Solved

Fileserver Permissions - 2008 R2

Posted on 2013-12-12
5
294 Views
Last Modified: 2013-12-19
I'm having strange issues trying to work out some permissions on a fileserver.
Users have a mapped drive to a root folder within which they see their departmental main folder and then within that are a single level of subfolders with distinct permissions requirements.

At the departmental folder level, the users are a member of a group that gives them Read access to "this folder only".  They are then members of groups specific to each subfolder in there as required.  These are configured as follows:

Each (first-level) subfolder has two permissions entries for the latter type of group.  The first is applied to "This Folder Only" and has just read access and the second applied to "Subfolders and Files" has full control.

Despite this, users cannot, for example rename folders within the subfolder.  Effective permissions on one such folder shows the user as having full control!  The folder is not read-only either.
If I remove the "This Folder Only" entry and change the full control entry to "Folder, Subfolders and files" then all is well.

What am I missing? Thanks!
0
Comment
Question by:cantoris
  • 3
5 Comments
 
LVL 10

Expert Comment

by:jmanishbabu
ID: 39713748
Do u have 2 permissions for same users on the parent folder

If yes one of the Permissions with read or Deny is denying users from changing the policy.

Check if u have 2 groups with same users permissions . If yes the one with least permission should be removed or edited ,.
0
 
LVL 16

Author Comment

by:cantoris
ID: 39713822
- DeptFolder = "This Folder Only" =Read
     |____ SubFolder = ("This Folder Only" = Read)+("Subfolders and Files" = Full)
                  |_____ Deeper level = Inherited permissions only.


User cannot rename that deeper level folder despite Effective Permissions confirming user has full control!  It's almost as though the SubFolder level "This Folder Only" permissions are silently applying to all subfolders too.  (The "apply at this level" checkbox is greyed out when you apply permissions to the folder only.)
0
 
LVL 2

Assisted Solution

by:gruppomg
gruppomg earned 500 total points
ID: 39713896
My suggestion: Don't use Full Control for users, these means that the users are able to modify the permissions, instead of "Full Control" use "Modify" option.

To set the permissions
- DeptFolder - Remove the users permission. Add ADmin and System Full Control permission.
 UnCheck the option "replicate all child ..."
In advanced option, add The "Domain Users" group and select the following option:
   - This folder Only
   - Transverse folder / execute file
   - List Folder / Read Data
   - read Attributes
   - read extended Attributes
   - read permissions

Ok

Go to the second level folders
   Go to security > Advanced > Change Permissions
   If there are any permission for the users group being replicated, please, remove it.
   Add the Group for that should have permission for that folder "Dept_IT_Group" and use:
   For This folder Only - Read - Do not select to replicate for child itens
  Add the same Group "Dept_IT_Group" and select Subfolder and Files Only add modify permissions

Hope it helps
Regards
0
 
LVL 16

Accepted Solution

by:
cantoris earned 0 total points
ID: 39714097
Thanks for your thoughts.  We've used Modify instead of Full Control as you suggested.  What you said for the second level folders is essentially what we'd already tried.

We've changed the subfolder group to have an entry with Modify rights for "This folder, subfolder and files".  Then we've added an entry for "This folder only" where that group is merely Denied "Delete" and "Delete subfolders and files".
This is now behaving as required.

Thanks for reading.
0
 
LVL 16

Author Closing Comment

by:cantoris
ID: 39728761
Ultimately made it work with a Deny permission!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question