Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

User Access to NTFS ACLs on Windows Server 2008 R2

Posted on 2013-11-05
6
Medium Priority
?
742 Views
Last Modified: 2013-11-22
Hello,
I have a customer that is requesting an easy way to delegate and assign read/write/modify access to certain folders to certain users on our file server.  Currently these changes are done by Domain Admins through remote desktop through the security tab of the folders property window.  Is there a M$ or 3rd party software to enable a non-domain admin access to this same capability on select folders without sharing remote desktop access to them?

Any suggestions would be greatly appreciated.

Thanks,
Robert
0
Comment
Question by:Robert Davis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 29

Expert Comment

by:Michael Pfister
ID: 39626675
Create groups for each folder and assign them NTFS permissions to the folders.
Modify the "Managed by" field of the groups and add a user or another group of users to manage the membership of the groups.
Install Active Directory Users and Computers mmc on the systems of the "managers" and show them how to add or remove users to the groups.

Disadvantage: users need to logoff and logon to get the change in group membership applied.
0
 
LVL 25

Expert Comment

by:Coralon
ID: 39627324
This is easily accomplished by assigning those users Full Control of the selected directories.  

The permissions that truly matter are:
Take Ownership - this allows them to sieze control of the item and modify permissions.
Modify permisions - obviously allows them to modify the permissions on that item.

Once they have those, they can access it through a share and modify the permissions, as long as the share allows Full Control.  If not, then you have to look at things like Hyena, etc. that let you do limited management, and it has to be assigned by the domain admins.

Coralon
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39628683
You can of course share the root of c:/d:/... what ever drive you are talking about and assign full control to your non-domain admins. That way they can modify the ACLs without RDP.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 1

Author Comment

by:Robert Davis
ID: 39635114
When I give a test user full control and test it out (add another user with r/w), all the inherited permissions are removed and I have to take ownership of the folder as an Admin, and re-check "Inherit permissions..." to get back to where I started.  Is this normal behavior?  The test user is adding the second user through the permissions tab of the folder, when access through a UNC path (\\servername\sharename\folderusercanchange).

Having a group per folder would mean the same amount of downtime as a unique group would need to be created for the individual and new folders created by the user they wish to lock down or share with other users.

Basically this is so a manager can share certain folders of theirs on a network share with certain users, without having to have IT set the permissions each time for each folder.  Full control is the solution, except that all the inherited permissions seem to be getting wiped.

Is this what is happening for you Coralon?
0
 
LVL 25

Accepted Solution

by:
Coralon earned 1500 total points
ID: 39635142
You want to do this from the command line - when you use explorer, you overwrite the permissions that are there.  If you use cacls, xcacls, icacls, etc. you have the option to edit  the permissions without overwriting it.  

My thoughts were more along the line of something like this.  
Let's say the directory is f:\parentdirectory\childdirectory\childdirectory2.
Your share for this is \\server\parentshare and you want the person in question to be able to modify the directories at childdirectory and lower.

On that server, you would do something like
 cacls f:\parentdirectory\childdirectory /e /t /g domain\thisuser:f

Open in new window


From a remote directory, it would be relatively the same thing:
cacls \\server\parentshare\childdirectory /e /t /g domain\thisuser:f

Open in new window


The /e is for edit, the /t is for subdirectories, and the /g is to grant.   Explorer does a lot of undesirable things for permissions in this circumstance.  It tries to reorder permissions, rewrite them, etc.  If you want to modify the permissions graphically, you have to turn off the inheritance first, and copy the permissions, and then you can set what you need to.  I'm not a fan of having to do this.

Coralon
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 39660377
Won't the laymen manager user also have to then use cacls?

Robert
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question