Setting up a share and files with specific permissions

Posted on 2011-10-19
Last Modified: 2013-04-17
Here's what I'm trying to set up:

A share on my Windows 2003 Server's C: drive named "Evaluations".  Under that will be folders for departments, "Dept1", "Dept2", etc.  Within each department folder are Word documents specific to individual employees that are their performance evaluations for the year.  Only the user and his/her supervisor should have the ability to open and change the Word docs.  I keep running into permission problems with this one.  

I assign limited rights to the Everyone group so that they can see the "Evaluations" share, but I can't seem to assign permissions to the individual files to limit their access to just the user and their supervisor.  I don't care if, in the example below, Fred can see that there's another file named "Jane.docx", but I don't want him to be able to open it. I have created a drive map group policy so that all users have a drive mapped to \\servername\evaluations.

(Note - the screenshot is from a Windows 7 workstation, but I'm actually setting this up on a Windows 2003 Server).  Any help will be greatly appreciated!
Question by: dgbritt

    Expert Comment

    Can you modify the Dept1 and Dept2 advanced permissions and specify "This folder only"?


    This way, rights won't be applied to files and you can define a specific ACL for each one [manager, user and administrator].

    Author Comment

    I have done that.  I then go to the individual user file and assign modify rights to the user and the supervisor, but after that when the user opens the file it opens as "read only".

    Expert Comment

    Can I get the output of the following command?

    cacls fred.docx


    Author Comment

    I thought to keep the confusion down I should include a screenshot of the actual files on the server rather than the made-up ones.
    "Evaluations" is the share name and users in the security group "evaluations" have a drive mapped at login.

    Here are the cacls results on both the share "evaluations" and the user file "chism.docx".
    When set up like this, Mr. Chism can open his file, make changes and save it.  But the weird thing is, once he's done that the permissions change.  The user chism is gone and now "evaluations" has change rights, meaning any other user can now open his file.

    Expert Comment

    I can see that the ID (inherited) flag is back from an OI/CI flag on a parent directory.

    In this case I'd start over and remove OI CI on evaluation (this folder, subfolders and files).
    Replace with CI (this folder and subfolders).
    Double check that Senior Staff-Bobby Jones is not set to OI-CI (folder/subfolders and files).

    Can you copy paste the result of CACLS "Senior Staff-Bobby Jones"?

    Author Comment

    Here it is, but sorry, I'm a little fuzzy on OI, CI, etc.

    Expert Comment

    Sorry for the OI/CI stuff, it's all explained here :)

    I see that both inherited (ID) and manually added rights are set on this senior folder. Evaluation inherits a C right where it should only have an R right.

    Can you go into advanced security and uncheck 'allow rights from parents to be inherited on this object', then choose the DELETE choice?
    This will keep manual rights and delete the other ones.

    Check that there is only an FBCJ\Evaluation R(ead) right on this folder;
    no more entries with ID should appear in the cacls output.

    Author Comment

    Thanks for helping with this; I know this is one of those situations where face-to-face might work better, but it is what it is!  When I change Evaluation to just R rights, then when chism opens the doc and makes changes he gets an access denied when trying to save the file.

    Accepted Solution

    Indeed, but it makes us understand exactly what happens and take time to think.

    Good, now Chism cannot save the file. I expected this behaviour.
    Now that no rights are inherited on the file, add a last manual right on this document and grant Chism the right to read and write this file.
    Test and enjoy, it should work pretty well.

    Now it's time to reset everything.

    The final rights to set are these:

    On the Evaluation folder:
    Remove all inherited rights. Delete them. If you can't get access to the folder anymore, don't panic: you have to take ownership and you'll get all rights back.

    Now add rights:

    Domain Admins : Full control --> folders, subfolders, files
    Any user you want to give full rights on everything : Full control --> folders, subfolders, files
    System : Full control --> folders, subfolders, files
    Evaluation group : Read and execute --> [folders and subfolders] ONLY
    That gives the group the right to browse the directory and see files. They cannot open them.

    On this Evaluation folder, there will be no 'greyed' right.

    Erase all subfolders' manual rights and check "Allow inheritable permissions from the parent to propagate to this object and all child objects".

    All folders must be clean, rights greyed out because of inheritance, all the same rights as the Evaluation folder.

    Do the same on files (you could propagate the rights, but I want you to remove any individual rights set before).

    Now everything is clean, you can give rights at file level to grant the final user the ability to open and save his file.

    Of course you can test everything with one subfolder before doing all the others.
    This could be done using cacls or subinacl, but I don't feel like making you type command lines, and I must leave for bed, so you're on your own until tomorrow :p

    Good luck
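The final rights from the accepted solution, written as a cmd script for readers who prefer the command line; this is an added example, not something posted in the thread. It assumes icacls.exe (shipped with Windows Server 2003 SP2 and later) rather than cacls, which cannot set inheritance flags, and it uses a placeholder supervisor account "super1" alongside the FBCJ domain, the Evaluations group, the Dept1 folder and the chism.docx file named above.

```batch
@echo off
rem Added example, not from the thread. Assumes icacls.exe (Server 2003 SP2+).
rem FBCJ, Evaluations, Dept1 and chism.docx come from the thread; the
rem supervisor account "super1" is a placeholder: replace it with the real one.
setlocal
set "ROOT=C:\Evaluations"
set "DOM=FBCJ"

rem 1. Grant administrators first so removing inheritance cannot lock you out.
icacls "%ROOT%" /grant "%DOM%\Domain Admins:(OI)(CI)F"
icacls "%ROOT%" /grant "SYSTEM:(OI)(CI)F"

rem 2. Drop every inherited ACE on the share root; only explicit ACEs remain.
rem    Also clear any stale explicit entry for the group before re-adding it.
icacls "%ROOT%" /inheritance:r
icacls "%ROOT%" /remove "%DOM%\Evaluations"

rem 3. Evaluations group: Read and execute on this folder and subfolders only
rem    (CI without OI). Members can browse and see file names, but no file
rem    inherits an ACE from this entry, so they cannot open the documents.
icacls "%ROOT%" /grant "%DOM%\Evaluations:(CI)RX"

rem 4. Wipe manual rights on every subfolder and file and re-enable
rem    inheritance, so everything below the root carries only inherited ACEs.
icacls "%ROOT%\*" /reset /T /C

rem 5. File-level rights: only the employee and the supervisor get Modify.
icacls "%ROOT%\Dept1\chism.docx" /grant "%DOM%\chism:M"
icacls "%ROOT%\Dept1\chism.docx" /grant "%DOM%\super1:M"

rem 6. Verify: the file should show Domain Admins and SYSTEM marked (I),
rem    the two explicit M entries, and no Evaluations group entry at all.
icacls "%ROOT%\Dept1\chism.docx"
endlocal
```

Word saves by writing a temporary file into the folder and replacing the original, which needs create and delete rights in Dept1 and yields a file that carries only inherited ACEs, the same symptom described earlier in the thread; test a save from the user's account and re-run the verification step before rolling this out to every department.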

