Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Fileserver Permissions - 2008 R2

Posted on 2013-12-12
5
Medium Priority
?
300 Views
Last Modified: 2013-12-19
I'm having strange issues trying to work out some permissions on a fileserver.
Users have a mapped drive to a root folder within which they see their departmental main folder and then within that are a single level of subfolders with distinct permissions requirements.

At the departmental folder level, the users are a member of a group that gives them Read access to "this folder only".  They are then members of groups specific to each subfolder in there as required.  These are configured as follows:

Each (first-level) subfolder has two permissions entries for the latter type of group.  The first is applied to "This Folder Only" and has just read access and the second applied to "Subfolders and Files" has full control.

Despite this, users cannot, for example rename folders within the subfolder.  Effective permissions on one such folder shows the user as having full control!  The folder is not read-only either.
If I remove the "This Folder Only" entry and change the full control entry to "Folder, Subfolders and files" then all is well.

What am I missing? Thanks!
0
Comment
Question by:cantoris
  • 3
5 Comments
 
LVL 10

Expert Comment

by:jmanishbabu
ID: 39713748
Do u have 2 permissions for same users on the parent folder

If yes one of the Permissions with read or Deny is denying users from changing the policy.

Check if u have 2 groups with same users permissions . If yes the one with least permission should be removed or edited ,.
0
 
LVL 16

Author Comment

by:cantoris
ID: 39713822
- DeptFolder = "This Folder Only" =Read
     |____ SubFolder = ("This Folder Only" = Read)+("Subfolders and Files" = Full)
                  |_____ Deeper level = Inherited permissions only.


User cannot rename that deeper level folder despite Effective Permissions confirming user has full control!  It's almost as though the SubFolder level "This Folder Only" permissions are silently applying to all subfolders too.  (The "apply at this level" checkbox is greyed out when you apply permissions to the folder only.)
0
 
LVL 2

Assisted Solution

by:gruppomg
gruppomg earned 1500 total points
ID: 39713896
My suggestion: Don't use Full Control for users, these means that the users are able to modify the permissions, instead of "Full Control" use "Modify" option.

To set the permissions
- DeptFolder - Remove the users permission. Add ADmin and System Full Control permission.
 UnCheck the option "replicate all child ..."
In advanced option, add The "Domain Users" group and select the following option:
   - This folder Only
   - Transverse folder / execute file
   - List Folder / Read Data
   - read Attributes
   - read extended Attributes
   - read permissions

Ok

Go to the second level folders
   Go to security > Advanced > Change Permissions
   If there are any permission for the users group being replicated, please, remove it.
   Add the Group for that should have permission for that folder "Dept_IT_Group" and use:
   For This folder Only - Read - Do not select to replicate for child itens
  Add the same Group "Dept_IT_Group" and select Subfolder and Files Only add modify permissions

Hope it helps
Regards
0
 
LVL 16

Accepted Solution

by:
cantoris earned 0 total points
ID: 39714097
Thanks for your thoughts.  We've used Modify instead of Full Control as you suggested.  What you said for the second level folders is essentially what we'd already tried.

We've changed the subfolder group to have an entry with Modify rights for "This folder, subfolder and files".  Then we've added an entry for "This folder only" where that group is merely Denied "Delete" and "Delete subfolders and files".
This is now behaving as required.

Thanks for reading.
0
 
LVL 16

Author Closing Comment

by:cantoris
ID: 39728761
Ultimately made it work with a Deny permission!
0

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Let's recap what we learned from yesterday's Skyport Systems webinar.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question