groupshare permissions question

Posted on 2011-10-28
Medium Priority
Last Modified: 2012-05-12
I received a request to re-configure public drives on our Windows Server 2008 and Windows Server 2003 file servers in such a manner that allows our group1 users the ability to create files and folders in the public drive and only allow that user (creator/owner) the ability to edit/delete the objects, while giving all of group1 users the ability to read.

I believe this was set up originally so that creator/owner had modify rights while group1 users had read only. I don't know if the permissions ever really worked, but recently users complained of problems with the configuration - group1 users were modifying files they did not create.

1. I need to know if this configuration is indeed possible.
2. If possible, is there a method of resetting the existing files and folders to re-apply the permissions as described above?

Thank you-

Question by:CCLProTech

Expert Comment

ID: 37049475
Yes, that is possible.

It may be some work though.

To clarify:
Group1 users can only read, and create new files and folders.
If John is in Group1 then he can also edit and delete any files that HE created. Other Group1 members can only read John's files.

On a folder, remove inheritance if extra permissions are propagating from a higher level.
Add Creator Owner as Modify.
Add Group1 and give them Read.
Set the folder Owner as John (if we are editing John's folder) and apply ownership to child objects.

Set those folders' permissions to apply to child folders and files. Inheritance should be active on the child folders.

This is assuming that your structure is that John has his folder and other contributors have their folders.  So you can reset Folders based on each user and set the user as the Owner

If you have 1 public folder and a mess of files in there, or there is no organization, then you should check the current Owner of each file and make sure that it is set to the person who made it.

For backup purposes I would also set some domain admin account as read at the top level(s).

Expert Comment

ID: 37049504
If you do have folders for each user then you should not allow inheritance on those folders, otherwise users can create files in John's folder for example.

Expert Comment

ID: 37049511
Sorry,  on the top folder you have to give Group1 a special permission.
Use the Advanced button to set these permissions.
Give Group1 Create Files / Write Data  and  Create Folders / Append Data
Author Comment

ID: 37050581
Currently all users do NOT have their own folder. Users created folders as needed and at least half of the data seems scattered about - it's a messy directory. If I understand correctly, I don't know how feasible it is to manage each person's folder. I probably have 400 users/folders that would need set manually, and anytime a new user is hired we'd have to manually set up a folder for that user and modify permissions so they're the owner.

I think I need to look for another solution. Any ideas?  

Expert Comment

ID: 37050608
If you check the current Owner on some folders and files, are they set to a specific user already?

You could write a script to get the owner, then script the task to reset the permissions based on the current owner and add Group1 as Read, then make the script process all the files and folders.

If the current Owner doesn't give you information then it's going to be difficult to fix the permissions, how to know who created a file?

Author Comment

ID: 37061816
The existing files seem to have the correct user listed as owner, but creator/owner is not listed in the ACL.

Any suggestions on script syntax to get the owner and reset permissions so group1 can read?  

Accepted Solution

chakko earned 1500 total points
ID: 37064544
Try this script. It's not pretty but should work. TEST first.
Save as a .vbs file and then edit any line with 'EDIT in it, use your info.
Before it tries to modify a file it will write to a log file. If it crashes then you can see where it crashed.
Delete or rename the log file before running the script again.
If inheritance is active then you may end up with extra permissions at places in subfolders.
There is a line in there for using takeown or subinacl for taking ownership. If a folder is blocked to your admin account then it will crash.
You should test some and decide which one you want to use (either takeown or subinacl). I found on some test folders that subinacl didn't seem like it would reset the permissions on a folder, so I tried the takeown program and that worked.

Good luck


Expert Comment

ID: 37064610
I just thought of something: when testing, make sure that after you reset a permission, group1 can still create a new file. You may have to set an inheritance at the root level for them to create/write file and create/write folder, or adjust the script to add that.
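
The approach described in this thread (set Group1 read plus create rights and a CREATOR OWNER Modify entry at the root, then give each existing item's current owner Modify), sketched in Windows PowerShell as an added example; it is not the .vbs script from the accepted answer, which is not reproduced on this page. `D:\Public`, `EXAMPLE\Group1`, the log path and the Administrators/SYSTEM full-control entries are assumptions, and the `GetAccessControl`/`SetAccessControl` calls assume Windows PowerShell on the .NET Framework.

```powershell
# Added example. $Root, $Group and $LogFile are placeholder values, not from the thread.
param(
    [string]$Root    = 'D:\Public',
    [string]$Group   = 'EXAMPLE\Group1',
    [string]$LogFile = 'C:\Temp\public-acl-reset.log',
    [switch]$Apply   # without -Apply the script only logs path and owner SID
)
$sidType = [System.Security.Principal.SecurityIdentifier]
$aceType = 'System.Security.AccessControl.FileSystemAccessRule'
$both    = 'ContainerInherit, ObjectInherit'
function New-Ace($who, $rights, $inherit, $propagate) {
    New-Object $aceType -ArgumentList $who, $rights, $inherit, $propagate, 'Allow'
}

# Root ACL: nothing inherited from above; everything below inherits from here.
$rootAcl = New-Object System.Security.AccessControl.DirectorySecurity
$rootAcl.SetAccessRuleProtection($true, $false)
@(
    (New-Ace 'BUILTIN\Administrators' 'FullControl' $both 'None'),   # assumption
    (New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' $both 'None'),   # assumption
    (New-Ace $Group 'Read' $both 'None'),
    # Create Files / Write Data and Create Folders / Append Data, folders only
    (New-Ace $Group 'CreateFiles, CreateDirectories' 'ContainerInherit' 'None'),
    # Applies to objects created from now on; replaced by the creator's SID
    (New-Ace 'CREATOR OWNER' 'Modify' $both 'InheritOnly')
) | ForEach-Object { $rootAcl.AddAccessRule($_) }
if ($Apply) { (Get-Item -LiteralPath $Root).SetAccessControl($rootAcl) }

# Existing items: CREATOR OWNER was never expanded for them, so grant the
# current owner Modify explicitly (this object only) and re-enable inheritance.
Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
    $item = $_
    try {
        # Read the owner as a SID so deleted accounts do not raise a lookup error
        $owner = $item.GetAccessControl('Owner').GetOwner($sidType)
        # Log before touching the item, so a failure shows where it stopped
        Add-Content -Path $LogFile -Value ("{0}`t{1}" -f $item.FullName, $owner.Value)
        if (-not $Apply) { return }
        $acl = $item.GetAccessControl('Access')
        $acl.SetAccessRuleProtection($false, $false)
        foreach ($old in $acl.GetAccessRules($true, $false, $sidType)) {
            $acl.RemoveAccessRuleSpecific($old)   # drop stale explicit entries
        }
        $acl.AddAccessRule((New-Ace $owner 'Modify' 'None' 'None'))
        $item.SetAccessControl($acl)
    } catch {
        Add-Content -Path $LogFile -Value ("FAILED`t{0}`t{1}" -f $item.FullName, $_)
    }
}
```

Run it without `-Apply` first and review the log: items owned by the Administrators group or by an unresolvable SID need a real owner assigned before the reset is meaningful.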

Question has a verified solution.