Solved

Folder permissions in Win2k8

Posted on 2011-03-07
Last Modified: 2013-12-05
I'm setting up a new file server, and rearranging folder / group permissions as part of the project. My problem is that I want to create a top level folder that has departmental folders in it but I'm having permissions problems.
The top level folder is shared so everyone can map a drive letter to it and see inside it for their respective dept. folder, BUT, I don't want them to be able to add or create anything in this top level folder. Also, I want users to have access to their respective departmental folders below, based on their domain group membership.
This seems like it should be easy, but when I set up the top level share as anything but Full Control (sharing properties, not ACL), no matter what I have set up on the next level folder, the users can no longer have full control in the lower level folders.
I've messed with inheritance issues until I'm blue in the face (!) and can't seem to get it right. Seems like Sharing properties keeps trumping ACL properties. Help!
One last thing, this is a Win2k8 member server on a Win2K based AD domain.
0
Question by:jtdaly
19 Comments
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 125 total points
ID: 35066739
If you want people to have FULL permissions to any of the folders, they need FULL permissions through the share because the most restrictive permissions are enforced. Set the share to have your users have FULL permissions. For the top level folder of the share, give them all READ permissions. Then give each departmental group Modify or Full permissions to their departmental folders. I usually give users only Modify (Change) permissions so that they can't change NTFS file/folder permissions.

In short, it doesn't matter what NTFS permissions you have; if you don't have the permissions at the share level, you don't have the permissions (when working through a share).
0
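The rule in the accepted answer, as an added example that is not part of the original thread: a simplified Python model in which access over the network is the share permission intersected with the NTFS permission. The user `alice`, the `DOM\Sales` and `DOM\HR` groups and the folder names are hypothetical, and only allow entries are modelled (no Deny ACEs, no ownership).

```python
# Added illustration: simplified model of access through an SMB share.
# Allow entries only; Deny ACEs and ownership are not modelled.
READ = frozenset({"list", "read"})
MODIFY = READ | {"write", "create", "delete"}
FULL = MODIFY | {"change_permissions", "take_ownership"}
# Share levels (Read/Change/Full) and NTFS levels (Read/Modify/Full).
LEVELS = {"Read": READ, "Change": MODIFY, "Modify": MODIFY, "Full": FULL}


def granted(acl, principals):
    """Union of rights from every allow entry matching the user or a group."""
    rights = set()
    for principal, level in acl:
        if principal in principals:
            rights |= LEVELS[level]
    return rights


def effective(user, groups, share_acl, ntfs_acl):
    """Rights over the network = share rights intersected with NTFS rights."""
    principals = {user, "Everyone"} | set(groups)
    return granted(share_acl, principals) & granted(ntfs_acl, principals)


# Constructed layout: inheritance is broken on each departmental folder,
# so every folder carries only the entries listed here.
NTFS = {
    "Departments": [("Everyone", "Read")],
    "Departments/Sales": [("DOM\\Sales", "Modify")],
    "Departments/HR": [("DOM\\HR", "Modify")],
}


def report(share_level):
    """Effective rights of a hypothetical Sales user on each folder."""
    share_acl = [("Everyone", share_level)]
    return {path: effective("alice", ["DOM\\Sales"], share_acl, acl)
            for path, acl in NTFS.items()}


if __name__ == "__main__":
    for level in ("Read", "Full"):
        for path, rights in report(level).items():
            print(f"share={level:5} {path:18} {sorted(rights)}")
```

With the share at Read, the Sales user is capped at Read even inside the Sales folder; with the share at Full, the NTFS entries alone decide the outcome.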
 

Author Comment

by:jtdaly
ID: 35072474
Right, I knew about the least permission thing. So... I'll set the share to Everyone has Full Control, and the NTFS rights on the sharing folder will be Everyone has Read rights.
Should I delete and disconnect any inherited rights that the share folder gets from above it? (That may have been one of my issues)

And on the departmental folders, you're suggesting Modify as the right to apply to the group? I'll have to look carefully at the choices, this one doesn't ring a bell.

Will let you know, but if anything I've said is wrong, give a shout.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35072786
If the rights up above are too generous, then yes remove inheritance and set them the way you want them. That wouldn't be your problem though, because inheritance can only give people too much access, it can never reduce access.

The standard compound NTFS rights are Read, Modify, and Full through the GUI.
0
 

Author Comment

by:jtdaly
ID: 35072974
Ok, I think that almost has done it. Those inherited permissions were also giving me fits. On both folders (share folder and dept folder) I edited permissions and deleted inheriting from the parent folder. Then I added, deleted and adjusted as you described.

One catch I'm seeing is that a user that belongs to a department can modify the department folder name. They cannot create any folders or files in the share level folder that holds the departmental folder, but they can modify the dept folder name itself. Not that I expect that to happen (but one never knows!), but do you think there is a way to protect the folder name? I did assign Modify vs Full control for the departmental group users as you suggested, thanks for that tip.

0
 

Author Comment

by:jtdaly
ID: 35073192
Just read your note about inheritance. Yes, that was one of my counter-problems yesterday.. too little or too much. Now it's just about right. Except the folder name thing, which really doesn't matter I don't think.

Next and last step is that I have to create a share that points directly to one or two of the department folders directly. As I think about it, I suppose all I have to do is add a share name with full control for everyone but the underlying ntfs settings will be restrictive enough that only the department group folks will be able to get in.

Let's see how that goes....
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35073713
I suggest that you do all mappings to a domain based DFS root. \\domain.local\dfs\departments\department . You never have to worry about changing file servers, because the path will stay the same as far as clients are concerned.
0
 

Author Comment

by:jtdaly
ID: 35074270
I've heard that before, but I've never gone into DFS much so don't have real world experience with it. We're waiting to migrate from our W2K based domain this year (soon I hope). Will that be necessary in order to take advantage of that type of mapping?
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35076135
I think that it works with Windows 2000 domain controllers. It certainly works with Windows 2003 domain controllers (you need only 1, the other DCs can be W2K (probably))
0

 

Author Comment

by:jtdaly
ID: 35086270
Looks like we've about got it on the file sharing config question. I want to move a few things and then if all is good, I'll confirm with you. Appreciate the help.
By the way, are you particularly savvy with FRS? I have another thing going on with another question out there, and I'm not getting any responses. The problem is evolving, for the better I believe, but I am looking for some assistance in that area too.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35086545
No, I would need to research the FRS. I am ditching it as soon as all of my W2K3R2 DCs are replaced.
0
 

Author Comment

by:jtdaly
ID: 35086641
Ok, well let me get back to you after I've done a little file moving and have verified access rights.
Appreciate your help.

jd
0
 

Author Comment

by:jtdaly
ID: 35201557
Hi kevinhsieh, I've been busy working on getting things set up and moved, and all has gone well, certainly based on your input. One small thing I've noticed that I'd like to ask your thoughts on regarding the sharing / security setting:
If a folder has a user security right that has propagated down from above, or not for that matter, and is in the form of the group "Users (server\users)", that seems to allow any domain user to have access to what we thought was limited to the specific user group that had been assigned to that folder. I was thinking that that group which I just described, only referred to users on the local machine account (hence the servername\users designation, as opposed to domainname\users).

Am I misinterpreting this group's meaning and impact?
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 35397303
Comment http:35066739 by kevinhsieh is the correct answer and should be awarded the points.
0
 

Author Comment

by:jtdaly
ID: 35397886
Sounds good to me. Thanks for the help.
0
 

Author Comment

by:jtdaly
ID: 35397891
I am trying to accept kevinhsieh's solution, but system won't let me. Please process this acceptance.
0
 

Expert Comment

by:Modalot
ID: 35422558
Following an Objection by kevinhsieh, and after Moderator review, there seems to be a better disposition, as recommended by the contributing Expert(s).

Modalot
Community Support Moderator
0
