Folder permissions in Win2k8

I'm setting up a new file server, and rearranging folder / group permissions as part of the project. My problem is that I want to create a top level folder that has departmental folders in it but I'm having permissions problems.
The top level folder is shared so everyone can map a drive letter to it and see inside it for their respective dept. folder, BUT, I don't want them to be able to add or create anything in this top level folder. Also, I want users to have access to their respective departmental folders below, based on their domain group membership.
This seems like it should be easy, but when I set up the top level share as anything but Full Control (sharing properties, not ACL), no matter what I have set up on the next level folder, the users can no longer have full control in the lower level folders.
I've messed with inheritance issues until I'm blue in the face (!) and can't seem to get it right. Seems like Sharing properties keeps trumping ACL properties. Help!
One last thing, this is a Win2k8 member server on a Win2K based AD domain.
jtdaly asked:

kevinhsieh commented:
If you want people to have FULL permissions to any of the folders, they need FULL permissions through the share because the most restrictive permissions are enforced. Set the share to have your users have FULL permissions. For the top level folder of the share, give them all READ permissions. Then give each departmental group Modify or Full permissions to their departmental folders. I usually give users only Modify (Change) permissions so that they can't change NTFS file/folder permissions.

In short, it doesn't matter what NTFS permissions you have: if you don't have the permissions at the share level, you don't have the permissions (when working through a share).
0
 
jtdaly (author) commented:
Right, I knew about the least permission thing. So, I'll set the share to Everyone has Full Control, and the NTFS rights on the sharing folder will be Everyone has Read rights.
Should I delete and disconnect any inherited rights that the share folder gets from above it? (That may have been one of my issues)

And on the departmental folders, you're suggesting Modify as the right to apply to the group? I'll have to look carefully at the choices, this one doesn't ring a bell.

Will let you know, but if anything I've said is wrong, give a shout.
0
 
kevinhsieh commented:
If the rights up above are too generous, then yes remove inheritance and set them the way you want them. That wouldn't be your problem though, because inheritance can only give people too much access, it can never reduce access.

The standard compound NTFS rights are Read, Modify, and Full through the GUI.
0
jtdaly (author) commented:
Ok, I think that almost has done it. Those inherited permissions were also giving me fits. On both folders (share folder and dept folder) I edited permissions and deleted inheriting from the parent folder. Then I added, deleted and adjusted as you described.

One catch I'm seeing is that a user that belongs to a department can modify the department folder name. They cannot create any folders or files in the share level folder that holds the departmental folder, but they can modify the dept folder name itself. Not that I expect that to happen (but one never knows!), but do you think there is a way to protect the folder name? I did assign Modify vs Full control for the departmental group users as you suggested, thanks for that tip.

0
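As an added example (not code from this thread), the script below builds the layout kevinhsieh describes above with net share and icacls, both of which ship with Windows Server 2008, and also answers the follow-up about protecting the department folder name: the department group gets Modify only on the contents of its folder, not on the folder object itself. CONTOSO, the path and the group names are assumed placeholders.

```powershell
# Added example: share = Everyone Full Control, NTFS does all the restricting.
# CONTOSO, D:\Shares\Departments and the group names are placeholders.
$Root   = 'D:\Shares\Departments'
$Domain = 'CONTOSO'
$Depts  = @{ 'Finance' = 'FinanceUsers'; 'HR' = 'HRUsers' }   # folder -> domain group

# 1. Share level. Effective access through a share is the MORE restrictive of
#    share and NTFS, so anything below Full here caps NTFS Modify/Full in the
#    department folders.
net share "Departments=$Root" "/GRANT:Everyone,FULL"

# 2. Top-level folder: drop inherited ACEs, then Read & execute for domain users
#    on this folder only (no (OI)(CI) flags), so they can list the department
#    folders but cannot create anything at this level.
icacls $Root /inheritance:r
icacls $Root /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
icacls $Root /grant "$Domain\Domain Users:RX"
# Do not grant BUILTIN\Users (shown as <server>\Users): on a domain member it
# contains Domain Users, so an ACE for it reaches every domain account.

# 3. Department folders: drop inheritance and give the group two ACEs.
#    (OI)(CI)(IO)M = Modify on everything inside (inherit-only, not the folder).
#    The folder itself gets read/list (RC,S,RD,REA,X,RA) plus create-file (WD)
#    and create-folder (AD). Renaming or deleting the department folder needs
#    DE on it or DC on the parent, and the group has neither.
foreach ($dept in $Depts.Keys) {
    $path  = Join-Path $Root $dept
    $group = "$Domain\$($Depts[$dept])"
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    icacls $path /inheritance:r
    icacls $path /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
    icacls $path /grant "${group}:(OI)(CI)(IO)M" "${group}:(RC,S,RD,REA,X,RA,WD,AD)"
}

# Check the result: every listed ACE should be one granted above, nothing inherited.
icacls $Root /t /c
```

Test with a member of the department group: creating, renaming and deleting files inside the department folder should succeed, while renaming the department folder or creating anything in the top-level folder should be denied.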
 
jtdaly (author) commented:
Just read your note about inheritance. Yes, that was one of my counter-problems yesterday: too little or too much. Now it's just about right. Except the folder name thing, which really doesn't matter, I don't think.

Next and last step is that I have to create a share that points directly to one or two of the department folders. As I think about it, I suppose all I have to do is add a share name with full control for everyone, but the underlying NTFS settings will be restrictive enough that only the department group folks will be able to get in.

Let's see how that goes.
0
 
kevinhsieh commented:
I suggest that you do all mappings to a domain based DFS root. \\domain.local\dfs\departments\department . You never have to worry about changing file servers, because the path will stay the same as far as clients are concerned.
0
 
jtdaly (author) commented:
I've heard that before, but I've never gone into DFS much so don't have real world experience with it. We're waiting to migrate from our W2K based domain this year (soon I hope). Will that be necessary in order to take advantage of that type of mapping?
0
 
kevinhsieh commented:
I think that it works with Windows 2000 domain controllers. It certainly works with Windows 2003 domain controllers (you need only 1, the other DCs can be W2K (probably))
0
 
jtdaly (author) commented:
Looks like we've about got it on the file sharing config question. I want to move a few things and then if all is good, I'll confirm with you. Appreciate the help.
By the way, are you particularly savvy with FRS? I have another thing going on with another question out there, and I'm not getting any responses. The problem is evolving, for the better I believe, but I am looking for some assistance in that area too.
0
 
kevinhsieh commented:
No, I would need to research the FRS. I am ditching it as soon as all of my W2K3R2 DCs are replaced.
0
 
jtdaly (author) commented:
Ok, well let me get back to you after I've done a little file moving and have verified access rights.
Appreciate your help.

jd
0
 
jtdaly (author) commented:
Hi kevinhsieh, I've been busy working on getting things set up and moved, and all has gone well, certainly based on your input. One small thing I've noticed that I'd like to ask your thoughts on regarding the sharing / security setting:
If a folder has a user security right that has propagated down from above, or not for that matter, and is in the form of the group "Users (server\users)", that seems to allow any domain user to have access to what we thought was limited to the specific user group that had been assigned to that folder. I was thinking that the group which I just described only referred to users on the local machine account (hence the servername\users designation, as opposed to domainname\users).

Am I misinterpreting this group's meaning and impact?
0
 
kevinhsieh commented:
Comment http:35066739 by kevinhsieh is the correct answer and should be awarded the points.
0
 
jtdaly (author) commented:
Sounds good to me. Thanks for the help.
0
 
jtdaly (author) commented:
I am trying to accept kevinhsieh's solution, but system won't let me. Please process this acceptance.
0
 
Modalot (EE Moderator) commented:
Following an Objection by kevinhsieh, and after Moderator review, there seems to be a better disposition, as recommended by the contributing Expert(s).

Modalot
Community Support Moderator
0