Avatar of Lorenzo Cricchio
Lorenzo Cricchio
Flag for United States of America asked on

Folder Permissions.. Inherited / Exclusive

 I hope I am not missing anything, but please tell me if I am doing something incorrectly.

I've inherited a SBS2003 and am consolidating user folders which were all over the  place.
 I put them all under a "d:\users" folder, shared the folder, and gave everyone full control under permissions.  Now, in the individual subfolders, I want to limit access to who has access to what.
 so, on the server, I go to  d:\users\jennifer, rt click, security, and then advanced, then remove all permissions, only adding the user and the respective rights.  This should would on all items and sub folders, shouldnt it?  Does the user need to logout and log back in?  do I need to do a GPUPDATE /Force?
  if I add users later, they get some rights, (not all) by default, and then when I tell it to propogate to child object, the orginal people I added wing up getting NO rights, which then it has to be set back manually.  Seems like the rights dont flow down to the sub folders.  Ive even went so far as to take permission (as administrator) to confirm I have the rights, then assign them accordingly.  
 Are they any OTHER users that need to have rights, such as SYSTEM / CreaterOwner?
 What the heck am I missing?!?!

 Thanks in advance!
OS SecuritySBSActive Directory

Avatar of undefined
Last Comment
Lorenzo Cricchio

8/22/2022 - Mon

I do something somewhat different with our shares.  I do have a root "users" folder, but it is not shared.  Instead I create subfolders within it for each user, and create them as their own share in the form of %username%$ so if the user name is user then the share name would be user$.  The $ makes it a hidden share, then I set permissions so that that user, or the specific security group associate w/ that user, and the security group associate w/ administrative full file access, are the only items listed in permissions, with Full Control enabled for both, then under security, I ensure that only their group, the administrative full file access group, and system are listed, again with Full rights.
Lorenzo Cricchio

Thats the way I was going to do it initially, however, the username is not equal to the folder name, plus some of the users would need to see other users documents, etc, in other user folders, so mapping was going to be an issue if I mapped rooted it.  By going up one level, even though users can see other peoples names, they wouldnt have access to what was inside.
  I dont want to hide the folders, merely give some users access to certain folders.  When I do that, the rights dont seem to filter downward even if I select "replace properties on child, etc etc.."
 I will advise there are many many security groups which were created before I came onboard to this company.
  I am assuming (correctly?) that once the inherited user rights are removed from a folder, any group rights no matter what they are, and IF they were in effect for that or the parent folder, are no longer there, and access to the folder is granted explicitely once I select a user, add them, and give them specific rights.  Is that right?
 Is there a service or function that needs to be running in order for this to work? perhaps a server restart?  Never had this issue before with rights.

 Thanks again.

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Lorenzo Cricchio

I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck