Folder permissions in Win2k8

I'm setting up a new file server, and rearranging folder / group permissions as part of the project. My problem is that I want to create a top level folder that has departmental folders in it but I'm having permissions problems.
The top level folder is shared so everyone can map a drive letter to it and see inside it for their respective dept. folder, BUT, I don't want them to be able to add or create anything in this top level folder. Also, I want users to have access to their respective departmental folders below, based on their domain group membership.
This seems like it should be easy, but when I set up the top level share as anything but Full Control (sharing properties, not ACL), no matter what I have set up on the next level folder, the users can no longer have full control in the lower level folders.
I've messed with inheritance issues until I'm blue in the face (!) and can't seem to get it right. Seems like Sharing properties keeps trumping ACL properties. Help!
One last thing, this is a Win2k8 member server on a Win2K based AD domain.

Asked by: jtdaly

kevinhsieh Commented:
If you want people to have FULL permissions to any of the folders, they need FULL permissions through the share because the most restrictive permissions are enforced. Set the share to have your users have FULL permissions. For the top level folder of the share, give them all READ permissions. Then give each departmental group Modify or Full permissions to their departmental folders. I usually give users only Modify (Change) permissions so that they can't change NTFS file/folder permissions.

In short, it doesn't matter what NTFS permissions you have; if you don't have the permissions at the share level, you don't have the permissions (when working through a share).
 
jtdaly (Author) Commented:
Right, I knew about the least permission thing. So... I'll set the share to Everyone has Full Control, and the NTFS rights on the sharing folder will be Everyone has Read rights.
Should I delete and disconnect any inherited rights that the share folder gets from above it? (That may have been one of my issues)

And on the departmental folders, you're suggesting Modify as the right to apply to the group? I'll have to look carefully at the choices, this one doesn't ring a bell.

Will let you know, but if anything I've said is wrong, give a shout.
 
kevinhsieh Commented:
If the rights up above are too generous, then yes, remove inheritance and set them the way you want them. That wouldn't be your problem though, because inheritance can only give people too much access; it can never reduce access.

The standard compound NTFS rights are Read, Modify, and Full through the GUI.
 
jtdaly (Author) Commented:
Ok, I think that almost has done it. Those inherited permissions were also giving me fits. On both folders (share folder and dept folder) I edited permissions and deleted inheriting from the parent folder. Then I added, deleted and adjusted as you described.

One catch I'm seeing is that a user that belongs to a department can modify the department folder name. They cannot create any folders or files in the share level folder that holds the departmental folder, but they can modify the dept folder name itself. Not that I expect that to happen (but one never knows!), but do you think there is a way to protect the folder name? I did assign Modify vs Full control for the departmental group users as you suggested, thanks for that tip.

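The layout the answers above arrive at, written out with `net share` and `icacls` as an added example (not part of the original thread). The path `D:\Shares\Departments`, the share name `Departments`, the domain `CORP` and the group `CORP\Sales` are assumed names. It goes one step further than the thread for the rename catch: the department group gets Modify on the folder's contents only, so it holds no Delete right on the department folder itself.

```batch
@echo off
rem Added example, not from the thread. Assumed names: D:\Shares\Departments,
rem share "Departments", domain CORP, department group CORP\Sales.
setlocal
set ROOT=D:\Shares\Departments
set DEPT=%ROOT%\Sales
if not exist "%DEPT%" mkdir "%DEPT%"

rem Share level: Full Control for Everyone, so the share is never the
rem narrower of the two limits. NTFS below does the real restricting.
net share Departments=%ROOT% /GRANT:Everyone,FULL

rem Top-level folder: drop inherited ACEs, then add explicit ones.
rem /inheritance:r also removes any inherited BUILTIN\Users entry; on a
rem domain member the local Users group contains Domain Users.
icacls "%ROOT%" /inheritance:r
icacls "%ROOT%" /grant "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F"
rem No (OI)(CI) flags: read/list applies to this folder only, so users can
rem see the department folders but cannot create anything beside them.
icacls "%ROOT%" /grant "CORP\Domain Users:(RX)"

rem Department folder: same pattern, access limited to the department group.
icacls "%DEPT%" /inheritance:r
icacls "%DEPT%" /grant "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F"
rem ACE 1 (this folder only): read/traverse plus add file (WD) and add
rem subfolder (AD). No Delete right here, and the parent grants no
rem delete-child right, so the group cannot rename or delete the folder.
rem ACE 2 (IO = inherit only): Modify on everything inside the folder.
icacls "%DEPT%" /grant "CORP\Sales:(RD,RA,REA,X,RC,S,WD,AD)" "CORP\Sales:(OI)(CI)(IO)M"

rem Review the result: no BUILTIN\Users or Everyone ACE should be listed.
icacls "%ROOT%"
icacls "%DEPT%"
net share Departments
endlocal
```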
 
jtdaly (Author) Commented:
Just read your note about inheritance. Yes, that was one of my counter-problems yesterday... too little or too much. Now it's just about right. Except the folder name thing, which really doesn't matter I don't think.

Next and last step is that I have to create a share that points directly to one or two of the department folders directly. As I think about it, I suppose all I have to do is add a share name with full control for everyone but the underlying NTFS settings will be restrictive enough that only the department group folks will be able to get in.

Let's see how that goes...
 
kevinhsieh Commented:
I suggest that you do all mappings to a domain-based DFS root: \\domain.local\dfs\departments\department. You never have to worry about changing file servers, because the path will stay the same as far as clients are concerned.
 
jtdaly (Author) Commented:
I've heard that before, but I've never gone into DFS much so don't have real world experience with it. We're waiting to migrate from our W2K based domain this year (soon I hope). Will that be necessary in order to take advantage of that type of mapping?
 
kevinhsieh Commented:
I think that it works with Windows 2000 domain controllers. It certainly works with Windows 2003 domain controllers (you need only 1, the other DCs can be W2K (probably)).
 
jtdaly (Author) Commented:
Looks like we've about got it on the file sharing config question. I want to move a few things and then if all is good, I'll confirm with you. Appreciate the help.
By the way, are you particularly savvy with FRS? I have another thing going on with another question out there, and I'm not getting any responses. The problem is evolving, for the better I believe, but I am looking for some assistance in that area too.
 
kevinhsieh Commented:
No, I would need to research the FRS. I am ditching it as soon as all of my W2K3R2 DCs are replaced.
 
jtdaly (Author) Commented:
Ok, well let me get back to you after I've done a little file moving and have verified access rights.
Appreciate your help.

jd
 
jtdaly (Author) Commented:
Hi kevinhsieh, I've been busy working on getting things set up and moved, and all has gone well, certainly based on your input. One small thing I've noticed that I'd like to ask your thoughts on regarding the sharing / security setting:
If a folder has a user security right that has propagated down from above, or not for that matter, and is in the form of the group "Users (server\users)", that seems to allow any domain user to have access to what we thought was limited to the specific user group that had been assigned to that folder. I was thinking that that group which I just described, only referred to users on the local machine account (hence the servername\users designation, as opposed to domainname\users).

Am I misinterpreting this group's meaning and impact?
 
kevinhsieh Commented:
Comment http:35066739 by kevinhsieh is the correct answer and should be awarded the points.
 
jtdaly (Author) Commented:
Sounds good to me. Thanks for the help.
 
jtdaly (Author) Commented:
I am trying to accept kevinhsieh's solution, but the system won't let me. Please process this acceptance.
 
Modalot (EE Moderator) Commented:
Following an Objection by kevinhsieh, and after Moderator review, there seems to be a better disposition, as recommended by the contributing Expert(s).

Modalot
Community Support Moderator
