Solved

Delegate User to Set Permissions on File Server

Posted on 2014-01-10
5
1,962 Views
Last Modified: 2014-01-19
Hello Experts,

I am having an issue setting up a user to be able to change permissions on a folder and subfolders on a file server.

The file server is 2008 R2 and in a domain. I am the only administrator.
I have given this user (userA) the Full control permissions for this folder, and he can make, save, delete just fine. But he cannot change permissions of any subfolders in this folder.

Let me explain the situation….
Management wants all CAD models placed in the “PARTS” folder with userA being the only one to have read, write (full control) of this folder.
Inside the Parts folder is a folder named for each part number. Inside each part number folder is 4 folders (Master, Original, QA, Tooling).
The permissions are inherited from the parent as follows;
  UserA = Full Control
  Engineering = read & execute, list folder contents, read

I would like to have UserA to be in charge of this folder/subfolders and be able to change the permissions on the QA and Tooling folders, so Engineering group would have “Modify” rights on just these two folders.

(hope this all makes since)

How do I delegate rights for this user (UserA) to be able to do this without him being an admin of the server?

Client computers are Windows XP and Windows 7 pro.
The Parts folder is shared and users have the Parts folder mapped to their computers.

Sounds like a lot of micro-managing (and it is), if someone has a better solution, would like to here.

Thanks

  Fubr
0
Comment
Question by:Fubr
  • 3
  • 2
5 Comments
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39771963
1st you need to logon on server as administrator (domain admins membership will be just fine)
Then give required user (delegated user) full control share permissions on required folder (parts)

Then from advanced security permissions of parts folder go to owner tab and new entry there for delegated user and grant him folder ownership with "replace owner on subcontaners" checkbox selected

It may warn you, accept the warning and now the delegated user will become owner of folder
Now close all windows, again go to ntfs permissions of parts folder and add delegated user there and give him full control permissions and remove any other users and groups full control permissions except administrator \ administrators and click apply.
Also remove creator owner group from access control list of parts folder.

Then go to advanced security permissions and select replace permissions... checkbox and click apply.
This will ensure that delegated user will have full control permissions on parts folder and subfolders and files in the hierarchy.

The only problem with this method is you may lose all other users permissions from sub folders and root folder that you may need to assign again.

The another option is you can use subinacl tool from MS to change owner of parts folder and sub folders and grant delegated user full control on parts folder and sub folder
Syntax:
subinacl /subdirectories "c:\folder\*.*" /setowner=yourdomain\youraccount

subinacl /subdirectories "c:\folder\" /grant=yourdomain\youraccount =F
OR
subinacl /subdirectories "c:\folder\*.*" /grant=yourdomain\youraccount =F

http://www.microsoft.com/en-us/download/details.aspx?id=23510

Mahesh
0
 

Author Comment

by:Fubr
ID: 39779914
Hi Mahesh,

I tried both and still get "access denied" when I have the userA try to change permission on QA and Tooling folders.

Now the only thing I did different, was I created a group (GroupA) adding user to this group and use this instead of UserA. Will subinacl still work on a group instead of user?

Permissions show GroupA as Full control
subinacl shows all good in command prompt  
(Done: 2049,  Modified: 2049, Failed: 0,  Syntax errors: 0)

Any ideas??

Thanks

  Fubr
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39780180
Yes you can grant ownership and access to groups through Subinacl

The above syntax is for just for reference

Make sure you have logged on server with account having local administrators group membership.
Instead of providing permissions to GroupA grant ownership to local server administrators group

subinacl /subdirectories "c:\folder\*.*" /setowner=servername\administrators
Then
subinacl /subdirectories "c:\folder\" /grant=your_domain\UserA =F

Then just logoff server and user workstation as well once and check if you got access as expected ?

Alternatively you can try GUI method mentioned above

Mahesh
0
 

Author Comment

by:Fubr
ID: 39791816
Hey Mahesh,

Couldn't get it to work with the subinacl.
But I was able to get it going with the GUI method as you explain.

Thank you

  Fubr
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39791853
Thanks

Just check below thread on same topic which shade some more light on this and to avoid this issue in future.
http://www.experts-exchange.com/Q_28307926.html

Mahesh
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

We recently had an issue where out of nowhere, end users started indicating that their logins to our terminal server were just showing a "blank screen." After checking the usual suspects -- profiles, shell=explorer.exe in the registry, userinit.exe,…
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question