• Status: Solved

Sharing folders by creating user groups in AD

Hi all,

I have a very stupid question to ask - but nevertheless, still a question I need to resolve. I am obviously missing something stupid...

I need to fine-tune file sharing on a server.
1) I created groups in AD, for example, Management, Sales, Technical, etc.
2) I then add the appropriate users to the specific groups, for example, John Smith to Management along with other users.
3) I then go to the folder I want the Management group to have permissions over, and add Management to this group (under Security, and Advanced, by adding the group Management, then give it full permission)

With these three steps, this should (in my mind) give management full access to this specific folder. But it does not! The only way I can share this folder is by adding the individual users to the (security tab) of the folder. Then the user has access, but I can't get this working with User Groups created in Active Directory. I have added the appropriate users to this User Group, it just does not work. If I try and create any other groups, for example (Distribution Group - Domain Local, Distribution Group - Universal, Distribution Group - Global) and add the user to it, I can't add this group to a folder to access it, it does not appear.

My question is - How do I create a User Group in Active Directory, add users to this group, and share a folder by just giving this User Group permissions to access this folder, and so automatically give everyone that belongs to that User Group rights to that folder?

Please help - Also, please let me know if I did not explain well enough, I just read it and it sounds a bit confusing. Thank you in advance!
Asked by: wimpie_asg
1 Solution
 
Vinchenzo-the-Second Commented:
On your share permissions remove the everyone group and add in domain users, full control?  Then control the access to the folder via the NTFS permissions.  Do not give users full control on the NTFS permissions.  The users need to log out and back in again.

wimpie_asg (Author) Commented:
Thank-you.

If I understand you correctly:

I have shared the folder (by default, Everyone has rights). I should remove Everyone under share, add domain users, and under NTFS (Security, Advanced) add the group with full permissions?

Vinchenzo-the-Second Commented:
Correct, but on the NTFS permissions only give users Modify, and not full control.  Users should not need full control, only give full control to administrators.
 
Leon Fester (IT Project Change Manager) Commented:
Word of advice....don't give user permissions directly, maintain control by using the groups.
The reason is pretty simple.
If user accounts are deleted but the folder permissions are not updated then you'll be creating orphaned SIDs.
This can cause a problem for some backup and archiving software.

Your steps above are correct and should work.
Go have a look at the permission inheritance and the file ownership by clicking the "Advanced" button on the bottom of the Security tab.

Ensure that the option "Include inheritable permissions from this object's parent" is selected.
Also check the ownership tab, if it's assigned to a single user then use the "Edit" button and let the administrator take ownership of the file.

wimpie_asg (Author) Commented:
I have done what you said and it works perfectly - thank you. I then tried to create a file under the folder, it gave me an access denied error. I went back to the share, and gave domain users "full access", it all still worked fine, I could then create a file under my directory.

1) Under file sharing and permissions, do I give domain users full access? (Read, Change, Full Control, or do I leave it as Read and Change?)
2) What is the difference between full control and just enabling the rest and leaving out full control? Is there something the user cannot do if I leave out full control? I mean, if the user is supposed to have full control, enabling everything else and leaving out full control, will they notice a difference?

Thank-you for all the help - your solution worked.

Vinchenzo-the-Second Commented:
For troubleshooting reasons, I always set the share permission to full control for domain users.  That way if I have to troubleshoot then I look at the NTFS permissions, because I know the share permission has full control.  Please note that with NTFS and share permissions the one with the least permission will be applied.
With full control, you can do everything with this folder, you don't want your users to start changing permissions, so you would give them Modify.
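
The procedure from this thread as a script, added here as an example and not posted by any participant. It assumes Windows Server 2012 or later (for the SmbShare cmdlets) with the ActiveDirectory module; the domain CORP, the OU path, the user jsmith and the folder path are hypothetical.

```powershell
# Added example. Assumed names: CORP domain, OU path, jsmith, D:\Shares\Management.
Import-Module ActiveDirectory

$domain = 'CORP'
$group  = 'Management'
$path   = 'D:\Shares\Management'

# The group must be a Security group; Distribution groups cannot be placed on an ACL.
New-ADGroup -Name $group -GroupCategory Security -GroupScope Global `
    -Path 'OU=Groups,DC=corp,DC=example'
Add-ADGroupMember -Identity $group -Members 'jsmith'

# Share permissions: Domain Users get Full Control, so NTFS is the only layer to audit.
New-Item -ItemType Directory -Path $path -Force | Out-Null
New-SmbShare -Name $group -Path $path -FullAccess "$domain\Domain Users"

# NTFS permissions: Modify for the group, Full Control and ownership for Administrators.
icacls $path /grant "${domain}\${group}:(OI)(CI)M"
icacls $path /grant 'BUILTIN\Administrators:(OI)(CI)F'
icacls $path /setowner 'BUILTIN\Administrators'

# Review both layers. Access over the network is the more restrictive of the two.
Get-SmbShareAccess -Name $group
$acl = Get-Acl -Path $path
$acl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Broad inherited entries (for example BUILTIN\Users) grant access regardless of the group ACE.
$acl.Access | Where-Object { $_.IsInherited }

# ACEs left behind by deleted accounts show up as raw SIDs that no longer resolve.
$acl.Access | Where-Object { $_.IdentityReference.Value -match '^S-1-5-21-' }
```

A user added to the group picks up the membership at the next logon; `whoami /groups` in the new session should then list CORP\Management.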

wimpie_asg (Author) Commented:
Hi again - I know this thread is closed - and this solution works 100% on Windows server 2003 ED, but I am also trying this on Windows 2008 server, but for some reason it does not work quite the same as the Windows 2003 sharing of folders:

If I go to sharing under Windows 2008, and I give Domain Users full rights to the folder, it really does not matter what I do under NTFS security, as it seems like the domain users overwrite the NTFS permissions??? I can have domain users in the sharing permissions on Windows 2008 server folder, just like in the example above as on Windows 2003 server folder, then when you go to NTFS permissions to add the group(s) there, everyone still has access to the folder regardless. Can the above solution for Windows 2003 server be carried over to a Windows server 2008 box?