Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Delegate User to Set Permissions on File Server

Posted on 2014-01-10
5
Medium Priority
?
2,117 Views
Last Modified: 2014-01-19
Hello Experts,

I am having an issue setting up a user to be able to change permissions on a folder and subfolders on a file server.

The file server is 2008 R2 and in a domain. I am the only administrator.
I have given this user (userA) the Full control permissions for this folder, and he can make, save, delete just fine. But he cannot change permissions of any subfolders in this folder.

Let me explain the situation….
Management wants all CAD models placed in the “PARTS” folder with userA being the only one to have read, write (full control) of this folder.
Inside the Parts folder is a folder named for each part number. Inside each part number folder is 4 folders (Master, Original, QA, Tooling).
The permissions are inherited from the parent as follows;
  UserA = Full Control
  Engineering = read & execute, list folder contents, read

I would like to have UserA to be in charge of this folder/subfolders and be able to change the permissions on the QA and Tooling folders, so Engineering group would have “Modify” rights on just these two folders.

(hope this all makes since)

How do I delegate rights for this user (UserA) to be able to do this without him being an admin of the server?

Client computers are Windows XP and Windows 7 pro.
The Parts folder is shared and users have the Parts folder mapped to their computers.

Sounds like a lot of micro-managing (and it is), if someone has a better solution, would like to here.

Thanks

  Fubr
0
Comment
Question by:Fubr
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 37

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 39771963
1st you need to logon on server as administrator (domain admins membership will be just fine)
Then give required user (delegated user) full control share permissions on required folder (parts)

Then from advanced security permissions of parts folder go to owner tab and new entry there for delegated user and grant him folder ownership with "replace owner on subcontaners" checkbox selected

It may warn you, accept the warning and now the delegated user will become owner of folder
Now close all windows, again go to ntfs permissions of parts folder and add delegated user there and give him full control permissions and remove any other users and groups full control permissions except administrator \ administrators and click apply.
Also remove creator owner group from access control list of parts folder.

Then go to advanced security permissions and select replace permissions... checkbox and click apply.
This will ensure that delegated user will have full control permissions on parts folder and subfolders and files in the hierarchy.

The only problem with this method is you may lose all other users permissions from sub folders and root folder that you may need to assign again.

The another option is you can use subinacl tool from MS to change owner of parts folder and sub folders and grant delegated user full control on parts folder and sub folder
Syntax:
subinacl /subdirectories "c:\folder\*.*" /setowner=yourdomain\youraccount

subinacl /subdirectories "c:\folder\" /grant=yourdomain\youraccount =F
OR
subinacl /subdirectories "c:\folder\*.*" /grant=yourdomain\youraccount =F

http://www.microsoft.com/en-us/download/details.aspx?id=23510

Mahesh
0
 

Author Comment

by:Fubr
ID: 39779914
Hi Mahesh,

I tried both and still get "access denied" when I have the userA try to change permission on QA and Tooling folders.

Now the only thing I did different, was I created a group (GroupA) adding user to this group and use this instead of UserA. Will subinacl still work on a group instead of user?

Permissions show GroupA as Full control
subinacl shows all good in command prompt  
(Done: 2049,  Modified: 2049, Failed: 0,  Syntax errors: 0)

Any ideas??

Thanks

  Fubr
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39780180
Yes you can grant ownership and access to groups through Subinacl

The above syntax is for just for reference

Make sure you have logged on server with account having local administrators group membership.
Instead of providing permissions to GroupA grant ownership to local server administrators group

subinacl /subdirectories "c:\folder\*.*" /setowner=servername\administrators
Then
subinacl /subdirectories "c:\folder\" /grant=your_domain\UserA =F

Then just logoff server and user workstation as well once and check if you got access as expected ?

Alternatively you can try GUI method mentioned above

Mahesh
0
 

Author Comment

by:Fubr
ID: 39791816
Hey Mahesh,

Couldn't get it to work with the subinacl.
But I was able to get it going with the GUI method as you explain.

Thank you

  Fubr
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39791853
Thanks

Just check below thread on same topic which shade some more light on this and to avoid this issue in future.
http://www.experts-exchange.com/Q_28307926.html

Mahesh
0

Featured Post

New benefit for Premium Members - Upgrade now!

Ready to get started with anonymous questions today? It's easy! Learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question