Solved

Share Permissions

Posted on 2013-06-11
8
429 Views
Last Modified: 2013-06-11
I have a share that usable by everyone.  I have a group called everyone_no Adminstrator.  I am having and issue with users creating folders on this share.  I don't want that.  My idea was to make the everyone_no Administrator group read only on the share, however, is this going to stop users from creating files and posting files to the other shares if the NTFS permission allow it?  I know that windows takes the most restrictive - however shouldn't NTFS override that share?
0
Comment
Question by:WellingtonIS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
8 Comments
 
LVL 3

Expert Comment

by:Hir0
ID: 39237664
There are two kinds of permissions involved in any shared folder - those on the actual share and those imposed by the underlying file system.  These permissions are subttractive.  This means the most restrictive permissions will win.
 Windows SBS 2011 MS Press

Generally speaking you should pick either NTFS or Share permissions to control file access and stick with one or the other.  I recommend setting share permissions to Full control for authenticated users and using a combination of NTFS and groups to manage access.
0
 
LVL 1

Expert Comment

by:marcocerruti
ID: 39237677
Hi!
If you make the users member of the "Everyone_no Administrator" group and you give the group the Read permission only on the share, they should not be able to create anything, even if the NTFS permissions allows it.
However you might have some different behavior if the users are members also of another group to which you gave more permissions on the share.

CHeck this document and test before applying.
http://technet.microsoft.com/en-us/library/cc770962.aspx

Effective Permissions Tool
http://technet.microsoft.com/en-us/library/cc756795(v=ws.10).aspx

I hope it helps!
0
 

Author Comment

by:WellingtonIS
ID: 39237685
I do understand that however, I need to find a way to prevent my users from creating folders on the share... Is that even possible?
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 

Author Comment

by:WellingtonIS
ID: 39237856
Stupid question... The security tap on the share...  Isn't that controlling the permissions on the share?  If I deny write/create files for everyone_no administrator won't that solve my issue?
0
 
LVL 1

Accepted Solution

by:
marcocerruti earned 250 total points
ID: 39237874
Ok, on the folder you have 2 tabs:
- Sharing and Security

Security, defines NTFS permissions
Sharing, controls the Sharing of the folder and the Sharing permissions

The Sharing permissions only kick in if you access the folder through the network. NTFS permissions are defined on the volume if it has been formatted using NTFS.

Now, When you set the sharing permissions, it's like an "entrance" permission on the folder, so if you set "Read" for a user, that user, no matter what NTFS permission it has, cannot do anything else but Read.

However, if you set "Change" or "Full Control" on the Share permission, you can restrict on the NTFS later.

So the ultimate result depends on the combination of Share and NTFS permissions, and the application of these permissions on Users, Groups and ultimately the membership of the users.
0
 
LVL 3

Assisted Solution

by:Hir0
Hir0 earned 250 total points
ID: 39237892
Sounds like you want to control the directory structure.  With NTFS  If they can create files then they can create folders.  You should set the share permissions to full control for authenticated users and then set the NTfs permissions for the everyone_no_adminitrator group to modify, go into advanced permissions  for the group and uncheck delete and check delete sub folders and files.  Do this for all top level folders in the root of share.  This way users can see the directory tree but they can't write files or folders to the root, only inside the folders sub folders.
0
 

Author Comment

by:WellingtonIS
ID: 39237996
Thanks guys.  I'm going to "play" with it and hopefully I'll get my result.  I'm going to give the everyone_no administrator read and change and I'll take care of the rest via NTFS on the security tab.  Maybe, just maybe I'll get my result.
0
 

Author Closing Comment

by:WellingtonIS
ID: 39238250
Thanks guys I figured it out and it works the way I want it to.
0

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question