Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Fileserver Permissions - 2008 R2

Posted on 2013-12-12
5
Medium Priority
?
299 Views
Last Modified: 2013-12-19
I'm having strange issues trying to work out some permissions on a fileserver.
Users have a mapped drive to a root folder within which they see their departmental main folder and then within that are a single level of subfolders with distinct permissions requirements.

At the departmental folder level, the users are a member of a group that gives them Read access to "this folder only".  They are then members of groups specific to each subfolder in there as required.  These are configured as follows:

Each (first-level) subfolder has two permissions entries for the latter type of group.  The first is applied to "This Folder Only" and has just read access and the second applied to "Subfolders and Files" has full control.

Despite this, users cannot, for example rename folders within the subfolder.  Effective permissions on one such folder shows the user as having full control!  The folder is not read-only either.
If I remove the "This Folder Only" entry and change the full control entry to "Folder, Subfolders and files" then all is well.

What am I missing? Thanks!
0
Comment
Question by:cantoris
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 10

Expert Comment

by:jmanishbabu
ID: 39713748
Do u have 2 permissions for same users on the parent folder

If yes one of the Permissions with read or Deny is denying users from changing the policy.

Check if u have 2 groups with same users permissions . If yes the one with least permission should be removed or edited ,.
0
 
LVL 16

Author Comment

by:cantoris
ID: 39713822
- DeptFolder = "This Folder Only" =Read
     |____ SubFolder = ("This Folder Only" = Read)+("Subfolders and Files" = Full)
                  |_____ Deeper level = Inherited permissions only.


User cannot rename that deeper level folder despite Effective Permissions confirming user has full control!  It's almost as though the SubFolder level "This Folder Only" permissions are silently applying to all subfolders too.  (The "apply at this level" checkbox is greyed out when you apply permissions to the folder only.)
0
 
LVL 2

Assisted Solution

by:gruppomg
gruppomg earned 1500 total points
ID: 39713896
My suggestion: Don't use Full Control for users, these means that the users are able to modify the permissions, instead of "Full Control" use "Modify" option.

To set the permissions
- DeptFolder - Remove the users permission. Add ADmin and System Full Control permission.
 UnCheck the option "replicate all child ..."
In advanced option, add The "Domain Users" group and select the following option:
   - This folder Only
   - Transverse folder / execute file
   - List Folder / Read Data
   - read Attributes
   - read extended Attributes
   - read permissions

Ok

Go to the second level folders
   Go to security > Advanced > Change Permissions
   If there are any permission for the users group being replicated, please, remove it.
   Add the Group for that should have permission for that folder "Dept_IT_Group" and use:
   For This folder Only - Read - Do not select to replicate for child itens
  Add the same Group "Dept_IT_Group" and select Subfolder and Files Only add modify permissions

Hope it helps
Regards
0
 
LVL 16

Accepted Solution

by:
cantoris earned 0 total points
ID: 39714097
Thanks for your thoughts.  We've used Modify instead of Full Control as you suggested.  What you said for the second level folders is essentially what we'd already tried.

We've changed the subfolder group to have an entry with Modify rights for "This folder, subfolder and files".  Then we've added an entry for "This folder only" where that group is merely Denied "Delete" and "Delete subfolders and files".
This is now behaving as required.

Thanks for reading.
0
 
LVL 16

Author Closing Comment

by:cantoris
ID: 39728761
Ultimately made it work with a Deny permission!
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question