  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 125
  • Last Modified:

Shared Permissions in Server 2008

I have a Server 2008 environment with a very complex permissions structure. My main level folder is called "shares". Within this folder there are many folders with different permissions. I have all the permissions set for all the folders within "shares", giving people proper access to read/write. Even with the proper permissions set, my employees are able to move folders around at the "shares" level and are able to delete folders. I do not want anyone except admins to be able to move and delete any folders. Is this possible? Can this be done?

Thank you
0
Asked by: cpitzaferro
3 Solutions
 
akhalighi Commented:
Remember, NTFS permissions get combined with shared permissions. If they connect remotely, the most restricted combination will be applied. If they log in locally to that server, they get the most open combination. Isn't that the case for you?
0
 
akhalighi Commented:
So, to test: under a shared folder, give a test user full control.
Under the same share, create a folder or file, right click -> Properties > Security and set up "read-only" for the same user. The result should be "read-only" access for that particular user.

If you see oddities in your environment, download SolarWinds Permission Analyzer; it tells you what group membership or inherited setting grants access to a user.
0
 
Frederic Sune, CEO, IT in MIND inc. Commented:
You can also check the effective permissions on the folder for a specific user to see what rights he/she has on the folder. Right click, Properties, Security tab, Advanced button, Effective Permissions tab and then click on Select... Choose your user, click OK and you will see what the permissions are. It's an easy way to see the rights for a specific user or group.
0
 
cpitzaferro (Author) Commented:
Thanks for your feedback and help.

I want users to be able to have full control over the contents of the folder. I don't want them to be able to delete the files in the folder, the folder itself or move folders to different locations on the network. Is something like this possible?
0
 
Chris_PCSG Commented:
Typically you would grant full access to everyone at the share level and then manage permissions using NTFS. The main folder which is shared should have read-only access for all users except admins and then subfolders would have modify access. This would mean that they couldn't create any new folders at the top level but they would still be able to delete existing folders. At some point you need to give users write access and then you do run the risk of them deleting things. That's why you should have a backup as well.

Chris
0
 
pnrhait Commented:
The way I would do this is with the NTFS permissions (Security tab) on the Share Folder:
Domain Admins & Administrators: Full Control
Domain Users, Users & any other security group you have: I would give List permissions. (This will let them list all folders under the Share Folder.)

Now for permissions for the individual folders, go to the NTFS permissions and Advanced; you will want to uncheck "Include inheritable permissions".

Now you will be able to remove accounts that do not have access to the folder and add ones that do need access. Then you will want to give them modify rights. This will allow them to add and remove items inside the folder but not the ability to delete the root folder.
0
 
cpitzaferro (Author) Commented:
I was able to take away the permission to delete subfolders and files and to delete, but it seems that I have to do this for every folder. Is that correct? I do not have permissions inheriting because we have so many levels of shared files. Is there a way to set this up on a domain level for the security of each security group in AD?

Thanks for your help
0
 
Chris_PCSG Commented:
Yes, if you remove inheritance then you have to set permissions on every folder.  You could do it with a batch file perhaps.
I don't understand your question about security groups - the whole point of security groups is to allow groups of users access to particular folders/files.
0
 
pnrhait Commented:
The way I have my file servers set up is that I create 2 security groups for each folder. So let's say we have a Share Folder called Human Resources. I would create the following two security groups:

[servername/abbreviation]_HumanResources_Modify
[servername/abbreviation]_HumanResources_Read

and then I would do the above: remove inheritance, add the groups and set the correct permissions for each group. The reason I always put the server name first is that it identifies where the share is located. I create a read and a modify group because I always have people who need different access to the folders. After that is completed you just need to add the people to the right security groups.

The initial deployment of this does take a while but in the end it makes manageability of shares much easier.

Also with 2008 Access Based Enumeration is installed so you can map people to the root share and they will only see the folders that they have access to.
0
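One way to script the batch approach and the per-folder Modify/Read group scheme suggested in the comments above, as an added example that is not code from any poster in this thread. The share path, domain name and server prefix are placeholders, the security groups are assumed to exist already, and splitting the Modify group's access into a folder-only ACE and an inherit-only ACE is this example's own choice for keeping the Delete right off each top-level folder.

```powershell
# Added example: path, domain and prefix are placeholders, not values from the thread.
param(
    [string]$ShareRoot = 'D:\Shares',   # assumed location of the "shares" folder
    [string]$Domain    = 'CONTOSO',     # placeholder domain name
    [string]$Prefix    = 'FS01',        # placeholder server abbreviation
    [switch]$Apply                      # without -Apply, commands are only printed
)

$admins = '*S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$system = '*S-1-5-18'       # NT AUTHORITY\SYSTEM (well-known SID)

function Get-IcaclsPlan {
    param([string]$Folder)
    # Group names follow the <server>_<Folder>_Modify / _Read scheme; spaces are dropped.
    $name   = (Split-Path $Folder -Leaf) -replace '\s', ''
    $modify = "$Domain\${Prefix}_${name}_Modify"
    $read   = "$Domain\${Prefix}_${name}_Read"
    # Each inner array is the argument list of one icacls invocation, in order.
    return @(
        # Drop inherited ACEs and grant admins and SYSTEM full control explicitly.
        @($Folder, '/inheritance:r', '/grant:r', "${admins}:(OI)(CI)F", "${system}:(OI)(CI)F"),
        # On the folder itself: read, create files, create folders. No Delete right,
        # so Modify-group members cannot delete, rename or move the folder.
        @($Folder, '/grant:r', "${modify}:(RX,WD,AD)"),
        # Inherit-only Modify for everything below the folder.
        @($Folder, '/grant', "${modify}:(OI)(CI)(IO)M"),
        @($Folder, '/grant:r', "${read}:(OI)(CI)RX")
    )
}

# Share root: admins full control, Domain Users may only list this one folder.
$plan = ,@($ShareRoot, '/inheritance:r', '/grant:r', "${admins}:(OI)(CI)F",
           "${system}:(OI)(CI)F", "$Domain\Domain Users:(RX)")
$dirs = Get-ChildItem $ShareRoot | Where-Object { $_.PSIsContainer }
foreach ($dir in $dirs) { $plan += Get-IcaclsPlan $dir.FullName }

foreach ($cmd in $plan) {
    if ($Apply) { & icacls.exe $cmd }
    else        { Write-Output ('icacls ' + ($cmd -join ' ')) }
}
```

The script only touches the first level under the share root and leaves existing explicit ACEs for other accounts in place, so deeper folders with inheritance disabled still need their own pass. The Effective Permissions tab mentioned earlier in the thread is a quick way to confirm the result for a test user.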
 
cpitzaferro (Author) Commented:
Thanks.
0
 
cpitzaferro (Author) Commented:
Thanks, this completed.
0
