Setting up a share and files with specific permissions

Here's what I'm trying to set up:

A share on my Windows 2003 Server's C: drive named "Evaluations".  Under that will be folders for departments, "Dept1", "Dept2", etc.  Within each department folder are Word documents specific to individual employees that are their performance evaluations for the year.  Only the user and his/her supervisor should have the ability to open and change the Word docs.  I keep running into permission problems with this one.  

I assign limited rights to the Everyone group so that they can see the "Evaluations" share, but I can't seem to assign permissions to the individual files to limit their access to just the user and their supervisor.  I don't care if, in the example below, Fred can see that there's another file named "Jane.docx", but I don't want him to be able to open it. I have created a drive map group policy so that all users have a drive mapped to \\servername\evaluations.

(Note - the screenshot is from a Windows 7 workstation, but I'm actually setting this up on a Windows 2003 Server).  Any help will be greatly appreciated!

[screenshot: file structure]
Gerald26 Commented:
Indeed, but it makes us understand exactly what happens and take time to think.

Good, now Chism cannot save the file. I expected this behaviour.
Now that no rights are inherited on the file, add a last manual right on this document and grant Chism the right to read and write to this file.
Test and enjoy, it should work pretty well.

Now time to reset everything

Final rights to set are these:

On the Evaluation folder:
Remove all inherited rights. Delete them. If you can't get access to the folder anymore, don't panic, you have to take ownership and you'll get all rights back.

Now add rights:

domain admins : Full control --> Folders, subfolders, files
Any user you want to give full rights on everything : Full control --> Folders, subfolders, files
System : Full control --> Folders, subfolders, files
Evaluation group : Read and execute --> [Folders and subfolders] ONLY
That gives the group the right to browse the directory and see files. They cannot open them.

On this Evaluation folder, there will be no 'greyed' right.

Erase all subfolders manual rights and check Allow inheritable permissions from the parent to propagate to this object and all child objects.

All folders must be clean, rights greyed out because of inheritance, all the same rights as the Evaluation folder.

Do the same on files (you could propagate the rights but I want you to remove any individual rights set before)

Now everything is clean, you can give rights at the file level to grant the final user the ability to open and save his file.

Of course you can test everything with one subfolder before doing all the others.
This could be done using cacls or subinacl but I don't feel like making you type command lines, and I must leave for bed, so you're on your own until tomorrow :p

Good luck

Can you modify the Dept1 and Dept2 Advanced permissions and specify "This folder only"?


This way, rights won't be applied on files and you can define a specific ACL for each one [Manager, user and administrator].
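The layout Gerald26 describes (inheritance cut at the share root, folder-only rights for the group, explicit Modify on each document) can be applied in one pass from PowerShell. The script below is an added example written for this page, not code from the thread or from anyone in it; it assumes a share root of C:\Evaluations, a domain named FBCJ, a group FBCJ\Evaluations and the account names passed to Grant-EvaluationAccess, all of which are hypothetical. One caveat worth checking after a test save: Word writes a new file and swaps it for the original, so an ACE set on the document itself can disappear after editing, which is the behaviour reported later in this thread. Re-run Get-Acl on the document after the user saves.

```powershell
# Added example, not code from the thread: applies the final ACL layout described above.
# Assumed (hypothetical) names: share root C:\Evaluations, domain FBCJ, group FBCJ\Evaluations,
# and the employee/supervisor accounts handed to Grant-EvaluationAccess.
$Root = 'C:\Evaluations'

function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit = 'None'
    )
    # PropagationFlags 'None': the ACE applies to this object and, per $Inherit, to children below it
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inherit, 'None', 'Allow')
}

# 1. Evaluations folder: break inheritance, discard the inherited ACEs, start from a clean DACL.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)     # $true = protected, $false = do not keep inherited ACEs
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $null = $acl.RemoveAccessRule($rule)         # remove any explicit ACE set earlier
}
$acl.AddAccessRule((New-Ace 'FBCJ\Domain Admins'  'FullControl' 'ContainerInherit, ObjectInherit'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit'))
# Folders and subfolders ONLY (ContainerInherit without ObjectInherit):
# members can browse and list, but no file inherits anything from this ACE.
$acl.AddAccessRule((New-Ace 'FBCJ\Evaluations' 'ReadAndExecute' 'ContainerInherit'))
Set-Acl -Path $Root -AclObject $acl

# 2. Every subfolder and file: drop explicit ACEs and re-enable inheritance, so each object
#    carries only the greyed-out rights it inherits from Evaluations.
Get-ChildItem -Path $Root -Recurse | ForEach-Object {
    $child = Get-Acl -Path $_.FullName
    $child.SetAccessRuleProtection($false, $false)
    foreach ($rule in @($child.Access | Where-Object { -not $_.IsInherited })) {
        $null = $child.RemoveAccessRule($rule)
    }
    Set-Acl -Path $_.FullName -AclObject $child
}

# 3. Per-document ACEs: only the employee and the supervisor get Modify on the file.
function Grant-EvaluationAccess {
    param([string]$Path, [string[]]$Principals)
    $fileAcl = Get-Acl -Path $Path
    foreach ($p in $Principals) {
        $fileAcl.AddAccessRule((New-Ace $p 'Modify'))   # a file ACE carries no inheritance flags
    }
    Set-Acl -Path $Path -AclObject $fileAcl
}

# Hypothetical accounts for the document named in the thread.
Grant-EvaluationAccess -Path "$Root\Dept1\chism.docx" -Principals 'FBCJ\chism', 'FBCJ\bobby.jones'
```

Step 2 deliberately wipes explicit ACEs on every object before step 3 adds them back, which is the "remove any individual rights set before" point above: an explicit Change ACE left behind on a file would otherwise silently outlive the folder clean-up. The same three steps can be typed as cacls or icacls commands on the server itself, if PowerShell is not installed there.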
dgbrittAuthor Commented:
I have done that.  I then go to the individual user file and assign modify rights to the user and the supervisor, but after that when the user opens the file it opens as "read only".

Can I get an output of the following command ?

cacls fred.docx


dgbrittAuthor Commented:
I thought to keep the confusion down I should include a screenshot of the actual files on the server rather than the made-up ones.

[screenshot: file structure]
"Evaluations" is the share name and users in the security group "evaluations" have a drive mapped at login.

Here are the cacls results on both the share "evaluations" and the user file "chism.docx".

[screenshot: cacls output]

When set up like this, Mr. Chism can open his file, make changes and save it.  But the weird thing is, once he's done that the permissions change.  The user chism is gone and now "evaluations" has change rights, meaning any other user can now open his file.

[screenshot: after saving doc]

I can see that the ID (inherited) flag is back from an OI/CI flag on a parent directory.

In this case I'd start over and remove OI CI on Evaluation (this folder, subfolders and files).
Replace with CI (This folder and subfolders).
Double check that Senior Staff-Bobby Jones is not set to OI-CI (Folder/Subfolder and files).

Can you copy paste result of CACLS "Senior Staff-Bobby Jones" ?
dgbrittAuthor Commented:
Here it is, but sorry, I'm a little fuzzy on OI, CI, etc??
Sorry for the oi ci stuff, it's all explained here :)

I see that both inherited (ID) and manually added rights are set on this senior folder. Evaluation inherits a C right where it should only have an R right.

Can you go in advanced security and uncheck 'allow rights from parents to be inherited on this object', then choose the DELETE choice?
This will keep manual rights and delete the other ones.

Check that there is only a FBCJ\Evaluation R(ead) right on this folder.
No more entries with ID should appear in the cacls output.
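The checks Gerald26 is asking for by reading cacls output (no (ID) entries mixed with manual ones, the Evaluation group holding only R on folders and nothing on files, no OI flag that would push that ACE down onto documents) can be automated. The following is an added example written for this page, not code posted in the thread; it assumes the root C:\Evaluations and the group name FBCJ\Evaluations, both hypothetical, and uses only Get-Acl and the .NET FileSystemAccessRule properties, so it runs on PowerShell 2.0 or later.

```powershell
# Added example, not code from the thread: reads the ACL of every object under the share,
# reports what cacls abbreviates as (ID), (OI) and (CI), and flags the conditions discussed above.
# Assumed (hypothetical) names: C:\Evaluations and the group FBCJ\Evaluations.
$Root  = 'C:\Evaluations'
$Group = 'FBCJ\Evaluations'

function Get-AceReport {
    param([string]$Path)
    $isFolder = Test-Path -Path $Path -PathType Container
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $flags = $ace.InheritanceFlags
        New-Object PSObject -Property @{
            Path      = $Path
            IsFolder  = $isFolder
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited    # shown as (ID) by cacls
            # (OI): files below will inherit this ACE; (CI): subfolders below will inherit it
            OI = [bool]($flags -band [System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
            CI = [bool]($flags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
        }
    }
}

function Test-EvaluationAcl {
    param([string]$Root, [string]$Group)
    $report = @(Get-AceReport -Path $Root) +
              @(Get-ChildItem -Path $Root -Recurse | ForEach-Object { Get-AceReport -Path $_.FullName })
    $problems = @()

    # (a) Inherited and explicit ACEs on the same object: the mix the thread keeps running into.
    foreach ($g in ($report | Group-Object -Property Path)) {
        $inherited = @($g.Group | Where-Object { $_.Inherited }).Count
        $explicit  = @($g.Group | Where-Object { -not $_.Inherited }).Count
        if ($inherited -gt 0 -and $explicit -gt 0) {
            $problems += "mixed inherited and explicit ACEs on $($g.Name)"
        }
    }

    # (b) The group must not reach files at all, must only read folders, and its folder ACE
    #     must not carry OI, or every new document will inherit it (the 'after saving' symptom).
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($e in ($report | Where-Object { $_.Identity -eq $Group })) {
        if (-not $e.IsFolder) {
            $problems += "$Group has an ACE on a file: $($e.Path) ($($e.Rights))"
        } elseif ([int]($e.Rights -band $writeBits) -ne 0) {
            $problems += "$Group can write in folder $($e.Path) ($($e.Rights))"
        } elseif ($e.OI) {
            $problems += "$Group ACE on $($e.Path) has OI; files created below will inherit it"
        }
    }
    return $problems
}

# Human-readable view of one object, then the findings for the whole tree.
Get-AceReport -Path $Root | Format-Table Identity, Rights, Inherited, OI, CI -AutoSize
Test-EvaluationAcl -Root $Root -Group $Group
```

An empty result from Test-EvaluationAcl corresponds to the state described above: the root carries only explicit ACEs, everything beneath it carries only inherited ones plus the per-document grants, and the group's Read right never reaches a file. Running it before and after a user saves a document shows whether the save replaced the file's ACL.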
dgbrittAuthor Commented:
Thanks for helping with this; I know this is one of those situations where face-to-face might work better, but it is what it is!  When I change Evaluation to just R rights, then when chism opens the doc and makes changes he gets an access denied when trying to save the file.