?
Solved

How to correctly assign NTFS permission on Windows 2008 share folder

Posted on 2011-09-18
4
Medium Priority
?
556 Views
Last Modified: 2012-05-12

Hi Experts,

I have a share folder name "Departments" and inside that folder there are several folders with department names.  All folders are configure to have their NTFS security permission assign according to their group. Example: If you are a staff of the HR department then they will be inside the HR security group, and that group is assign to the HR folder with full permission.

The problem I am having is that users can copy and paste other folders they are not allow, to the Folder they have permission.
Example:  HR Folder is only accessible to users that are in the HR group, but users from another Departments like "Administration" can copy the HR folder and pasted it on their Administration folder.  

The users from "Administration Group" cannot access the HR folder when they double click.  This is happening to every folder.  Users do not have access to a particular folder but they can copy the folder and have access.

Folder permissions are as follow:

Share folder -- Departments -- shared permission  "Everyone Full control"
                      NTFS Permission-- "creators owner full control" - "Admins full control" - "Authenticated user- Read only"

ALL folders inside Department folders have "creators owner -Full control"  "admin -full control" and Full control to the group the folder belown to.

Thanks,
0
Comment
Question by:kiquee
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 1

Expert Comment

by:MwaZone
ID: 36557605
Hallo,

In the "Departments" folder (containing your departments folders) have you granted "your default users or everyone" group more then [Traverse folder / execute file], [List folder / read data], [Read attributes], [read extended attributes], [read permissions] to [This Foler...] ?

The share "Departments" only have to have this permissions:
Group                                 Permissions                      Applied on
Default Users Group              Listed above                     This Folder only
SYSTEM                                 All                                      This Folder, Subfolders and Files
Administrators                        All                                      This Folder, Subfolders and Files

Default users group being the group your using today ex. Everyone / Auth.Users / Domain Users
Administrators being the group your admins are members of

Being some thing like the attached image, but your departments subfolders need to have the Auth.users replaced with the departm.group and the permissions needed....
If other groups is used for some other purpose this may still be needed, but be sure that it is not taking effect / overlapping.

Hope this is useful!
ntfs-permissions.png
0
 

Author Comment

by:kiquee
ID: 36560907
Hi,

I have the "Department" folder as you specify and the result is the same.  I did notices if I remove   "[Traverse folder / execute file], [Read attributes], [read extended attributes]," [read permissions] AND NOT [List folder / read data], .  Then the result is what I want, that the user cannot copy whats inside a folder that they dont have permission to access.

The only thing is that when they try to copy and paste a folder they dont have access ,they can copy just the main folder ONLY( ex, LIKE HR Administration), , but nothing inside. Which that's GOOD!  This only happens with WIndows XP and not Windows 7.


Also, I will like to know if there is a way to prevent users that have access to a folder inside the "deparment folder" to not be able to delete from the main deparment folder?

Ex.  A user can access the HR folder, delete folders and files and modify without any issues, I will like that user to not be able to delete from the HR folder. because if they do everything inside the HR folder will be delete.  So to make it clear, I will not like the user to go under the HR folder and rigth click the mice and hit delete, because everything inside the HR folder will be delete.

I have deselected the delete permission in the advance option, but this only prevent the HR folder to be delete but not documents or folders inside the HR folder.

Any ideas?

0
 
LVL 1

Accepted Solution

by:
MwaZone earned 1500 total points
ID: 36563741
Hi,

To prevent deletetion of both the HR folder it self and sub folders and files (ex. documents etc.) your will have to be sure that all NTFS permissions that relate to the users don't have [Delete subfolders and files] and the [Delete] and that it is applied to [This folder, subfolders and files] in the permissions.

And be sure that you cover all the groups etc. that have effect on the users.
0
 

Author Closing Comment

by:kiquee
ID: 37216426
I had to change the permission on other folders too.  the answer was partially correct.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question