Solved

Sharing folders by creating user groups in AD

Posted on 2011-09-05
7
523 Views
Last Modified: 2013-12-07
Hi all,

I have a very stupid question to ask - but never the less, still a question I need to resolve. I am obviouslly missing something stupid...

I need to fine tune filesharing on a server.
1) I created groups in AD, for example, Management, Sales, Technical, etc.
2) I then add the appropriate users to the specisifc groups, for example, John Smith to Management allong with other users.
3) I then go to the folder I want the Management group to have permisions over, and add Management to this group (Under Security, and Advance, by adding the group Management, then give it full permision)

With these three steps, this should (in my mind) give management full access to this specific folder. But it does not! The only way I can share this folder, is by adding the individual users to the (security tab) of the folder. Then the user has access, but I cant get this working with User Groups created in Active Directory. I have added the appropriate users to this User Group, it just does not work. If I try and create any other groups for example (Distrubution group - Domain Local, Distribution Group - Universal, Distribution Group - Global) and add the user to it, I cant add this group to a folder to access it, it does not appear.

My questions is - How do I create a User Group in Active Directory, add users to this group, and share a folder by just giving this User group permisions to access this folder, then so automatically give everyone rights to that folder that belongs to that User Group?

Please help - Also, please let me know If I did not explain well enough, I just read it and it sounds a bit confusing. Thank-you in advance!
0
Comment
Question by:wimpie_asg
  • 3
  • 3
7 Comments
 
LVL 14

Expert Comment

by:Vinchenzo-the-Second
ID: 36483996
On your share permissions remove the everyone group and add in domain users, full control?  Then control the access to the folder via the NTFS permissions.  Do not give users full control on the NTFS permissions.  The users need to log out and back in again.
0
 
LVL 3

Author Comment

by:wimpie_asg
ID: 36484016
Thank-you.

If I understand you correctly:

I have shared the folder (default, the everyone has rights) I should remove the everyone under share, add domain users, and under NTFS (Security, Advance) add the group with full permisions?

0
 
LVL 14

Expert Comment

by:Vinchenzo-the-Second
ID: 36484066
Correct, but on the NTFS permissions only give users Modify, and not full control.  Users should not need full control, only give full control to administrators.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 26

Expert Comment

by:Leon Fester
ID: 36484072
Word of advice....don't give user permissions directly, maintain control by using the groups.
The reason is pretty simple.
If user accounts are deleted but the folder permissions is not updated then you'll be creating orphaned SID's.
This can cause a problem for some backup and archiving software.

You're steps above are correct and should work.
Go have a look at the permission inheritance and the file ownership by clicking the "Advanced" button on the bottom of the security TAB.

Ensure that the option "Include inheritable permissions from this object's parent" is selected.
Also check the ownership tab, if it's assigned to a single user then use the "Edit" button and let the adminstrator take ownership of the file.
0
 
LVL 3

Author Comment

by:wimpie_asg
ID: 36484127
I have done what you said and it works perfect - thank-you. I then tried to create a file under the folder, it gave me an access denied error. I went back to the share, and gave domain users "full access" it all still worked fine, I could then create a fild under my direcory.

1) Under file sharing and permisions, do I give domain users full access? (Read, Change, Full Control, or do I leave it as Read and change?)
2) What is the diffrence between full control and  just enabling the rest and leave out full control, is there something the user cannot do if I leave out full control, I mean if the user is supose to have full control, enabling everything else, and leaving out full control, will they notice a diffrence?

Thank-you for all the help - your solution worked.
0
 
LVL 14

Accepted Solution

by:
Vinchenzo-the-Second earned 500 total points
ID: 36484194
For troubleshooting reasons, I always set the share permission to full control for domain users.  That way if I have to trouble shoot then I look at the NTFS permissions, because I know the share permission has full controll.  Please note that with NTFS and share permissions the one with the least permission will be applied.
With full control, you can do everything with this folder, you don't want your users to start changing permissions, so you would give them Modify.
0
 
LVL 3

Author Comment

by:wimpie_asg
ID: 36485189
Hi again 0 I know this thread is closed - and this solution works 100% on Windows server 2003 ED, but I am also trying this on windows 2008 server, but for some reason it does not work quite the same as the Windoes 2003 sharing of folders:

If I go to sharing under Windows 2008, and I give Domain Users rfull rights to the folder, it realy does not matter what I do under NTFS security, as it seems like the domain users overwrite the NTFS permisions??? I can have domain users in the sharing permisions on Windows 2008 server folder, just like in the example above as on Windows 2003 server folder, the when you go to NTFS permisions to add the group(s) there, everyone still has acccess to the folder regardless. Can the above solution for Windows 2003 server be carried over to a Windows server 2008 box?
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Suggested Solutions

I had to do a bit of research to find the answer to this question so I thought I'd share my results.  Due to our outdated mainframe systems, we need to downgrade IE9 to IE8 in order to stay compatible.  We also needed to downgrade Java.  In order to…
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now