Windows 2008: Sharing and NTFS Permission

Hi,
I have an enterprise network as follows:
- Domain Controller: Windows Server 2008
- File Server called “bobafilesrv”: Windows Server 2008
There are some folders to be shared. The folders are located on bobafilesrv. The folders are as follows:
1)      C:\Accounting\Payable (The share drive is “M:”)
2)      C:\Accounting\Receivable (The share drive is “R:”)
3)      C:\Accounting\Tax (The share drive is “T:”)
4)      C:\Accounting\Payroll (The share drive is “W:”)
5)      C:\Public (The share drive is “P:”)

The users and the GOAL:
1)      Jblack will get M:, R:, T:, W: and P:
2)      Jwhite will get M:, W: and P:
3)      Kbrown will get R: & T:
4)      Kgreen will get M: & P:

The things that I did:

I)      For ACCOUNTING folder
1)      SHARING permission:
•      Authenticated Users get “Full Control”
•      jblack gets “Full Control”
2)      NTFS permission:
•      jblack gets “Full Control”
•      Authenticated Users get “Special Permission” [a1) Create Folder/Append Data for This folder only, a2) List Folder/Read Data for This folder only, a3) Read Attributes for This folder only, a4) Traverse Folder/Execute File for This folder only]

II)      For PAYABLE folder
1)      SHARING permission:
•      Authenticated Users get “Full Control”
•      Jblack gets “Full control”
•      Jwhite gets “Full Control”
•      Kgreen gets “Full Control”
2)      NTFS permission:
•      Jblack gets “Full Control”
•      Jwhite gets “Full Control”
•      Kgreen gets “Full Control”
•      Note: I removed “Authenticated Users” from this NTFS permission

III)      For  RECEIVABLE  folder
1)      Sharing Permission:
•      Authenticated Users get “Full Control”
•      Jblack gets “Full control”
•      Kbrown gets “Full control”

2)      NTFS Permission:
•      Jblack gets “Full Control”
•      Kbrown  also gets “Full Control”

IV)      For TAX Folder
1)      Sharing Permission
•      Jblack gets “Full Control”
•      Kbrown gets “Full Control”
2)      NTFS Permission
•      Jblack gets “Full Control”
•      Kbrown gets “Full Control”

V)      For PAYROLL folder
1)      Sharing Permission
•      Jblack gets “Full Control”
•      Jwhite gets “Full control”
2)      NTFS Permission
•      Jblack gets “Full Control”
•      Jwhite gets “Full Control”

VI)      For PUBLIC folder
1)      Sharing Permission
•      Authenticated Users get “Full Control”
2)      NTFS Permission
•      Authenticated Users get “Full Control”

The results that I get are as follows:
1)      When I log in as “jblack”, I can access ALL the folders (ACCOUNTING, PAYABLE, RECEIVABLE, TAX, PAYROLL and PUBLIC) (Result: This is good, as per the Goal)
2)      When I log in as “jwhite”, it is the same: I am able to access all the folders (Result: Wrong; not as per the Goal)
3)      When I log in as “kbrown”, I can also access all the folders (Result: Wrong)
4)      When I log in as “kgreen”, I can also access all the folders (Result: Wrong)

I need help from the experts so I can achieve the Goal.

Thanks,
tjie
 
Sandeshdubey, Senior Server Engineer, commented:
You have not set the permissions correctly. On the folders' (Payable, Receivable, etc.) share permissions, add Everyone with read-only permission and the domain admin group with full permission, and then in the NTFS permissions add the required user with full permission and deny access to other users if required.

E.g. Kbrown requires R: & T:. So on the share permissions of the Receivable & Tax folders, Everyone will have read permission and domain admin has full control. In the NTFS security permissions (Receivable & Tax folders), add the user with full control.

But now the user has read access to the other folders (Payable, Payroll, etc.). If you want to deny that, just add the user with deny read permission in NTFS on those folders (Payable, Payroll, Public).

Shared Folder and NTFS Permissions
http://www.techexams.net/technotes/70290/permissions.shtml
http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml
http://technet.microsoft.com/en-us/library/cc754178.aspx

Hope this helps
 
djsharma, Technical Consultant, commented:
Give change and read permissions in sharing for your users.
According to your requirements, give NTFS permissions to the particular user.
http://technet.microsoft.com/en-us/library/cc754178.aspx
http://technet.microsoft.com/en-us/library/cc771309.aspx
 
Satish Auti, Senior System Administrator, commented:
Hi,

For a better understanding of share & NTFS permissions, follow the link below, which includes screenshots.

http://msmvps.com/blogs/acefekay/archive/2011/02/04/share-permissions-and-ntfs-permissions-folder-access-control-amp-folder-permissions.aspx
 
Radhakrishnan R, Senior Technical Lead, commented:
Hi,

I always share the folder and add Everyone with full control, then go to Security and add the appropriate users who need access to this folder.
 
Sandeshdubey, Senior Server Engineer, commented:
Just forgot to mention: on the share permission, give read and change only; full control is not required. If the share has read-only permission for Everyone, then users can browse the folder but cannot create or modify folders/files.
 
rindi commented:
Apart from what has been mentioned above, always use groups when you give NTFS permissions, and then add the necessary users to those groups. Never give or revoke permissions to actual users. It is much easier to keep track of and manage groups than to do the same with users. Even though at the moment it might seem logical to use users, in the long run using groups is much simpler (users come and go, groups usually stay).
 
Leon Fester, Senior Solutions Architect, commented:
Your problem lies with the "Authenticated Users get “Full Control”" permission.

What is an authenticated user? Any user who has successfully been validated during a logon procedure... which would be any user who logged onto the network.

Especially on the C:\accounting folder... if you've got permissions being inherited, then the permissions on this folder will be carried through to the rest of the folders higher in the hierarchy.
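
An added example, not part of any poster's reply: a PowerShell check, run on the file server, that lists every NTFS ACE on the folders from the question and marks the ones granted to a broad principal or inherited from a parent, the two causes raised in the answers above. The folder paths are the ones in the question; the list of broad principals is an assumption, and share permissions are not covered.

```powershell
# Added example (not from the thread). Run on bobafilesrv in an elevated session.
# Folder paths are the ones listed in the question.
$folders = @(
    'C:\Accounting',
    'C:\Accounting\Payable',
    'C:\Accounting\Receivable',
    'C:\Accounting\Tax',
    'C:\Accounting\Payroll',
    'C:\Public'
)

# Assumption: principals that include every logged-on domain user.
$broad = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

# One row per access control entry (ACE) on each folder.
$report = foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        New-Object PSObject -Property @{
            Folder    = $folder
            Identity  = $id
            Type      = $ace.AccessControlType   # Allow or Deny
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited         # True = comes from a parent folder
            Broad     = ($broad -contains $id)
        }
    }
}

# Full listing of explicit and inherited ACEs.
$report | Format-Table Folder, Identity, Type, Rights, Inherited, Broad -AutoSize

# Allow ACEs to review on the restricted folders: granted to a broad
# principal, or inherited from a parent rather than set on the folder itself.
$report |
    Where-Object {
        $_.Folder -ne 'C:\Public' -and
        $_.Type -eq 'Allow' -and
        ($_.Broad -or $_.Inherited)
    } |
    Format-Table Folder, Identity, Rights, Inherited -AutoSize
```

Removing an explicit entry in the Security tab does not remove an inherited one; rows with Inherited = True have to be changed on the parent folder or by disabling inheritance on the folder itself.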
Question has a verified solution.
