• Status: Solved

Setting up a share and files with specific permissions

Here's what I'm trying to set up:

A share on my Windows 2003 Server's C: drive named "Evaluations".  Under that will be folders for departments, "Dept1", "Dept2", etc.  Within each department folder are Word documents specific to individual employees that are their performance evaluations for the year.  Only the user and his/her supervisor should have the ability to open and change the Word docs.  I keep running into permission problems with this one.  

I assign limited rights to the Everyone group so that they can see the "Evaluations" share, but I can't seem to assign permissions to the individual files to limit their access to just the user and their supervisor.  I don't care if, in the example below, Fred can see that there's another file named "Jane.docx", but I don't want him to be able to open it. I have created a drive map group policy so that all users have a drive mapped to \\servername\evaluations.

(Note: the screenshot is from a Windows 7 workstation, but I'm actually setting this up on a Windows 2003 Server.)  Any help will be greatly appreciated!

file structure
Asked: dgbritt

1 Solution
Gerald26 commented:
Can you modify the Dept1, Dept2 advanced permissions and specify "This folder only"?

ntfs2.jpg

This way, rights won't be applied to the files and you can define a specific ACL for each one [manager, user and administrator].
 
dgbritt (Author) commented:
I have done that.  I then go to the individual user file and assign modify rights to the user and the supervisor, but after that, when the user opens the file, it opens as "read only".
 
Gerald26 commented:
Can I get the output of the following command?

cacls fred.docx
dgbritt (Author) commented:
I thought, to keep the confusion down, I should include a screenshot of the actual files on the server rather than the made-up ones.

file structure

"Evaluations" is the share name and users in the security group "evaluations" have a drive mapped at login.

Here are the cacls results on both the share "evaluations" and the user file "chism.docx".

cacls for ee

When set up like this, Mr. Chism can open his file, make changes and save it.  But the weird thing is, once he's done that, the permissions change.  The user chism is gone and now "evaluations" has change rights, meaning any other user can now open his file.

after saving doc
 
Gerald26 commented:
I can see that the ID (inherited) flag is back from an OI/CI flag on a parent directory.

In this case I'd start over and remove OI CI on Evaluation (this folder, subfolders and files).
Replace with CI (this folder and subfolders).
Double check that Senior Staff-Bobby Jones is not set to OI-CI (folder, subfolders and files).

Can you copy-paste the result of CACLS "Senior Staff-Bobby Jones"?
 
dgbritt (Author) commented:
Here it is, but sorry, I'm a little fuzzy on OI, CI, etc.?
Capture5.JPG
 
Gerald26 commented:
Sorry for the OI/CI stuff, it's all explained here :)

http://technet.microsoft.com/en-us/library/bb490872.aspx

I see that both inherited (ID) and manually added rights are set on this senior folder. Evaluation inherits a C right where it should only have an R right.

Can you go into advanced security and uncheck 'allow rights from parents to be inherited on this object', then choose the DELETE choice?
This will keep manual rights and delete the other ones.

Check that there is only an FBCJ\Evaluation R(ead) right on this folder;
no more entries with ID should appear in the cacls output.
 
dgbritt (Author) commented:
Thanks for helping with this; I know this is one of those situations where face-to-face might work better, but it is what it is!  When I change Evaluation to just R rights, then when chism opens the doc and makes changes, he gets an access denied when trying to save the file.
 
Gerald26 commented:
Indeed, but it makes us understand exactly what happens and take time to think.

Good, now Chism cannot save the file. I expected this behaviour.
Now that no rights are inherited on the file, add a last manual right on this document and grant Chism the right to read and write this file.
Test and enjoy, it should work pretty well.

Now time to reset everything.

Final rights to set are these:

On the Evaluation folder:
Remove all inherited rights. Delete them. If you can't get access to the folder anymore, don't panic, you have to take ownership and you'll get all rights back.

Now add rights:

Domain Admins : Full control --> Folders, subfolders, files
Any user you want to give full rights on everything : Full control --> Folders, subfolders, files
System : Full control --> Folders, subfolders, files
Evaluation group : Read and execute --> [Folders and subfolders] ONLY
That gives the group the right to browse the directory and see files. They cannot open them.

On this Evaluation folder, there will be no 'greyed' right.

Erase all subfolders' manual rights and check "Allow inheritable permissions from the parent to propagate to this object and all child objects".

All folders must be clean, rights greyed out because of inheritance, all the same rights as the Evaluation folder.

Do the same on files (you could propagate the rights, but I want you to remove any individual rights set before).

Now everything is clean, you can give rights at the file level to grant the final user the ability to open and save his file.

Of course you can test everything with one subfolder before doing all the others.
This could be done using cacls or subinacl, but I don't feel like making you type command lines, and I must leave for bed, so you're on your own until tomorrow :p

Good luck

Gerald
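The layout Gerald describes (explicit rights on the share root, pure inheritance on everything below it, then one explicit entry per evaluation file) can be applied and checked from PowerShell instead of clicking through the advanced security dialog. The script below is an added example, not code from the thread or from Gerald; it assumes PowerShell 2.0 or later on the server, a share root of C:\Evaluations, the domain FBCJ seen in the cacls output earlier, and placeholder group and user names (FBCJ\Evaluations, FBCJ\chism, FBCJ\supervisor) that you would replace with your own. The inheritance flags it sets are the ones cacls prints as OI, CI and ID, so the same script also serves as a reference for the OI/CI discussion above.

```powershell
# Added example, not from the thread. Lays down the final NTFS layout described
# above and prints ACLs with the flags cacls shows as OI / CI / ID.
# Assumptions: share root C:\Evaluations, domain FBCJ, placeholder principals.
$Root      = 'C:\Evaluations'
$EvalGroup = 'FBCJ\Evaluations'        # placeholder: group that gets the mapped drive
$Admins    = 'FBCJ\Domain Admins'      # placeholder
$System    = 'NT AUTHORITY\SYSTEM'

# Build one Allow ACE. InheritanceFlags map onto cacls output:
#   ContainerInherit = CI (folders), ObjectInherit = OI (files), None = this object only.
function New-AllowRule {
    param(
        [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights,
        [System.Security.AccessControl.InheritanceFlags] $Inherit
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Step 1: the share root. Stop inheriting from C:\ without copying the inherited
# entries (the "Delete" choice in the GUI), drop old explicit entries, then add
# exactly the rights listed in the thread. No entry on the root is greyed out.
function Set-RootAcl {
    $acl = Get-Acl -Path $Root
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void] $acl.RemoveAccessRule($old)
    }
    $both = 'ContainerInherit, ObjectInherit'     # folders, subfolders and files
    $acl.AddAccessRule((New-AllowRule $Admins    'FullControl'    $both))
    $acl.AddAccessRule((New-AllowRule $System    'FullControl'    $both))
    # Folders and subfolders ONLY (CI without OI): members can browse and see
    # file names but hold no right on the files themselves, so cannot open them.
    $acl.AddAccessRule((New-AllowRule $EvalGroup 'ReadAndExecute' 'ContainerInherit'))
    Set-Acl -Path $Root -AclObject $acl
}

# Step 2: every subfolder and file below the root goes back to pure inheritance
# (greyed-out rights in the GUI, ID flag in cacls); any hand-set entry is removed.
function Reset-ChildAcls {
    Get-ChildItem -Path $Root -Recurse | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        $acl.SetAccessRuleProtection($false, $false)   # inherit from the parent again
        foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [void] $acl.RemoveAccessRule($old)
        }
        Set-Acl -Path $_.FullName -AclObject $acl
    }
}

# Step 3: the only explicit entries left are on the evaluation files themselves.
# The employee and the supervisor get Modify on that one file; InheritanceFlags
# None means cacls prints the entry with no OI/CI, exactly as on a file.
function Grant-EvaluationAccess {
    param([string] $File, [string[]] $Principals)
    $acl = Get-Acl -Path $File
    foreach ($p in $Principals) {
        $acl.AddAccessRule((New-AllowRule $p 'Modify' 'None'))
    }
    Set-Acl -Path $File -AclObject $acl
}

# Check: list every ACE with its inheritance state, so a stray ID entry on a file
# or a missing CI/OI flag on the root stands out (same information as cacls).
function Show-Acl {
    param([string] $Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags |
        Format-Table -AutoSize
}

Set-RootAcl
Reset-ChildAcls
Grant-EvaluationAccess -File "$Root\Dept1\chism.docx" -Principals 'FBCJ\chism', 'FBCJ\supervisor'
Show-Acl $Root
Show-Acl "$Root\Dept1\chism.docx"
```

Run it as a member of Domain Admins, and test on one department folder first as Gerald suggests. Two things to check afterwards: the share-level permission on \\servername\evaluations still applies on top of NTFS (the effective right is the more restrictive of the two, so the share itself must allow Change for saving to work at all), and if an application saves by writing a new file and renaming it over the original, the new file is created fresh and inherits the folder's ACL, which is the symptom reported earlier in the thread where chism's entry vanished after a save. Running Show-Acl on the file again after the first save confirms whether the explicit entry survived.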
