Sharing folders by creating user groups in AD
Hi all,
I have a very stupid question to ask - but never the less, still a question I need to resolve. I am obviouslly missing something stupid...
I need to fine tune filesharing on a server.
1) I created groups in AD, for example, Management, Sales, Technical, etc.
2) I then add the appropriate users to the specisifc groups, for example, John Smith to Management allong with other users.
3) I then go to the folder I want the Management group to have permisions over, and add Management to this group (Under Security, and Advance, by adding the group Management, then give it full permision)
With these three steps, this should (in my mind) give management full access to this specific folder. But it does not! The only way I can share this folder, is by adding the individual users to the (security tab) of the folder. Then the user has access, but I cant get this working with User Groups created in Active Directory. I have added the appropriate users to this User Group, it just does not work. If I try and create any other groups for example (Distrubution group - Domain Local, Distribution Group - Universal, Distribution Group - Global) and add the user to it, I cant add this group to a folder to access it, it does not appear.
My questions is - How do I create a User Group in Active Directory, add users to this group, and share a folder by just giving this User group permisions to access this folder, then so automatically give everyone rights to that folder that belongs to that User Group?
Please help - Also, please let me know If I did not explain well enough, I just read it and it sounds a bit confusing. Thank-you in advance!
I have a very stupid question to ask - but never the less, still a question I need to resolve. I am obviouslly missing something stupid...
I need to fine tune filesharing on a server.
1) I created groups in AD, for example, Management, Sales, Technical, etc.
2) I then add the appropriate users to the specisifc groups, for example, John Smith to Management allong with other users.
3) I then go to the folder I want the Management group to have permisions over, and add Management to this group (Under Security, and Advance, by adding the group Management, then give it full permision)
With these three steps, this should (in my mind) give management full access to this specific folder. But it does not! The only way I can share this folder, is by adding the individual users to the (security tab) of the folder. Then the user has access, but I cant get this working with User Groups created in Active Directory. I have added the appropriate users to this User Group, it just does not work. If I try and create any other groups for example (Distrubution group - Domain Local, Distribution Group - Universal, Distribution Group - Global) and add the user to it, I cant add this group to a folder to access it, it does not appear.
My questions is - How do I create a User Group in Active Directory, add users to this group, and share a folder by just giving this User group permisions to access this folder, then so automatically give everyone rights to that folder that belongs to that User Group?
Please help - Also, please let me know If I did not explain well enough, I just read it and it sounds a bit confusing. Thank-you in advance!
Vinchenzo-the-Second
On your share permissions remove the everyone group and add in domain users, full control? Then control the access to the folder via the NTFS permissions. Do not give users full control on the NTFS permissions. The users need to log out and back in again.
ASKER
Thank-you.
If I understand you correctly:
I have shared the folder (default, the everyone has rights) I should remove the everyone under share, add domain users, and under NTFS (Security, Advance) add the group with full permisions?
If I understand you correctly:
I have shared the folder (default, the everyone has rights) I should remove the everyone under share, add domain users, and under NTFS (Security, Advance) add the group with full permisions?
Correct, but on the NTFS permissions only give users Modify, and not full control. Users should not need full control, only give full control to administrators.
Word of advice....don't give user permissions directly, maintain control by using the groups.
The reason is pretty simple.
If user accounts are deleted but the folder permissions is not updated then you'll be creating orphaned SID's.
This can cause a problem for some backup and archiving software.
You're steps above are correct and should work.
Go have a look at the permission inheritance and the file ownership by clicking the "Advanced" button on the bottom of the security TAB.
Ensure that the option "Include inheritable permissions from this object's parent" is selected.
Also check the ownership tab, if it's assigned to a single user then use the "Edit" button and let the adminstrator take ownership of the file.
The reason is pretty simple.
If user accounts are deleted but the folder permissions is not updated then you'll be creating orphaned SID's.
This can cause a problem for some backup and archiving software.
You're steps above are correct and should work.
Go have a look at the permission inheritance and the file ownership by clicking the "Advanced" button on the bottom of the security TAB.
Ensure that the option "Include inheritable permissions from this object's parent" is selected.
Also check the ownership tab, if it's assigned to a single user then use the "Edit" button and let the adminstrator take ownership of the file.
ASKER
I have done what you said and it works perfect - thank-you. I then tried to create a file under the folder, it gave me an access denied error. I went back to the share, and gave domain users "full access" it all still worked fine, I could then create a fild under my direcory.
1) Under file sharing and permisions, do I give domain users full access? (Read, Change, Full Control, or do I leave it as Read and change?)
2) What is the diffrence between full control and just enabling the rest and leave out full control, is there something the user cannot do if I leave out full control, I mean if the user is supose to have full control, enabling everything else, and leaving out full control, will they notice a diffrence?
Thank-you for all the help - your solution worked.
1) Under file sharing and permisions, do I give domain users full access? (Read, Change, Full Control, or do I leave it as Read and change?)
2) What is the diffrence between full control and just enabling the rest and leave out full control, is there something the user cannot do if I leave out full control, I mean if the user is supose to have full control, enabling everything else, and leaving out full control, will they notice a diffrence?
Thank-you for all the help - your solution worked.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi again 0 I know this thread is closed - and this solution works 100% on Windows server 2003 ED, but I am also trying this on windows 2008 server, but for some reason it does not work quite the same as the Windoes 2003 sharing of folders:
If I go to sharing under Windows 2008, and I give Domain Users rfull rights to the folder, it realy does not matter what I do under NTFS security, as it seems like the domain users overwrite the NTFS permisions??? I can have domain users in the sharing permisions on Windows 2008 server folder, just like in the example above as on Windows 2003 server folder, the when you go to NTFS permisions to add the group(s) there, everyone still has acccess to the folder regardless. Can the above solution for Windows 2003 server be carried over to a Windows server 2008 box?
If I go to sharing under Windows 2008, and I give Domain Users rfull rights to the folder, it realy does not matter what I do under NTFS security, as it seems like the domain users overwrite the NTFS permisions??? I can have domain users in the sharing permisions on Windows 2008 server folder, just like in the example above as on Windows 2003 server folder, the when you go to NTFS permisions to add the group(s) there, everyone still has acccess to the folder regardless. Can the above solution for Windows 2003 server be carried over to a Windows server 2008 box?