Solved

User Access to NTFS ACLs on Windows Server 2008 R2

Posted on 2013-11-05
6
699 Views
Last Modified: 2013-11-22
Hello,
I have a customer that is requesting an easy way to delegate and assign read/write/modify access to certain folders to certain users on our file server.  Currently these changes are done by Domain Admins through remote desktop through the security tab of the folders property window.  Is there a M$ or 3rd party software to enable a non-domain admin access to this same capability on select folders without sharing remote desktop access to them?

Any suggestions would be greatly appreciated.

Thanks,
Robert
0
Comment
Question by:Robert Davis
6 Comments
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 39626675
Create groups for each folder and assign them NTFS permissions to the folders.
Modify the "Managed by" field of the groups and add a user or another group of users to manage the membership of the groups.
Install Active Directory Users and Computers mmc on the systems of the "managers" and show them how to add or remove users to the groups.

Disadvantage: users need to logoff and logon to get the change in group membership applied.
0
 
LVL 23

Expert Comment

by:Coralon
ID: 39627324
This is easily accomplished by assigning those users Full Control of the selected directories.  

The permissions that truly matter are:
Take Ownership - this allows them to sieze control of the item and modify permissions.
Modify permisions - obviously allows them to modify the permissions on that item.

Once they have those, they can access it through a share and modify the permissions, as long as the share allows Full Control.  If not, then you have to look at things like Hyena, etc. that let you do limited management, and it has to be assigned by the domain admins.

Coralon
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39628683
You can of course share the root of c:/d:/... what ever drive you are talking about and assign full control to your non-domain admins. That way they can modify the ACLs without RDP.
0
How does your email signature look on mobiles?

Do your employees use mobile devices to reply to emails? With mobile becoming increasingly important to the business world, it is in your best interest to make sure that your email signature looks great across all types of devices.

 
LVL 1

Author Comment

by:Robert Davis
ID: 39635114
When I give a test user full control and test it out (add another user with r/w), all the inherited permissions are removed and I have to take ownership of the folder as an Admin, and re-check "Inherit permissions..." to get back to where I started.  Is this normal behavior?  The test user is adding the second user through the permissions tab of the folder, when access through a UNC path (\\servername\sharename\folderusercanchange).

Having a group per folder would mean the same amount of downtime as a unique group would need to be created for the individual and new folders created by the user they wish to lock down or share with other users.

Basically this is so a manager can share certain folders of theirs on a network share with certain users, without having to have IT set the permissions each time for each folder.  Full control is the solution, except that all the inherited permissions seem to be getting wiped.

Is this what is happening for you Coralon?
0
 
LVL 23

Accepted Solution

by:
Coralon earned 500 total points
ID: 39635142
You want to do this from the command line - when you use explorer, you overwrite the permissions that are there.  If you use cacls, xcacls, icacls, etc. you have the option to edit  the permissions without overwriting it.  

My thoughts were more along the line of something like this.  
Let's say the directory is f:\parentdirectory\childdirectory\childdirectory2.
Your share for this is \\server\parentshare and you want the person in question to be able to modify the directories at childdirectory and lower.

On that server, you would do something like
 cacls f:\parentdirectory\childdirectory /e /t /g domain\thisuser:f

Open in new window


From a remote directory, it would be relatively the same thing:
cacls \\server\parentshare\childdirectory /e /t /g domain\thisuser:f

Open in new window


The /e is for edit, the /t is for subdirectories, and the /g is to grant.   Explorer does a lot of undesirable things for permissions in this circumstance.  It tries to reorder permissions, rewrite them, etc.  If you want to modify the permissions graphically, you have to turn off the inheritance first, and copy the permissions, and then you can set what you need to.  I'm not a fan of having to do this.

Coralon
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 39660377
Won't the laymen manager user also have to then use cacls?

Robert
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Cloud file services can fill many different roles for your business. Often, the use of cloud file services begins with employees using consumer products, like Dropbox, to share files with customers and each other. While sync-and-share can be an effe…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now