Solved

Fileserver Permissions - 2008 R2

Posted on 2013-12-12
Last Modified: 2013-12-19
I'm having strange issues trying to work out some permissions on a fileserver.
Users have a mapped drive to a root folder within which they see their departmental main folder and then within that are a single level of subfolders with distinct permissions requirements.

At the departmental folder level, the users are members of a group that gives them Read access to "this folder only".  They are then members of groups specific to each subfolder in there as required.  These are configured as follows:

Each (first-level) subfolder has two permissions entries for the latter type of group.  The first is applied to "This Folder Only" and has just read access and the second applied to "Subfolders and Files" has full control.

Despite this, users cannot, for example, rename folders within the subfolder.  Effective permissions on one such folder show the user as having full control!  The folder is not read-only either.
If I remove the "This Folder Only" entry and change the full control entry to "Folder, Subfolders and files" then all is well.

What am I missing? Thanks!
0
Question by:cantoris
LVL 10

Expert Comment

by:jmanishbabu
ID: 39713748
Do you have 2 permissions for the same users on the parent folder?

If yes, one of the permissions with Read or Deny is denying users from changing the policy.

Check if you have 2 groups with the same users permissions. If yes, the one with the least permission should be removed or edited.
0
 
LVL 16

Author Comment

by:cantoris
ID: 39713822
- DeptFolder = "This Folder Only" =Read
     |____ SubFolder = ("This Folder Only" = Read)+("Subfolders and Files" = Full)
                  |_____ Deeper level = Inherited permissions only.


User cannot rename that deeper level folder despite Effective Permissions confirming user has full control!  It's almost as though the SubFolder level "This Folder Only" permissions are silently applying to all subfolders too.  (The "apply at this level" checkbox is greyed out when you apply permissions to the folder only.)
0
 
LVL 2

Assisted Solution

by:gruppomg
ID: 39713896
My suggestion: Don't use Full Control for users; this means that the users are able to modify the permissions. Instead of "Full Control", use the "Modify" option.

To set the permissions
- DeptFolder - Remove the users permission. Add Admin and System Full Control permission.
 Uncheck the option "replicate all child ..."
In advanced options, add the "Domain Users" group and select the following options:
   - This folder only
   - Traverse folder / execute file
   - List folder / read data
   - Read attributes
   - Read extended attributes
   - Read permissions

Ok

Go to the second level folders
   Go to security > Advanced > Change Permissions
   If there are any permissions for the users group being replicated, please remove them.
   Add the group that should have permission for that folder, "Dept_IT_Group", and use:
   For This folder only - Read - Do not select to replicate for child items
  Add the same group "Dept_IT_Group", select "Subfolders and files only" and add Modify permissions

Hope it helps
Regards
0
 
LVL 16

Accepted Solution

by:cantoris
ID: 39714097
Thanks for your thoughts.  We've used Modify instead of Full Control as you suggested.  What you said for the second level folders is essentially what we'd already tried.

We've changed the subfolder group to have an entry with Modify rights for "This folder, subfolder and files".  Then we've added an entry for "This folder only" where that group is merely Denied "Delete" and "Delete subfolders and files".
This is now behaving as required.

Thanks for reading.
0
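The ACL layout from the accepted solution above, as an added PowerShell example that is not part of the original thread; `$Group` and the scratch path are stand-ins. Renaming a folder creates a new entry in its parent directory, so it needs create-folder rights on SubFolder itself, which a "This Folder Only" Read entry does not grant. The Deny entry scoped to "This folder only" then keeps the group from deleting or renaming SubFolder itself.

```powershell
# Added example: builds the accepted-solution ACL on a scratch folder and reads it back.
# $Group is a stand-in (assumption) for the per-subfolder departmental group.
$Group     = 'BUILTIN\Users'
$SubFolder = Join-Path $env:TEMP 'DeptFolder\SubFolder'
New-Item -ItemType Directory -Path $SubFolder -Force | Out-Null

$acl = Get-Acl -Path $SubFolder

# Entry 1: Allow Modify on "This folder, subfolders and files".
# ContainerInherit + ObjectInherit with PropagationFlags None covers the folder
# itself as well as everything below it.
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')

# Entry 2: Deny "Delete" and "Delete subfolders and files" on "This folder only".
# InheritanceFlags None means the ACE is not passed down to children.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Delete, DeleteSubdirectoriesAndFiles', 'None', 'None', 'Deny')

$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $SubFolder -AclObject $acl

# Create the deeper level afterwards so it picks up inherited ACEs only.
$Deeper = Join-Path $SubFolder 'Deeper'
New-Item -ItemType Directory -Path $Deeper -Force | Out-Null

# Explicit entries on SubFolder: expect one Allow (inheritable) and one Deny (not inheritable).
(Get-Acl -Path $SubFolder).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Group } |
    Format-Table AccessControlType, FileSystemRights, InheritanceFlags, PropagationFlags

# Entries on the deeper folder: only the inherited Allow Modify should appear,
# because the Deny was scoped to SubFolder alone.
(Get-Acl -Path $Deeper).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table AccessControlType, FileSystemRights, IsInherited
```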
 
LVL 16

Author Closing Comment

by:cantoris
ID: 39728761
Ultimately made it work with a Deny permission!
0
