Solved

Sharing folders by creating user groups in AD

Posted on 2011-09-05
7
539 Views
Last Modified: 2013-12-07
Hi all,

I have a very stupid question to ask - but never the less, still a question I need to resolve. I am obviouslly missing something stupid...

I need to fine tune filesharing on a server.
1) I created groups in AD, for example, Management, Sales, Technical, etc.
2) I then add the appropriate users to the specisifc groups, for example, John Smith to Management allong with other users.
3) I then go to the folder I want the Management group to have permisions over, and add Management to this group (Under Security, and Advance, by adding the group Management, then give it full permision)

With these three steps, this should (in my mind) give management full access to this specific folder. But it does not! The only way I can share this folder, is by adding the individual users to the (security tab) of the folder. Then the user has access, but I cant get this working with User Groups created in Active Directory. I have added the appropriate users to this User Group, it just does not work. If I try and create any other groups for example (Distrubution group - Domain Local, Distribution Group - Universal, Distribution Group - Global) and add the user to it, I cant add this group to a folder to access it, it does not appear.

My questions is - How do I create a User Group in Active Directory, add users to this group, and share a folder by just giving this User group permisions to access this folder, then so automatically give everyone rights to that folder that belongs to that User Group?

Please help - Also, please let me know If I did not explain well enough, I just read it and it sounds a bit confusing. Thank-you in advance!
0
Comment
Question by:wimpie_asg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 14

Expert Comment

by:Vinchenzo-the-Second
ID: 36483996
On your share permissions remove the everyone group and add in domain users, full control?  Then control the access to the folder via the NTFS permissions.  Do not give users full control on the NTFS permissions.  The users need to log out and back in again.
0
 
LVL 3

Author Comment

by:wimpie_asg
ID: 36484016
Thank-you.

If I understand you correctly:

I have shared the folder (default, the everyone has rights) I should remove the everyone under share, add domain users, and under NTFS (Security, Advance) add the group with full permisions?

0
 
LVL 14

Expert Comment

by:Vinchenzo-the-Second
ID: 36484066
Correct, but on the NTFS permissions only give users Modify, and not full control.  Users should not need full control, only give full control to administrators.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 26

Expert Comment

by:Leon Fester
ID: 36484072
Word of advice....don't give user permissions directly, maintain control by using the groups.
The reason is pretty simple.
If user accounts are deleted but the folder permissions is not updated then you'll be creating orphaned SID's.
This can cause a problem for some backup and archiving software.

You're steps above are correct and should work.
Go have a look at the permission inheritance and the file ownership by clicking the "Advanced" button on the bottom of the security TAB.

Ensure that the option "Include inheritable permissions from this object's parent" is selected.
Also check the ownership tab, if it's assigned to a single user then use the "Edit" button and let the adminstrator take ownership of the file.
0
 
LVL 3

Author Comment

by:wimpie_asg
ID: 36484127
I have done what you said and it works perfect - thank-you. I then tried to create a file under the folder, it gave me an access denied error. I went back to the share, and gave domain users "full access" it all still worked fine, I could then create a fild under my direcory.

1) Under file sharing and permisions, do I give domain users full access? (Read, Change, Full Control, or do I leave it as Read and change?)
2) What is the diffrence between full control and  just enabling the rest and leave out full control, is there something the user cannot do if I leave out full control, I mean if the user is supose to have full control, enabling everything else, and leaving out full control, will they notice a diffrence?

Thank-you for all the help - your solution worked.
0
 
LVL 14

Accepted Solution

by:
Vinchenzo-the-Second earned 500 total points
ID: 36484194
For troubleshooting reasons, I always set the share permission to full control for domain users.  That way if I have to trouble shoot then I look at the NTFS permissions, because I know the share permission has full controll.  Please note that with NTFS and share permissions the one with the least permission will be applied.
With full control, you can do everything with this folder, you don't want your users to start changing permissions, so you would give them Modify.
0
 
LVL 3

Author Comment

by:wimpie_asg
ID: 36485189
Hi again 0 I know this thread is closed - and this solution works 100% on Windows server 2003 ED, but I am also trying this on windows 2008 server, but for some reason it does not work quite the same as the Windoes 2003 sharing of folders:

If I go to sharing under Windows 2008, and I give Domain Users rfull rights to the folder, it realy does not matter what I do under NTFS security, as it seems like the domain users overwrite the NTFS permisions??? I can have domain users in the sharing permisions on Windows 2008 server folder, just like in the example above as on Windows 2003 server folder, the when you go to NTFS permisions to add the group(s) there, everyone still has acccess to the folder regardless. Can the above solution for Windows 2003 server be carried over to a Windows server 2008 box?
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question