Share Permissions

I have a share that usable by everyone.  I have a group called everyone_no Adminstrator.  I am having and issue with users creating folders on this share.  I don't want that.  My idea was to make the everyone_no Administrator group read only on the share, however, is this going to stop users from creating files and posting files to the other shares if the NTFS permission allow it?  I know that windows takes the most restrictive - however shouldn't NTFS override that share?
WellingtonISAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hir0Commented:
There are two kinds of permissions involved in any shared folder - those on the actual share and those imposed by the underlying file system.  These permissions are subttractive.  This means the most restrictive permissions will win.
 Windows SBS 2011 MS Press

Generally speaking you should pick either NTFS or Share permissions to control file access and stick with one or the other.  I recommend setting share permissions to Full control for authenticated users and using a combination of NTFS and groups to manage access.
0
marcocerrutiCommented:
Hi!
If you make the users member of the "Everyone_no Administrator" group and you give the group the Read permission only on the share, they should not be able to create anything, even if the NTFS permissions allows it.
However you might have some different behavior if the users are members also of another group to which you gave more permissions on the share.

CHeck this document and test before applying.
http://technet.microsoft.com/en-us/library/cc770962.aspx

Effective Permissions Tool
http://technet.microsoft.com/en-us/library/cc756795(v=ws.10).aspx

I hope it helps!
0
WellingtonISAuthor Commented:
I do understand that however, I need to find a way to prevent my users from creating folders on the share... Is that even possible?
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

WellingtonISAuthor Commented:
Stupid question... The security tap on the share...  Isn't that controlling the permissions on the share?  If I deny write/create files for everyone_no administrator won't that solve my issue?
0
marcocerrutiCommented:
Ok, on the folder you have 2 tabs:
- Sharing and Security

Security, defines NTFS permissions
Sharing, controls the Sharing of the folder and the Sharing permissions

The Sharing permissions only kick in if you access the folder through the network. NTFS permissions are defined on the volume if it has been formatted using NTFS.

Now, When you set the sharing permissions, it's like an "entrance" permission on the folder, so if you set "Read" for a user, that user, no matter what NTFS permission it has, cannot do anything else but Read.

However, if you set "Change" or "Full Control" on the Share permission, you can restrict on the NTFS later.

So the ultimate result depends on the combination of Share and NTFS permissions, and the application of these permissions on Users, Groups and ultimately the membership of the users.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Hir0Commented:
Sounds like you want to control the directory structure.  With NTFS  If they can create files then they can create folders.  You should set the share permissions to full control for authenticated users and then set the NTfs permissions for the everyone_no_adminitrator group to modify, go into advanced permissions  for the group and uncheck delete and check delete sub folders and files.  Do this for all top level folders in the root of share.  This way users can see the directory tree but they can't write files or folders to the root, only inside the folders sub folders.
0
WellingtonISAuthor Commented:
Thanks guys.  I'm going to "play" with it and hopefully I'll get my result.  I'm going to give the everyone_no administrator read and change and I'll take care of the rest via NTFS on the security tab.  Maybe, just maybe I'll get my result.
0
WellingtonISAuthor Commented:
Thanks guys I figured it out and it works the way I want it to.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.