Solved

Windows 2008: Sharing and NTFS Permission

Posted on 2012-09-15
Last Modified: 2012-09-18
Hi,
I have an enterprise network as follows:
- Domain Controller: Windows Server 2008
- File Server called “bobafilesrv”: Windows Server 2008
There are some folders to be shared. The folders are located on bobafilesrv. The folders are as follows:
1)      C:\Accounting\Payable (The share drive is “M:”)
2)      C:\Accounting\Receivable (The share drive is “R:”)
3)      C:\Accounting\Tax (The share drive is “T:”)
4)      C:\Accounting\Payroll (The share drive is “W:”)
5)      C:\Public (The share drive is “P:”)

The users and the GOAL:
1)      Jblack will get M:, R:, T:, W: and P:
2)      Jwhite will get M:, W: and P:
3)      Kbrown will get R: & T:
4)      Kgreen will get M: & P:

The things that I did:

I)      For ACCOUNTING folder
1)      SHARING permission:
•      Authenticated Users get “Full Control”
•      jblack gets “Full Control”
2)      NTFS permission:
•      jblack gets “Full Control”
•      Authenticated users get “Special Permission” [a1) Create Folder/Append Data for This folder only, a2) List Folder/Read Data for This folder only, a3) Read Attributes for This folder only, a4) Traverse Folder/Execute file for This folder only]

II)      For PAYABLE folder
1)      SHARING permission:
•      Authenticated Users get “Full Control”
•      Jblack gets “Full control”
•      Jwhite gets “Full Control”
•      Kgreen gets “Full Control”
2)      NTFS permission:
•      Jblack gets “Full Control”
•      Jwhite gets “Full Control”
•      Kgreen gets “Full Control”
•      Note: I removed “Authenticated Users” from this NTFS permission

III)      For  RECEIVABLE  folder
1)      Sharing Permission:
•      Authenticated users get “Full Control”
•      Jblack gets “Full control”
•      Kbrown gets “Full control”

2)      NTFS Permission:
•      Jblack gets “Full Control”
•      Kbrown  also gets “Full Control”

IV)      For TAX Folder
1)      Sharing Permission
•      Jblack gets “Full Control”
•      Kbrown gets “Full Control”
2)      NTFS Permission
•      Jblack gets “Full Control”
•      Kbrown gets “Full Control”

V)      For PAYROLL folder
1)      Sharing Permission
•      Jblack gets “Full Control”
•      Jwhite gets “Full control”
2)      NTFS Permission
•      Jblack gets “Full Control”
•      Jwhite gets “Full Control”

VI)      For PUBLIC folder
1)      Sharing Permission
•      Authenticated Users get “Full Control”
2)      NTFS Permission
•      Authenticated Users get “Full Control”

The results that I get are as follows:
1)      When I log in as “jblack”, I can access ALL the folders (ACCOUNTING, PAYABLE, RECEIVABLE, TAX, PAYROLL and PUBLIC) (Result: This is good as the Goal)
2)      When I log in as “jwhite”, it is the same: I am able to access all the folders (Result: Wrong; not as the Goal)
3)      When I log in as “kbrown”, I also can access all the folders (Result: Wrong)
4)      When I log in as “kgreen”, I also can access all the folders (Result: Wrong)

I need help from the experts so I can achieve the Goal.

Thanks,
tjie
Question by: tjie
LVL 9

Expert Comment

by:djsharma
ID: 38402577
Give Change and Read permissions on the share for your users.
Give NTFS permissions to the particular users according to your requirement.
http://technet.microsoft.com/en-us/library/cc754178.aspx
http://technet.microsoft.com/en-us/library/cc771309.aspx
0
 
LVL 12

Assisted Solution

by:Satish Auti
Satish Auti earned 300 total points
ID: 38402656
Hi,

For a better understanding of share and NTFS permissions, follow the link below, which includes screenshots.

http://msmvps.com/blogs/acefekay/archive/2011/02/04/share-permissions-and-ntfs-permissions-folder-access-control-amp-folder-permissions.aspx
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 1400 total points
ID: 38402704
You have not set the permissions correctly. On the folders (Payable, Receivable, etc.), in the share permissions add Everyone with read-only permission and the domain admin group with full permission, and then in the NTFS permissions add the required user with full permission and deny access to other users if required.

E.g., Kbrown requires R: & T:. So in the share permissions of the Receivable & Tax folders, Everyone will have read permission and domain admin has full control. In the NTFS security permissions (Receivable & Tax folders), add the user with full control.

But now the user has read access to the other folders (Payable, Payroll, etc.). If you want to deny that, just add the user with deny read permission in NTFS on (Payable, Payroll, Public).

Shared Folder and NTFS Permissions
http://www.techexams.net/technotes/70290/permissions.shtml
http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml
http://technet.microsoft.com/en-us/library/cc754178.aspx

Hope this helps
0

 
LVL 24

Expert Comment

by:Radhakrishnan R
ID: 38402750
Hi,

I always share the folder and add Everyone with full control, then go to Security and add the appropriate users who need access to this folder.
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 1400 total points
ID: 38402787
I just forgot to mention: on the share permission, give read and change only; full control is not required. If the share has read-only permission for Everyone, then users can browse the folder but cannot create or modify folders/files.
0
 
LVL 88

Assisted Solution

by:rindi
rindi earned 300 total points
ID: 38403007
Apart from what has been mentioned above, always use groups when you give NTFS permissions, and then add the necessary users to those groups. Never give or revoke permissions to actual users. It is much easier to keep track of and manage groups than to do the same with users. Even though at the moment it might seem logical to use users, in the long run using groups is much simpler (users come and go, groups usually stay).
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38405256
Your problem lies with the  "Authenticated Users get “Full Control”" permission.

What is an authenticated user? Any user who has successfully been validated during a logon procedure...which would be any user who logged onto the network.

Especially on the C:\accounting folder...if you've got permissions being inherited then the permissions on this folder will be carried through to the rest of the folders higher in the hierarchy.
0
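The rule the answers above rely on (over the network a user ends up with the more restrictive of the share and NTFS permissions, and allow entries add up across group memberships), worked through for the folders and users in the question. This is an added example, not code from any poster; the GG-* group names and the inherited-ACE scenario are assumptions, and deny ACEs and special permissions are not modelled.

```python
"""Simplified model of share + NTFS evaluation for the question's folders."""
LEVEL = {"Read": 1, "Change": 2, "Modify": 2, "Full": 3}
AUTH = "Authenticated Users"

# Goal matrix from the question (drive letters replaced by folder names).
GOAL = {
    "jblack": {"Payable", "Receivable", "Tax", "Payroll", "Public"},
    "jwhite": {"Payable", "Payroll", "Public"},
    "kbrown": {"Receivable", "Tax"},
    "kgreen": {"Payable", "Public"},
}
FOLDERS = sorted(set().union(*GOAL.values()))

def principals(user):
    """Identities a user's token carries: the account itself, Authenticated
    Users, and one hypothetical GG-<folder> group per folder in the goal."""
    return {user, AUTH} | {f"GG-{f}" for f in GOAL[user]}

def best(acl, user):
    """Allow ACEs are cumulative: highest level granted to any principal."""
    who = principals(user)
    return max((LEVEL[lvl] for p, lvl in acl.items() if p in who), default=0)

def reachable(share, ntfs):
    """Folders each user can open: min(share level, NTFS level) > 0."""
    return {u: {f for f in FOLDERS
                if min(best(share[f], u), best(ntfs[f], u)) > 0}
            for u in GOAL}

# Share ACL: broad, capped at Change, as suggested in the answers.
SHARE = {f: {AUTH: "Change"} for f in FOLDERS}
# NTFS ACL: one group per folder, nothing inherited from the parent.
NTFS_GROUPS = {f: {f"GG-{f}": "Modify"} for f in FOLDERS}
# Assumed scenario: the same ACLs plus an Authenticated Users ACE
# inherited from a parent folder.
NTFS_INHERITED = {f: {**acl, AUTH: "Full"} for f, acl in NTFS_GROUPS.items()}

if __name__ == "__main__":
    for name, ntfs in (("groups only", NTFS_GROUPS),
                       ("inherited ACE", NTFS_INHERITED)):
        print(name)
        for user, folders in reachable(SHARE, ntfs).items():
            ok = folders == GOAL[user]
            print(f"  {user}: {sorted(folders)}  goal met: {ok}")
```

With only the per-folder groups on the NTFS ACLs the result matches the goal; with a broad Authenticated Users entry also present on the NTFS side, every user reaches every folder, because the share permission no longer limits who gets in.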
