Solved

Fileserver Permissions - 2008 R2

Posted on 2013-12-12
5
295 Views
Last Modified: 2013-12-19
I'm having strange issues trying to work out some permissions on a fileserver.
Users have a mapped drive to a root folder within which they see their departmental main folder and then within that are a single level of subfolders with distinct permissions requirements.

At the departmental folder level, the users are a member of a group that gives them Read access to "this folder only".  They are then members of groups specific to each subfolder in there as required.  These are configured as follows:

Each (first-level) subfolder has two permissions entries for the latter type of group.  The first is applied to "This Folder Only" and has just read access and the second applied to "Subfolders and Files" has full control.

Despite this, users cannot, for example rename folders within the subfolder.  Effective permissions on one such folder shows the user as having full control!  The folder is not read-only either.
If I remove the "This Folder Only" entry and change the full control entry to "Folder, Subfolders and files" then all is well.

What am I missing? Thanks!
0
Comment
Question by:cantoris
  • 3
5 Comments
 
LVL 10

Expert Comment

by:jmanishbabu
ID: 39713748
Do u have 2 permissions for same users on the parent folder

If yes one of the Permissions with read or Deny is denying users from changing the policy.

Check if u have 2 groups with same users permissions . If yes the one with least permission should be removed or edited ,.
0
 
LVL 16

Author Comment

by:cantoris
ID: 39713822
- DeptFolder = "This Folder Only" =Read
     |____ SubFolder = ("This Folder Only" = Read)+("Subfolders and Files" = Full)
                  |_____ Deeper level = Inherited permissions only.


User cannot rename that deeper level folder despite Effective Permissions confirming user has full control!  It's almost as though the SubFolder level "This Folder Only" permissions are silently applying to all subfolders too.  (The "apply at this level" checkbox is greyed out when you apply permissions to the folder only.)
0
 
LVL 2

Assisted Solution

by:gruppomg
gruppomg earned 500 total points
ID: 39713896
My suggestion: Don't use Full Control for users, these means that the users are able to modify the permissions, instead of "Full Control" use "Modify" option.

To set the permissions
- DeptFolder - Remove the users permission. Add ADmin and System Full Control permission.
 UnCheck the option "replicate all child ..."
In advanced option, add The "Domain Users" group and select the following option:
   - This folder Only
   - Transverse folder / execute file
   - List Folder / Read Data
   - read Attributes
   - read extended Attributes
   - read permissions

Ok

Go to the second level folders
   Go to security > Advanced > Change Permissions
   If there are any permission for the users group being replicated, please, remove it.
   Add the Group for that should have permission for that folder "Dept_IT_Group" and use:
   For This folder Only - Read - Do not select to replicate for child itens
  Add the same Group "Dept_IT_Group" and select Subfolder and Files Only add modify permissions

Hope it helps
Regards
0
 
LVL 16

Accepted Solution

by:
cantoris earned 0 total points
ID: 39714097
Thanks for your thoughts.  We've used Modify instead of Full Control as you suggested.  What you said for the second level folders is essentially what we'd already tried.

We've changed the subfolder group to have an entry with Modify rights for "This folder, subfolder and files".  Then we've added an entry for "This folder only" where that group is merely Denied "Delete" and "Delete subfolders and files".
This is now behaving as required.

Thanks for reading.
0
 
LVL 16

Author Closing Comment

by:cantoris
ID: 39728761
Ultimately made it work with a Deny permission!
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question