocked off at some point.  Not as eloquent as the museum analogy but it got the point through to the mgmnt. lol
0
 
macwalker1Author Commented:
What is the most effective approach to take in creating a "Group Policy" in SBS?  For instance if I wanted to create a "Group" that has access to the Excel file I mentioned earlier, how would I best accomplish that?  I have those 5 people that need to access, read, write, change, save and all such as that.
0
 
Glen KnightCommented:
>>The only way I could get them to understand is by saying the full was like having the whole house

You can actually use the museum here too.

Imagine, you have an empty museum on Monday, you've loaned all the art out, so you take a backup.

On Wednesday you take a differential backup after a delivery of some famous artifacts.

The museum burns down on Thursday, to get it back you have to rebuild the museum with Monday's full backup then apply Wednesdays differential backup, you won't get all the artifacts back unless you apply both.  And the artifacts will have nowhere to go if you don't apply Mondays backup first.
0
 
Glen KnightCommented:
I am not sure you mean Group Policy here?  What exactly are you referring to when you say "Group Policy"?
0
 
macwalker1Author Commented:
Sorry DrUltima.  Will do.  

damazler and all else thanks for your help.  I'll award and close.
0
 
Justin OwensITIL Problem ManagerCommented:
You create a group called "ExcelFileAccess" or something which matches your own naming convention.  You add those five members to the group from ADUC (Active Directory Users and Computers).  You give that group, rather than the five individuals, the access to the Excel file.  It is an extra step in the setup (creating the group and adding the members), but in the long run it should be easier to maintain.  To use the Museum analogy...

You have a new wing of Modern Art (the file)...  You create a new key for that wing (the group).  You give the key to your five modern art admins (the members of the group).  Now, instead of changing the lock to the exhibit when Bob switches from Modern Art to Cave Drawings, all you do is take his key (remove him from the group).
0
 
Glen KnightCommented:
ahem.......SBS......Please use the wizards to create Groups and Users........
0
 
Justin OwensITIL Problem ManagerCommented:
Disregard my comment about closing due to group policy... Group Policy is actually a different technology in Active Directory, and I jumped there when I should not have.  Once I re-read your question and realized you were talking about share permissions, I deleted the admin comment.

DrUltima
0
 
macwalker1Author Commented:
DrUltima where can i move this part to?
0
 
Glen KnightCommented:
you can carry on here if you wish, myself and DrUltima will be sticking around ;)

Once it deviates too far away from the original question one or both of us will hint that a new question needs to be opened ;)
0
 
Justin OwensITIL Problem ManagerCommented:
"DrUltima where can i move this part to?"

I am not sure I understand what you are asking.
0
 
macwalker1Author Commented:
well I just want to follow the rules here. Thanks for understanding.

 I'm creating that group now.  ADUC>Right Click>New Group> then "Group Scope" "Group Type" and what should those settings be?
0
 
Justin OwensITIL Problem ManagerCommented:
Global Security

My memory is not good enough to tell you how to do it from the SBS Wizard, and demazter reminded me.... :)

DrUltima
0
 
Glen KnightCommented:
Ahem! Use the Server Manager wizards to create the groups!
0
 
macwalker1Author Commented:
Then I want to add the members to the group through the "Properties" tab, correct?
0
 
Glen KnightCommented:
correct, under Members.
0
 
macwalker1Author Commented:
The who manager?
0
 
Glen KnightCommented:
Server Manager (Should be on the top of the Start button menu)
0
 
macwalker1Author Commented:
Ok got my members in there and there are several other tabs to choose from.  Security tab next?
0
 
it_saigeDeveloperCommented:
The Scope determines where in the AD tree you want this group to be accessible:

http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx

Type signifies whether it will be a Security Group (NTFS) or distribution group (mainly for Exchange):

http://technet.microsoft.com/en-us/library/cc781446(WS.10).aspx

In general, you will want either Global or Domain Local as your scope (Universal would really be used in cases where you deal with multiple AD trees via Trust Relationships and such) and your type set to Security.  Distribution will only be used if you want to create an Exchange Distribution Group.

HTH,

-saige-
0
 
Glen KnightCommented:
you don't need to do anything else with that group.

Make sure it's in the SBS Organisational Unit in Active Directory Users and Computers though MyBusiness > 
Security Groups if you didn't use the wizard.
0
 
it_saigeDeveloperCommented:
Either I'm typing too slow or you guys are just typing too fast...  LOL...  I think I can safely bow out of this question now...

-saige-
0
 
macwalker1Author Commented:
lol i think i'm slow!  

Ok it's in the SBS\MyBusiness\SecurityGroup....now how do I apply that to the "share"  that I want only this group to have access to?
0
 
Glen KnightCommented:
you right click the folder or share and under the security tab add the group  and assign the permissions.
0
 
macwalker1Author Commented:
Ok just like an individual user.  I just did that.  Now I can remove the members that I previously entered individually, correct?  As they are now covered by the "Group".
0
 
Justin OwensITIL Problem ManagerCommented:
You apply the permissions to the shared folder just like you did the other one, only use the group instead of the five individual users' accounts.
0
 
Glen KnightCommented:
correct :)
0
 
Justin OwensITIL Problem ManagerCommented:
Refresh... Sorry.
0
 
it_saigeDeveloperCommented:
You could go through the same process as before when you assigned the users to the resource, via the Security Tab of the resource.  Do not add the group to the Share permissions as those are already set (again it comes down to inheritance).  [The users are members of groups, one of those groups is called Authenticated Users/All Users/Everyone.  One (or all) of these groups are already defined in the current share permissions.]

-saige-
0
 
macwalker1Author Commented:
I think I have the gist of it now.  I am going to remove the individual entries and leave just the group and see if one can access it.
0
 
it_saigeDeveloperCommented:
@demazter - Hey, I'm just here to help, I never try to be a point monger, just try to ensure that the correct information is disseminated.  :)

-saige-
0
 
it_saigeDeveloperCommented:
Don't forget.  If they cannot, have them log out and then log back in, again this is to refresh the security token as their group membership has changed.

-saige-
0
 
it_saigeDeveloperCommented:
@demazter - I took it the way it was intended.  I did indeed take it as a compliment.  Now if only I could get to the point of setting that cool orange color against the heading...  ;)

-saige-
0
 
macwalker1Author Commented:
Ok I realize I've dragged this dog through the mud enough lol.  My last attempt didn't work.  I removed the user individually and they are NOT a member of this new group I created but they can still access the share after a log off.  

I'll keep twiddling with it till I figure it out.  Kudos to all that have went through the mud along with me. lol
0
 
Glen KnightCommented:
they will be able to access the share but they shouldn't be able to access any of the data.  Remember, museum door, office door.
0
 
macwalker1Author Commented:
)(*#(*@*(&$@#*@{#_@  Hang on!
0
 
Glen KnightCommented:
don't leave me here too long.......
 hanging on.
0
 
macwalker1Author Commented:
They can still access the Excel file.  But tell me if this matters...this user is a member of the administrators group, will that play a role in this given domain admins etc earlier, last WEEK in this post I gave "domainadmins" "Full Control" on the share?
0
 
macwalker1Author Commented:
LOL LOL LOL  
0
 
Glen KnightCommented:
ahhh.......if they are a member of the Administrators group and you have given administrators full control then they will have access to the files.
0
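Added example (not part of any poster's reply): a simplified Python model of the rules this thread works through, namely share and NTFS rights overlapping, Deny overriding Allow, and group membership (including Administrators) deciding access. The user names and the ACL encoding are constructed for illustration, and the model treats every ACL entry alike rather than reproducing Windows' ordering of explicit and inherited entries.

```python
# Simplified model of effective access to a file reached through a share.
# Assumption: every entry in an ACL is treated alike; Windows also orders
# explicit entries ahead of inherited ones, which is not modelled here.

READ, WRITE, ADMIN = 1, 2, 4      # ADMIN = change permissions / take ownership
CHANGE = READ | WRITE             # share "Change", roughly NTFS "Modify"
FULL = READ | WRITE | ADMIN       # "Full Control"


def acl_rights(acl, token):
    """Rights one ACL gives a token (the set of a user's name and groups).

    acl is a list of (principal, "allow" | "deny", rights) tuples.
    Allows from every matching entry add up; any matching deny removes
    those bits however many allows grant them. No matching entry = nothing.
    """
    allowed = denied = 0
    for principal, kind, rights in acl:
        if principal not in token:
            continue
        if kind == "deny":
            denied |= rights
        else:
            allowed |= rights
    return allowed & ~denied


def effective(token, share_acl, ntfs_acl):
    """Over the network both ACLs apply: the result is their overlap."""
    return acl_rights(share_acl, token) & acl_rights(ntfs_acl, token)


def describe(rights):
    """Human-readable form of a rights mask."""
    pairs = ((READ, "read"), (WRITE, "write"), (ADMIN, "admin"))
    return "+".join(name for bit, name in pairs if rights & bit) or "no access"


# Constructed tokens; the user names are hypothetical.
VISITOR = {"visitor1", "Everyone"}
ARCHIVIST = {"archivist1", "Everyone", "Archive Group"}
TEACHER = {"teacher1", "Everyone", "School Group"}
OFFICE_ADMIN = {"boss1", "Everyone", "Administrators"}  # not in ExcelFileAccess

# One open front door, as recommended in the thread.
SHARE_OPEN = [("Administrators", "allow", FULL), ("Everyone", "allow", CHANGE)]
# The misconfiguration found in the thread: Read ticked in the Deny column.
SHARE_DENY_READ = [("Everyone", "allow", CHANGE), ("Everyone", "deny", READ)]

# NTFS ACLs: the museum rooms from the thread, plus the Excel file.
NTFS = {
    "Bathrooms": [("Everyone", "allow", FULL)],
    "Archives": [("Archive Group", "allow", FULL)],  # Everyone: no entry
    "Exhibit 1": [
        ("Everyone", "allow", READ),
        ("School Group", "allow", CHANGE),
        ("Exhibit Maintenance Group", "allow", FULL),
    ],
    "Excel file": [
        ("Administrators", "allow", FULL),
        ("ExcelFileAccess", "allow", CHANGE),
    ],
}

if __name__ == "__main__":
    cases = [
        ("visitor, Archives", VISITOR, SHARE_OPEN, "Archives"),
        ("archivist, Archives", ARCHIVIST, SHARE_OPEN, "Archives"),
        ("teacher, Exhibit 1", TEACHER, SHARE_OPEN, "Exhibit 1"),
        ("archivist, Bathrooms, deny on share", ARCHIVIST, SHARE_DENY_READ, "Bathrooms"),
        ("admin outside the group, Excel file", OFFICE_ADMIN, SHARE_OPEN, "Excel file"),
    ]
    for label, token, share, room in cases:
        print(f"{label}: {describe(effective(token, share, NTFS[room]))}")
```

The archivist holds Full Control on the Archives in NTFS but ends up with Change, because the share only grants Change to Everyone.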
 
macwalker1Author Commented:
Ok..see how I can complicate the foooool out of something!?  I need to have someone that isn't a member of the admin group to try this.  
0
 
macwalker1Author Commented:
DONE DONE DONE DONE.  
I got it.  That user being a member of the admin group threw me.


Thanks guys.  I will be back at some point with another episode of "Complicate This" (How to complicate MS even more).  lol

Have a great evening guys and hope to poke your 6 figure brains again soon!  lol

0
 
macwalker1Author Commented:
I know this is closed but I've got an issue, please help!!!!!!!

Came in the office this morning only to find that the main primary user can access all the folders but many of the files within those folders he is "Denied Access" as the pop up says.

I've checked the properties and it says he has full control even on the file he's trying to open.  He's a member of the administrators group as well, the new group you guys helped me create yesterday etc.  He's the ONLY one having an issue.  He's rebooted the workstation he's on.  

He's getting REALLY MAD can someone help me out here?  I can't figure this out for the life of me.  Everything matches up with others that have no issues.
0
 
Justin OwensITIL Problem ManagerCommented:
OK...

1) Make sure you don't have any explicit DENYs, either in the SHARE or the NTFS permissions.  Deny ALWAYS wins over Grant, so even if an Admin, if he is in some group that is Denied, he will be Denied.

2) Make sure permission inheritance is working correctly.

If you could, please post a screencast (link below) of you going through:

1) Your user's group memberships
2) Your file folder's share permissions (all of them)
3) Your file folder's NTFS permissions (all of them)
4) The individual file's NTFS permissions (all of them)

If you can't do a screencast (video of your onscreen actions), then provide pictures of each of what was requested above.

DrUltima

PS, this is probably worth opening a new Question, but until you can do so, I will continue to monitor here.  I am going to be tied up all afternoon, though, so a new question which is not closed will generate more Expert traffic than this one. -DrU
0
 
macwalker1Author Commented:
DrU

Thanks I'll work on this.  What I just did was checked the box "Replace the permission entries on all child objects with entries shown here that apply to child objects."  

Although this didn't "stick", meaning the box isn't checked, it appears to have affected the situation.  When I checked that box a smaller box popped up that seemed as if it were processing something....I had to click twice in that box as it prompted that I had to in order to continue.  It was so fast that I don't know what it said.  But it seems he can open everything he needs to now.

As for "Deny", there's not one "Deny" box checked either on Share or NTFS.  He's a member of the admin group as well.

Could there be any issue with a file being created and placed in this file BEFORE I got all this done in a more appropriate fashion that caused him this issue?

The reason I ask this is that he's not creating these Word Docs, two transcriptionists are doing it.  When I found one that he couldn't open the properties only had "administrator" as having access.  No one else.  On that single file.  Once I added him individually to just that file he couldn't open, he could open it.  

It's like when the file was created, that the person creating it by default only allowed access to the admin and no one else.  Still perplexing though, as he's a member of the admin group.  He's the owner for Pete's sake!

DrU do you have a suggestion for the best way to create the screencast?  I've only needed to do this once and don't remember what I used.

Thanks again for all the help.

=Mac
0
 
Justin OwensITIL Problem ManagerCommented:
If you have it resolved, there is no need for the screencast.... Replacing sub-folder and file inheritance should have resolved your problem.  You were probably being prompted to take ownership of a file so that you could modify its permissions.

Again, I suggest opening a new Related Question to further dive into proper file and folder permissions, inheritance, and scripts which can be implemented to correct actions such as files being placed with incorrectly modified permissions.

I will only be available for the next two hours.  After that, I cannot help today.

DrUltima
0
 
macwalker1Author Commented:
Thanks DrU.  I'll open up elsewhere.  At this point it seems to be resolved.  But he is the king of "If it can happen, it will."
0
 
Justin OwensITIL Problem ManagerCommented:
Just checking in... Are things going well for you now?

DrUltima
0
Question has a verified solution.
