Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Setting Permission

Posted on 2014-01-09
12
Medium Priority
?
137 Views
Last Modified: 2014-02-11
I have a SHARE folder on SBS2011 where the group name "STAFF" has FULL ACCESS. The "STAFF" includes most domain users. The SHARE folder has many sub-folders. Today one of the users asked me if I can set the permissions on a specific sub-folder (under SHARE) so that some users would have FULL access where some has READ only access.
However all the users belong to the group "STAFF".
To be specific, say there are User1, User2, User3 and User4 that are members of the group "STAFF". The STAFF group has full access to D:\SHARE and its sub-folders. Now I need to set the permission on D:\SHARE\SubDir1\SubDir2\...\VacationLog folder so that User1 and User2 have Full Access whereas User3 and User4 have Read-Only access.
Yesterday I attempted, but was not successful.
Can you help?
0
Comment
Question by:sglee
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 3
12 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 668 total points
ID: 39767908
Create a group called Read Access and place User 3 and User 4 in that group.   Apply Read access to SubDIR1

Although User3 and 4 are in both groups the most restrictive permissions win so they will only have read and those only in staff will still have full.

User 3 and 4 will have to log off and log back in after you add them to the new group.


Thanks

Mike
0
 

Author Comment

by:sglee
ID: 39767924
@mkline71,
I will try that and post the result.
0
 
LVL 143

Assisted Solution

by:Guy Hengel [angelIII / a3]
Guy Hengel [angelIII / a3] earned 1332 total points
ID: 39767925
put user3 and user4 into a new group.
in the VacationLog folder, set that group to have a "Deny Write" permission.

note that the user3/4 may need to log in again in order that they get that new group membershop permissions ...
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:sglee
ID: 39767959
ReadUserGroup@Mike,
 
 After creating a new group "VacationReadUsers", I added the new group to Vacation folder with read/list permissions only, but I was able to change the contents of EXCEL file and save it.

  I will try "DENY" option as Guy Hengel suggested.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39767996
Guy is right, sorry  I was thinking of share and NTFS permissions for most restrictive.  These are all NTFS.

THanks

Mike
0
 

Author Comment

by:sglee
ID: 39768004
Permission PropertiesAfter adding "Write Deny" as Guy Hengel suggested, it worked.

Now I did not think of this: The group "STAFF" currently pretty much includes every domain users and not everyone should be able to make changes to the files in this folder.
If I want to allow only handful/selected users to have WRITE permission on this folder, what is the best way to accomplish that given the fact that STAFF group includes everyone pretty much and that group currently has full permission on VACATION folder.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39768014
On that particular folder you could make Staff only have read and then create a write group and give them write permissions.

Thanks

Mike
0
 
LVL 143

Assisted Solution

by:Guy Hengel [angelIII / a3]
Guy Hengel [angelIII / a3] earned 1332 total points
ID: 39768019
then you do this:
* create a new group VACATION_LOG, and grant read+write on that folder to that group
* add user1 and user2 to that group
* specify for the STAFF folder thant WRITE permissions are removed, and not inherited

the risk is that if at some point someone is reapplying the permissions from root folder to subfolders, this may get lost
0
 

Author Comment

by:sglee
ID: 39768093
Security WarningAfter creating a new group "VacationWriteUsers" giving FULL Permission to User 1 and User2, I wanted to take out WRITE permission from STAFF folder.
So I went to "Advanced" and chose "Change Permission" for STAFF and when I uncheck the checkbox for "Include inheritable permission from this object's parent", I get this warning.
0
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 39768105
this is exactly what you want to achieve: this folder will NOT inherit any permissions you set at a higher level
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39768107
Click add on that dialogue box, then you can go in and change the staff permission.

Thanks

Mike
0
 

Author Comment

by:sglee
ID: 39768146
After "unchecking" the checkbox, now I am free to set permission level to STAFF group.
I removed Full Control/Modify/Write permissions.

Thank you for your help.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question