cpitzaferro
asked on
Shared Permissions in Server 2008
I have a server 2008 environment with a very complex permissions structure. My main level folder is called "shares". Within this folder there are many folders with different permissions. I have all the permissions set for all the folders within the "shares" giving people proper access to read/write. Even with the proper permissions set, my employees are able to move folders around at the "shares" level and are able to delete folders. I do not want anyone except admins to be able to move and delete any folders. Is this possible? Can this be done?
Thank you
Remember, NTFS permissions get combined with shared permissions. If they connect remotely, the most restricted combination will be applied. If they log in locally to that server, they get the most open combination. Isn't that the case for you?
So, to test: under a shared folder, give a test user Full Control.
Under the same share, create a folder or file, right-click -> Properties > Security and set up "read-only" for the same user. The result should be "read-only" access for that particular user.
If you see oddities in your environment, download SolarWinds Permission Analyzer; it tells you what group membership or inherited setting grants access to a user.
You can also check the effective permissions on the folder for a specific user to see what rights he/she has on the folder. Right-click, Properties, Security tab, Advanced button, Effective Permissions tab, and then click on Select... Choose your user, click OK, and you will see what the permissions are. It's an easy way to see the rights for a specific user or group.
ASKER
Thanks for your feedback and help.
I want users to be able to have full control over the contents of the folder. I don't want them to be able to delete the files in the folder, the folder itself, or move folders to different locations on the network. Is something like this possible?
Typically you would grant full access to everyone at the share level and then manage permissions using NTFS. The main folder which is shared should have read-only access for all users except admins, and then subfolders would have modify access. This would mean that they couldn't create any new folders at the top level but they would still be able to delete existing folders. At some point you need to give users write access and then you do run the risk of them deleting things. That's why you should have a backup as well.
Chris
The way I would do this is the NTFS permissions (Security tab) on the Share Folder:
Domain Admins & Administrators: Full Control
Domain Users, Users & any other security group you have: I would give List permissions. (This will let them list all folders under the Share Folder.)
Now for permissions for the individual folders, go to the NTFS permissions and Advanced; you will want to uncheck "Include inheritable permissions".
Now you will be able to remove accounts that do not have access to the folder and add ones that do need access. Then you will want to give them modify rights. This will allow them to add and remove items inside the folder but not the ability to delete the root folder.
The way I have my file servers set up is that I create 2 security groups for each folder. So let's say we have a Share Folder called Human Resources. I would create the following two security groups:
[servername/abbreviation]_HumanResources_Modify
[servername/abbreviation]_HumanResources_Read
And then I would do the above: remove inheritance, add the groups and set the correct permissions for each group. The reason I always put the server name first is that it identifies where the share is located. I create a read and a modify group because I always have people who need different access to the folders. After that is completed you just need to add the people to the right security groups.
The initial deployment of this does take a while, but in the end it makes manageability of shares much easier.
Also, with 2008, Access Based Enumeration is installed, so you can map people to the root share and they will only see the folders that they have access to.
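The layout described in this answer and the earlier one (admins Full Control and users list-only on the share root, inheritance removed on each folder, one Modify and one Read group), scripted in PowerShell as an added example that is not the poster's own code. `D:\shares`, the `CONTOSO` domain and the `FS01` prefix are assumed names, and scoping Modify to subfolders and files only is a choice made here so that the Modify group holds no Delete right on the department folder itself.

```powershell
# Added example; run elevated on the file server.
# D:\shares, CONTOSO and the FS01 prefix are assumed names.
$root   = 'D:\shares'
$folder = Join-Path $root 'HumanResources'
$admins = 'BUILTIN\Administrators', 'CONTOSO\Domain Admins'
$all    = 'ContainerInherit, ObjectInherit'   # this folder, subfolders and files

function New-Rule($identity, $rights, $inherit, $propagate) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $identity, $rights, $inherit, $propagate, 'Allow'
}

function Set-FolderAcl($path, $rules) {
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting; discard inherited entries
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }   # drop old explicit entries
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl
}

# Share root: admins Full Control; users can list this folder only, so they hold
# neither Delete on the top-level folders nor "Delete subfolders and files" here.
$rootRules  = @($admins | ForEach-Object { New-Rule $_ 'FullControl' $all 'None' })
$rootRules += New-Rule 'CONTOSO\Domain Users' 'ReadAndExecute' 'None' 'None'
Set-FolderAcl $root $rootRules

# Department folder: Modify carries Delete on whatever it applies to, so it is scoped
# to "subfolders and files only"; the folder itself gets Read & Execute plus Write.
$modify = 'CONTOSO\FS01_HumanResources_Modify'
$read   = 'CONTOSO\FS01_HumanResources_Read'
$rules  = @($admins | ForEach-Object { New-Rule $_ 'FullControl' $all 'None' })
$rules += New-Rule $modify 'ReadAndExecute, Write' 'None' 'None'
$rules += New-Rule $modify 'Modify' $all 'InheritOnly'
$rules += New-Rule $read 'ReadAndExecute' $all 'None'
Set-FolderAcl $folder $rules

# Review the resulting entries and their scope.
(Get-Acl $folder).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Renaming or moving a folder needs Delete on that folder or "Delete subfolders and files" on its parent; with these entries the Modify group has neither for the department folder, while keeping Modify on everything inside it.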
ASKER
thanks this completed