Solved

Share Permissions

Posted on 2013-06-11
8
428 Views
Last Modified: 2013-06-11
I have a share that usable by everyone.  I have a group called everyone_no Adminstrator.  I am having and issue with users creating folders on this share.  I don't want that.  My idea was to make the everyone_no Administrator group read only on the share, however, is this going to stop users from creating files and posting files to the other shares if the NTFS permission allow it?  I know that windows takes the most restrictive - however shouldn't NTFS override that share?
0
Comment
Question by:WellingtonIS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
8 Comments
 
LVL 3

Expert Comment

by:Hir0
ID: 39237664
There are two kinds of permissions involved in any shared folder - those on the actual share and those imposed by the underlying file system.  These permissions are subttractive.  This means the most restrictive permissions will win.
 Windows SBS 2011 MS Press

Generally speaking you should pick either NTFS or Share permissions to control file access and stick with one or the other.  I recommend setting share permissions to Full control for authenticated users and using a combination of NTFS and groups to manage access.
0
 
LVL 1

Expert Comment

by:marcocerruti
ID: 39237677
Hi!
If you make the users member of the "Everyone_no Administrator" group and you give the group the Read permission only on the share, they should not be able to create anything, even if the NTFS permissions allows it.
However you might have some different behavior if the users are members also of another group to which you gave more permissions on the share.

CHeck this document and test before applying.
http://technet.microsoft.com/en-us/library/cc770962.aspx

Effective Permissions Tool
http://technet.microsoft.com/en-us/library/cc756795(v=ws.10).aspx

I hope it helps!
0
 

Author Comment

by:WellingtonIS
ID: 39237685
I do understand that however, I need to find a way to prevent my users from creating folders on the share... Is that even possible?
0
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

 

Author Comment

by:WellingtonIS
ID: 39237856
Stupid question... The security tap on the share...  Isn't that controlling the permissions on the share?  If I deny write/create files for everyone_no administrator won't that solve my issue?
0
 
LVL 1

Accepted Solution

by:
marcocerruti earned 250 total points
ID: 39237874
Ok, on the folder you have 2 tabs:
- Sharing and Security

Security, defines NTFS permissions
Sharing, controls the Sharing of the folder and the Sharing permissions

The Sharing permissions only kick in if you access the folder through the network. NTFS permissions are defined on the volume if it has been formatted using NTFS.

Now, When you set the sharing permissions, it's like an "entrance" permission on the folder, so if you set "Read" for a user, that user, no matter what NTFS permission it has, cannot do anything else but Read.

However, if you set "Change" or "Full Control" on the Share permission, you can restrict on the NTFS later.

So the ultimate result depends on the combination of Share and NTFS permissions, and the application of these permissions on Users, Groups and ultimately the membership of the users.
0
 
LVL 3

Assisted Solution

by:Hir0
Hir0 earned 250 total points
ID: 39237892
Sounds like you want to control the directory structure.  With NTFS  If they can create files then they can create folders.  You should set the share permissions to full control for authenticated users and then set the NTfs permissions for the everyone_no_adminitrator group to modify, go into advanced permissions  for the group and uncheck delete and check delete sub folders and files.  Do this for all top level folders in the root of share.  This way users can see the directory tree but they can't write files or folders to the root, only inside the folders sub folders.
0
 

Author Comment

by:WellingtonIS
ID: 39237996
Thanks guys.  I'm going to "play" with it and hopefully I'll get my result.  I'm going to give the everyone_no administrator read and change and I'll take care of the rest via NTFS on the security tab.  Maybe, just maybe I'll get my result.
0
 

Author Closing Comment

by:WellingtonIS
ID: 39238250
Thanks guys I figured it out and it works the way I want it to.
0

Featured Post

Enroll in May's Course of the Month

May’s Course of the Month is now available! Experts Exchange’s Premium Members and Team Accounts have access to a complimentary course each month as part of their membership—an extra way to increase training and boost professional development.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was asked if I could set up a fax machine so that incoming faxes were delivered to people's Exchange inboxes and so that they could send faxes from their desktops without needing to print the document first.  I knew it was possible but I had no id…
I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question