Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Share Permissions

Posted on 2013-06-11
8
Medium Priority
?
431 Views
Last Modified: 2013-06-11
I have a share that usable by everyone.  I have a group called everyone_no Adminstrator.  I am having and issue with users creating folders on this share.  I don't want that.  My idea was to make the everyone_no Administrator group read only on the share, however, is this going to stop users from creating files and posting files to the other shares if the NTFS permission allow it?  I know that windows takes the most restrictive - however shouldn't NTFS override that share?
0
Comment
Question by:WellingtonIS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
8 Comments
 
LVL 3

Expert Comment

by:Hir0
ID: 39237664
There are two kinds of permissions involved in any shared folder - those on the actual share and those imposed by the underlying file system.  These permissions are subttractive.  This means the most restrictive permissions will win.
 Windows SBS 2011 MS Press

Generally speaking you should pick either NTFS or Share permissions to control file access and stick with one or the other.  I recommend setting share permissions to Full control for authenticated users and using a combination of NTFS and groups to manage access.
0
 
LVL 1

Expert Comment

by:marcocerruti
ID: 39237677
Hi!
If you make the users member of the "Everyone_no Administrator" group and you give the group the Read permission only on the share, they should not be able to create anything, even if the NTFS permissions allows it.
However you might have some different behavior if the users are members also of another group to which you gave more permissions on the share.

CHeck this document and test before applying.
http://technet.microsoft.com/en-us/library/cc770962.aspx

Effective Permissions Tool
http://technet.microsoft.com/en-us/library/cc756795(v=ws.10).aspx

I hope it helps!
0
 

Author Comment

by:WellingtonIS
ID: 39237685
I do understand that however, I need to find a way to prevent my users from creating folders on the share... Is that even possible?
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:WellingtonIS
ID: 39237856
Stupid question... The security tap on the share...  Isn't that controlling the permissions on the share?  If I deny write/create files for everyone_no administrator won't that solve my issue?
0
 
LVL 1

Accepted Solution

by:
marcocerruti earned 1000 total points
ID: 39237874
Ok, on the folder you have 2 tabs:
- Sharing and Security

Security, defines NTFS permissions
Sharing, controls the Sharing of the folder and the Sharing permissions

The Sharing permissions only kick in if you access the folder through the network. NTFS permissions are defined on the volume if it has been formatted using NTFS.

Now, When you set the sharing permissions, it's like an "entrance" permission on the folder, so if you set "Read" for a user, that user, no matter what NTFS permission it has, cannot do anything else but Read.

However, if you set "Change" or "Full Control" on the Share permission, you can restrict on the NTFS later.

So the ultimate result depends on the combination of Share and NTFS permissions, and the application of these permissions on Users, Groups and ultimately the membership of the users.
0
 
LVL 3

Assisted Solution

by:Hir0
Hir0 earned 1000 total points
ID: 39237892
Sounds like you want to control the directory structure.  With NTFS  If they can create files then they can create folders.  You should set the share permissions to full control for authenticated users and then set the NTfs permissions for the everyone_no_adminitrator group to modify, go into advanced permissions  for the group and uncheck delete and check delete sub folders and files.  Do this for all top level folders in the root of share.  This way users can see the directory tree but they can't write files or folders to the root, only inside the folders sub folders.
0
 

Author Comment

by:WellingtonIS
ID: 39237996
Thanks guys.  I'm going to "play" with it and hopefully I'll get my result.  I'm going to give the everyone_no administrator read and change and I'll take care of the rest via NTFS on the security tab.  Maybe, just maybe I'll get my result.
0
 

Author Closing Comment

by:WellingtonIS
ID: 39238250
Thanks guys I figured it out and it works the way I want it to.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question