Solved

User Access to NTFS ACLs on Windows Server 2008 R2

Posted on 2013-11-05
6
720 Views
Last Modified: 2013-11-22
Hello,
I have a customer that is requesting an easy way to delegate and assign read/write/modify access to certain folders to certain users on our file server.  Currently these changes are done by Domain Admins through remote desktop through the security tab of the folders property window.  Is there a M$ or 3rd party software to enable a non-domain admin access to this same capability on select folders without sharing remote desktop access to them?

Any suggestions would be greatly appreciated.

Thanks,
Robert
0
Comment
Question by:Robert Davis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 39626675
Create groups for each folder and assign them NTFS permissions to the folders.
Modify the "Managed by" field of the groups and add a user or another group of users to manage the membership of the groups.
Install Active Directory Users and Computers mmc on the systems of the "managers" and show them how to add or remove users to the groups.

Disadvantage: users need to logoff and logon to get the change in group membership applied.
0
 
LVL 25

Expert Comment

by:Coralon
ID: 39627324
This is easily accomplished by assigning those users Full Control of the selected directories.  

The permissions that truly matter are:
Take Ownership - this allows them to sieze control of the item and modify permissions.
Modify permisions - obviously allows them to modify the permissions on that item.

Once they have those, they can access it through a share and modify the permissions, as long as the share allows Full Control.  If not, then you have to look at things like Hyena, etc. that let you do limited management, and it has to be assigned by the domain admins.

Coralon
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39628683
You can of course share the root of c:/d:/... what ever drive you are talking about and assign full control to your non-domain admins. That way they can modify the ACLs without RDP.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 1

Author Comment

by:Robert Davis
ID: 39635114
When I give a test user full control and test it out (add another user with r/w), all the inherited permissions are removed and I have to take ownership of the folder as an Admin, and re-check "Inherit permissions..." to get back to where I started.  Is this normal behavior?  The test user is adding the second user through the permissions tab of the folder, when access through a UNC path (\\servername\sharename\folderusercanchange).

Having a group per folder would mean the same amount of downtime as a unique group would need to be created for the individual and new folders created by the user they wish to lock down or share with other users.

Basically this is so a manager can share certain folders of theirs on a network share with certain users, without having to have IT set the permissions each time for each folder.  Full control is the solution, except that all the inherited permissions seem to be getting wiped.

Is this what is happening for you Coralon?
0
 
LVL 25

Accepted Solution

by:
Coralon earned 500 total points
ID: 39635142
You want to do this from the command line - when you use explorer, you overwrite the permissions that are there.  If you use cacls, xcacls, icacls, etc. you have the option to edit  the permissions without overwriting it.  

My thoughts were more along the line of something like this.  
Let's say the directory is f:\parentdirectory\childdirectory\childdirectory2.
Your share for this is \\server\parentshare and you want the person in question to be able to modify the directories at childdirectory and lower.

On that server, you would do something like
 cacls f:\parentdirectory\childdirectory /e /t /g domain\thisuser:f

Open in new window


From a remote directory, it would be relatively the same thing:
cacls \\server\parentshare\childdirectory /e /t /g domain\thisuser:f

Open in new window


The /e is for edit, the /t is for subdirectories, and the /g is to grant.   Explorer does a lot of undesirable things for permissions in this circumstance.  It tries to reorder permissions, rewrite them, etc.  If you want to modify the permissions graphically, you have to turn off the inheritance first, and copy the permissions, and then you can set what you need to.  I'm not a fan of having to do this.

Coralon
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 39660377
Won't the laymen manager user also have to then use cacls?

Robert
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question