Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Sharing folders by creating user groups in AD

Posted on 2011-09-05
7
Medium Priority
?
551 Views
Last Modified: 2013-12-07
Hi all,

I have a very stupid question to ask - but never the less, still a question I need to resolve. I am obviouslly missing something stupid...

I need to fine tune filesharing on a server.
1) I created groups in AD, for example, Management, Sales, Technical, etc.
2) I then add the appropriate users to the specisifc groups, for example, John Smith to Management allong with other users.
3) I then go to the folder I want the Management group to have permisions over, and add Management to this group (Under Security, and Advance, by adding the group Management, then give it full permision)

With these three steps, this should (in my mind) give management full access to this specific folder. But it does not! The only way I can share this folder, is by adding the individual users to the (security tab) of the folder. Then the user has access, but I cant get this working with User Groups created in Active Directory. I have added the appropriate users to this User Group, it just does not work. If I try and create any other groups for example (Distrubution group - Domain Local, Distribution Group - Universal, Distribution Group - Global) and add the user to it, I cant add this group to a folder to access it, it does not appear.

My questions is - How do I create a User Group in Active Directory, add users to this group, and share a folder by just giving this User group permisions to access this folder, then so automatically give everyone rights to that folder that belongs to that User Group?

Please help - Also, please let me know If I did not explain well enough, I just read it and it sounds a bit confusing. Thank-you in advance!
0
Comment
Question by:wimpie_asg
  • 3
  • 3
7 Comments
 
LVL 14

Expert Comment

by:Vinchenzo-the-Second
ID: 36483996
On your share permissions remove the everyone group and add in domain users, full control?  Then control the access to the folder via the NTFS permissions.  Do not give users full control on the NTFS permissions.  The users need to log out and back in again.
0
 
LVL 3

Author Comment

by:wimpie_asg
ID: 36484016
Thank-you.

If I understand you correctly:

I have shared the folder (default, the everyone has rights) I should remove the everyone under share, add domain users, and under NTFS (Security, Advance) add the group with full permisions?

0
 
LVL 14

Expert Comment

by:Vinchenzo-the-Second
ID: 36484066
Correct, but on the NTFS permissions only give users Modify, and not full control.  Users should not need full control, only give full control to administrators.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 26

Expert Comment

by:Leon Fester
ID: 36484072
Word of advice....don't give user permissions directly, maintain control by using the groups.
The reason is pretty simple.
If user accounts are deleted but the folder permissions is not updated then you'll be creating orphaned SID's.
This can cause a problem for some backup and archiving software.

You're steps above are correct and should work.
Go have a look at the permission inheritance and the file ownership by clicking the "Advanced" button on the bottom of the security TAB.

Ensure that the option "Include inheritable permissions from this object's parent" is selected.
Also check the ownership tab, if it's assigned to a single user then use the "Edit" button and let the adminstrator take ownership of the file.
0
 
LVL 3

Author Comment

by:wimpie_asg
ID: 36484127
I have done what you said and it works perfect - thank-you. I then tried to create a file under the folder, it gave me an access denied error. I went back to the share, and gave domain users "full access" it all still worked fine, I could then create a fild under my direcory.

1) Under file sharing and permisions, do I give domain users full access? (Read, Change, Full Control, or do I leave it as Read and change?)
2) What is the diffrence between full control and  just enabling the rest and leave out full control, is there something the user cannot do if I leave out full control, I mean if the user is supose to have full control, enabling everything else, and leaving out full control, will they notice a diffrence?

Thank-you for all the help - your solution worked.
0
 
LVL 14

Accepted Solution

by:
Vinchenzo-the-Second earned 2000 total points
ID: 36484194
For troubleshooting reasons, I always set the share permission to full control for domain users.  That way if I have to trouble shoot then I look at the NTFS permissions, because I know the share permission has full controll.  Please note that with NTFS and share permissions the one with the least permission will be applied.
With full control, you can do everything with this folder, you don't want your users to start changing permissions, so you would give them Modify.
0
 
LVL 3

Author Comment

by:wimpie_asg
ID: 36485189
Hi again 0 I know this thread is closed - and this solution works 100% on Windows server 2003 ED, but I am also trying this on windows 2008 server, but for some reason it does not work quite the same as the Windoes 2003 sharing of folders:

If I go to sharing under Windows 2008, and I give Domain Users rfull rights to the folder, it realy does not matter what I do under NTFS security, as it seems like the domain users overwrite the NTFS permisions??? I can have domain users in the sharing permisions on Windows 2008 server folder, just like in the example above as on Windows 2003 server folder, the when you go to NTFS permisions to add the group(s) there, everyone still has acccess to the folder regardless. Can the above solution for Windows 2003 server be carried over to a Windows server 2008 box?
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
When you put your credit card number into a website for an online transaction, surely you know to look for signs of a secure website such as the padlock icon in the web browser or the green address bar.  This is one way to protect yourself from oth…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question