• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 745
  • Last Modified:

User Access to NTFS ACLs on Windows Server 2008 R2

Hello,
I have a customer that is requesting an easy way to delegate and assign read/write/modify access to certain folders to certain users on our file server.  Currently these changes are done by Domain Admins through remote desktop through the security tab of the folders property window.  Is there a M$ or 3rd party software to enable a non-domain admin access to this same capability on select folders without sharing remote desktop access to them?

Any suggestions would be greatly appreciated.

Thanks,
Robert
0
Robert Davis
Asked:
Robert Davis
1 Solution
 
Michael PfisterCommented:
Create groups for each folder and assign them NTFS permissions to the folders.
Modify the "Managed by" field of the groups and add a user or another group of users to manage the membership of the groups.
Install Active Directory Users and Computers mmc on the systems of the "managers" and show them how to add or remove users to the groups.

Disadvantage: users need to logoff and logon to get the change in group membership applied.
0
 
CoralonCommented:
This is easily accomplished by assigning those users Full Control of the selected directories.  

The permissions that truly matter are:
Take Ownership - this allows them to sieze control of the item and modify permissions.
Modify permisions - obviously allows them to modify the permissions on that item.

Once they have those, they can access it through a share and modify the permissions, as long as the share allows Full Control.  If not, then you have to look at things like Hyena, etc. that let you do limited management, and it has to be assigned by the domain admins.

Coralon
0
 
McKnifeCommented:
You can of course share the root of c:/d:/... what ever drive you are talking about and assign full control to your non-domain admins. That way they can modify the ACLs without RDP.
0
Microsoft Certification Exam 74-409

VeeamĀ® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
Robert DavisAuthor Commented:
When I give a test user full control and test it out (add another user with r/w), all the inherited permissions are removed and I have to take ownership of the folder as an Admin, and re-check "Inherit permissions..." to get back to where I started.  Is this normal behavior?  The test user is adding the second user through the permissions tab of the folder, when access through a UNC path (\\servername\sharename\folderusercanchange).

Having a group per folder would mean the same amount of downtime as a unique group would need to be created for the individual and new folders created by the user they wish to lock down or share with other users.

Basically this is so a manager can share certain folders of theirs on a network share with certain users, without having to have IT set the permissions each time for each folder.  Full control is the solution, except that all the inherited permissions seem to be getting wiped.

Is this what is happening for you Coralon?
0
 
CoralonCommented:
You want to do this from the command line - when you use explorer, you overwrite the permissions that are there.  If you use cacls, xcacls, icacls, etc. you have the option to edit  the permissions without overwriting it.  

My thoughts were more along the line of something like this.  
Let's say the directory is f:\parentdirectory\childdirectory\childdirectory2.
Your share for this is \\server\parentshare and you want the person in question to be able to modify the directories at childdirectory and lower.

On that server, you would do something like
 cacls f:\parentdirectory\childdirectory /e /t /g domain\thisuser:f

Open in new window


From a remote directory, it would be relatively the same thing:
cacls \\server\parentshare\childdirectory /e /t /g domain\thisuser:f

Open in new window


The /e is for edit, the /t is for subdirectories, and the /g is to grant.   Explorer does a lot of undesirable things for permissions in this circumstance.  It tries to reorder permissions, rewrite them, etc.  If you want to modify the permissions graphically, you have to turn off the inheritance first, and copy the permissions, and then you can set what you need to.  I'm not a fan of having to do this.

Coralon
0
 
Robert DavisAuthor Commented:
Won't the laymen manager user also have to then use cacls?

Robert
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now