Whats the best practice for user permissions on a shared folder on a file server?

Posted on 2011-09-28
Last Modified: 2012-05-12
I have decided not to use the default permissions on my shared folder structure on my file share server.

Using Microsoft Server 2008 R2 and Windows 7 SP1 workstations:
What default security groups should i use?
I currently have:
Administrators: Full control

System: Full Control

Creator Owner: Full control

Group of Supervisors who aren't Domain admins: Full Control

User group A: Modify/ Read & Execute /List Folder contents / Read /Write

Authenticated Users: Read & Execute / List folder contents / Read

I assume authenticated users is everyone with a user name and password. I'm ok with this group perusing contents but not being able to delete or change anything
User Group A are people who require the ability to modify create and manage files. I don't want them to take ownership of the folder or have the ability to change permissions

Do i even need to list the "System" security group? Why?
Is it a good practice to list creator owner with full control?
Is there going to be a permissions issue/conflict  due to the authenticated users group having less permissions than User Group A?
What's a good set of groups to set for inheritable permissions at the root share? I don't want to use the everybody group.
Question by:Fureio
  • 4
  • 2
  • 2

Accepted Solution

knwarrior74 earned 500 total points
ID: 36720107
Best practices
Assign permissions to groups, not user accounts.
Assigning permissions to groups simplifies management of shared resources, because you can then add users to or remove them from the groups without having to reassign permissions. To deny all access to a shared resource, deny the Full Control permission.

Assign the most restrictive permissions that still allow users to perform required tasks.
For example, if users need only to read information in a folder, and they will never delete, create, or change files, assign the Read permission.

If users log on locally to access shared resources, such as on a terminal server, set permissions by using NTFS file system permissions or access control.
Share permissions apply only to users who access shared resources over the network; they do not apply to users who log on locally. For this situation, use NTFS and access control. For more information, see Set, view, change, or remove permissions on files and folders.

Organize resources so that objects with the same security requirements are located in the same folder.
For example, if users require the Read permission for several application folders, store the application folders in the same parent folder. Then, share the parent folder, rather than sharing each individual application folder. Note that if you need to change the location of an application, you may need to reinstall it.

When you share applications, organize all shared applications in one folder.
Organizing all applications in one shared folder simplifies administration, because there is only one location for installing and upgrading software.

To prevent problems with accessing network resources, do not deny permissions to the Everyone group.
The Everyone group includes anyone who has access to network resources, including the Guest account, with the exception of the Anonymous Logon group. For more information, see Default security settings for groups and Differences in default security settings.

Avoid explicitly denying permissions to a shared resource.
It is usually necessary to explicitly deny permissions only when you want to override specific permissions that are already assigned.

Limit membership in, and assign the Full Control permission to, the Administrators group.
This enables administrators to manage application software and to control user rights.

In most cases, do not change the default permission (Read) for the Everyone group.
The Everyone group includes anyone who has access to network resources, including the Guest account. In most cases, do not change this default unless you want users to be able to make changes to the files and objects in the shared resource. For more information about share permissions, see Share permissions.

Grant access to users by using domain user accounts.
On computers running Windows XP Professional that are connected to a domain, grant access to shared resources through domain user accounts, rather than through local user accounts. This centralizes the administration of share permissions.

Use centralized data folders.
With centralized data folders, you can manage resources and back up data easily.

Use intuitive, short labels for shared resources.
This ensures that the shared resources can be easily recognized and accessed by users and all client operating systems.

Use a firewall.
A firewall protects shared resources from access through the Internet. In Windows XP and in the Windows Server 2003 family, you can take advantage of new firewall capabilities. For more information, see Internet Connection Firewall. Instead of Internet Connection Firewall, computers running Windows XP with Service Pack 2 (SP2) and computers running Windows Server 2003 with Service Pack 1 (SP1), use Windows Firewall. For more information, see Help: Windows Firewall.

Author Comment

ID: 36814128
Thanks for your elaborate answer. However, this broad answer doesn't really apply to the questions i have asked since i am already working with user groups and not individuals.
You mention:
"Best practices
Assign permissions to groups, not user accounts.
Assigning permissions to groups simplifies management of shared resources, because you can then add users to or remove them from the groups without having to reassign permissions. To deny all access to a shared resource, deny the Full Control permission

Did you mean, create a group of  users together in AD DS and delegate permissions to the group? What about the actual folder itself, what default set of groups should i list in my shared folder?

What about the permissions listed in folder properties\Security tab? Reading your advice on Best Practices, i will have to restructure the way my entire file share is structured permission wise. The default groups in a folder are
Creator Owner: Full Control
System: Full Control
Domain\Administrators: Full Control
Domain\Users: Read & Execute / List folder contents / Read

How do i modify the folder security permissions to fit with user groups that have permissions?
My confusion comes from the following:
A certain group will only have read & exe / list / read at tier 1 and 2 of a folder structure but have modify and write at tier 3 and forward.

Another question here that went unanswered, should i keep the creator owner and system permissions in place for a file share that won't host programs?

Author Comment

ID: 36814645
I have figured out answers to a lot of the questions i posed here. Thanks for pointing me in the right direction.

My core question is:
Should i keep the "system" permissions in place for a file share that won't host programs?
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 36892459
yes because even OS shouldn't be able to work with data.

Expert Comment

ID: 36892798
I agree yes the OS shouldn't have security permissions set for it.  

Author Comment

ID: 36893014
Ok, i'm understanding two different answers here. Yes, i should keep SYSTEM in the default folder permission or YES, REMOVE the SYSTEM group since it isn't needed for a file share?
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 36893163
Ok if you accessing files only throw network you can REMOVE SYSTEM.

Author Closing Comment

ID: 36893216
Vague answer with a long response time to what was a very simple answer. The answer appears to be cut and paste since nowhere in my question do i mention Windows XP and mentions using groups when i had already mentioned that i was using groups and not individual users. A lot of the sub-questions remain unanswered

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many admins will agree: WSUS is is a nice invention but using it on the client side when updating a newly installed computer is still time consuming as you have to do several reboots and furthermore, the procedure of installing updates, rebooting an…
Introduction: Sometimes when I receive a call from my users to solve their problems it is very difficult for me to found their computer IP address. Even finding their computer Host to provide remote support can be a problem.  So I resorted to Goo…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question