User Access to NTFS ACLs on Windows Server 2008 R2

Posted on 2013-11-05
Medium Priority
Last Modified: 2013-11-22
I have a customer that is requesting an easy way to delegate and assign read/write/modify access to certain folders to certain users on our file server.  Currently these changes are done by Domain Admins through remote desktop through the security tab of the folders property window.  Is there a M$ or 3rd party software to enable a non-domain admin access to this same capability on select folders without sharing remote desktop access to them?

Any suggestions would be greatly appreciated.

Question by:Robert Davis
LVL 29

Expert Comment

by:Michael Pfister
ID: 39626675
Create groups for each folder and assign them NTFS permissions to the folders.
Modify the "Managed by" field of the groups and add a user or another group of users to manage the membership of the groups.
Install Active Directory Users and Computers mmc on the systems of the "managers" and show them how to add or remove users to the groups.

Disadvantage: users need to logoff and logon to get the change in group membership applied.
LVL 25

Expert Comment

ID: 39627324
This is easily accomplished by assigning those users Full Control of the selected directories.  

The permissions that truly matter are:
Take Ownership - this allows them to seize control of the item and modify permissions.
Modify permissions - obviously allows them to modify the permissions on that item.

Once they have those, they can access it through a share and modify the permissions, as long as the share allows Full Control.  If not, then you have to look at things like Hyena, etc. that let you do limited management, and it has to be assigned by the domain admins.

LVL 58

Expert Comment

ID: 39628683
You can of course share the root of c:/d:/... what ever drive you are talking about and assign full control to your non-domain admins. That way they can modify the ACLs without RDP.

Author Comment

by:Robert Davis
ID: 39635114
When I give a test user full control and test it out (add another user with r/w), all the inherited permissions are removed and I have to take ownership of the folder as an Admin, and re-check "Inherit permissions..." to get back to where I started.  Is this normal behavior?  The test user is adding the second user through the permissions tab of the folder, when accessing it through a UNC path (\\servername\sharename\folderusercanchange).

Having a group per folder would mean the same amount of downtime as a unique group would need to be created for the individual and new folders created by the user they wish to lock down or share with other users.

Basically this is so a manager can share certain folders of theirs on a network share with certain users, without having to have IT set the permissions each time for each folder.  Full control is the solution, except that all the inherited permissions seem to be getting wiped.

Is this what is happening for you Coralon?
LVL 25

Accepted Solution

Coralon earned 1500 total points
ID: 39635142
You want to do this from the command line - when you use explorer, you overwrite the permissions that are there.  If you use cacls, xcacls, icacls, etc. you have the option to edit  the permissions without overwriting it.  

My thoughts were more along the line of something like this.  
Let's say the directory is f:\parentdirectory\childdirectory\childdirectory2.
Your share for this is \\server\parentshare and you want the person in question to be able to modify the directories at childdirectory and lower.

On that server, you would do something like
cacls f:\parentdirectory\childdirectory /e /t /g domain\thisuser:f

From a remote directory, it would be relatively the same thing:
cacls \\server\parentshare\childdirectory /e /t /g domain\thisuser:f


The /e is for edit, the /t is for subdirectories, and the /g is to grant.   Explorer does a lot of undesirable things for permissions in this circumstance.  It tries to reorder permissions, rewrite them, etc.  If you want to modify the permissions graphically, you have to turn off the inheritance first, and copy the permissions, and then you can set what you need to.  I'm not a fan of having to do this.
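Added example, not from the thread or its author: a PowerShell equivalent of the cacls /e /t /g grant above, using the .NET ACL API so the delegate's ACE is appended (rather than the DACL being rewritten) and inheritance is verified afterwards. The folder path and the domain\thisuser account are the answer's hypothetical values.

```powershell
# Added example: append a delegate's ACE to a subfolder without touching
# inheritance, mirroring "cacls <dir> /e /t /g domain\thisuser:f".
param(
    [string]$Folder  = 'F:\parentdirectory\childdirectory',  # from the answer
    [string]$Account = 'domain\thisuser'                     # from the answer
)

# Rights a delegate needs to manage permissions themselves: Modify for
# day-to-day work plus ChangePermissions and TakeOwnership (the two rights
# Coralon calls out), instead of blanket Full Control.
$rights = [System.Security.AccessControl.FileSystemRights]::Modify -bor
          [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
          [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# ContainerInherit + ObjectInherit = (OI)(CI): the ACE flows to subfolders
# and files, the same scope cacls /t covers.
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
           [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $Folder
$before = @($acl.Access | Where-Object { $_.IsInherited }).Count

# AddAccessRule only appends an explicit ACE; it never sets the
# "protected" bit that Explorer flips when the delegate edits the DACL.
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify the symptom from the question did not occur: inheritance is still
# enabled and the inherited ACEs are still present.
$check = Get-Acl -Path $Folder
$after = @($check.Access | Where-Object { $_.IsInherited }).Count
if ($check.AreAccessRulesProtected -or $after -lt $before) {
    throw "Inheritance on $Folder was broken ($before -> $after inherited ACEs)."
}
$check.Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
```

Run it as an account that already holds Full Control on the folder; the delegate can then adjust permissions below that point with the same icacls/cacls edit switches rather than the Explorer dialog.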


Author Comment

by:Robert Davis
ID: 39660377
Won't the layman manager user also have to then use cacls?

