Solved

Delegate User to Set Permissions on File Server

Posted on 2014-01-10
Last Modified: 2014-01-19
Hello Experts,

I am having an issue setting up a user to be able to change permissions on a folder and subfolders on a file server.

The file server is 2008 R2 and in a domain. I am the only administrator.
I have given this user (userA) the Full control permissions for this folder, and he can make, save, delete just fine. But he cannot change permissions of any subfolders in this folder.

Let me explain the situation….
Management wants all CAD models placed in the “PARTS” folder with userA being the only one to have read, write (full control) of this folder.
Inside the Parts folder is a folder named for each part number. Inside each part number folder are 4 folders (Master, Original, QA, Tooling).
The permissions are inherited from the parent as follows:
  UserA = Full Control
  Engineering = read & execute, list folder contents, read

I would like to have UserA be in charge of this folder/subfolders and be able to change the permissions on the QA and Tooling folders, so the Engineering group would have “Modify” rights on just these two folders.

(Hope this all makes sense.)

How do I delegate rights for this user (UserA) to be able to do this without him being an admin of the server?

Client computers are Windows XP and Windows 7 pro.
The Parts folder is shared and users have the Parts folder mapped to their computers.

Sounds like a lot of micro-managing (and it is); if someone has a better solution, I would like to hear it.

Thanks

  Fubr
Question by: Fubr

5 Comments

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39771963
First, you need to log on to the server as administrator (Domain Admins membership will be just fine).
Then give the required user (the delegated user) Full Control share permissions on the required folder (Parts).

Then, from the advanced security permissions of the Parts folder, go to the Owner tab, add a new entry there for the delegated user, and grant him folder ownership with the "replace owner on subcontainers" checkbox selected.

It may warn you; accept the warning, and the delegated user will now become the owner of the folder.
Now close all windows, go to the NTFS permissions of the Parts folder again, add the delegated user there and give him Full Control permissions, remove any other users' and groups' Full Control permissions except administrator \ administrators, and click Apply.
Also remove the CREATOR OWNER group from the access control list of the Parts folder.

Then go to the advanced security permissions, select the replace permissions... checkbox, and click Apply.
This will ensure that the delegated user has Full Control permissions on the Parts folder and on the subfolders and files in the hierarchy.

The only problem with this method is that you may lose all other users' permissions on the subfolders and the root folder, which you may need to assign again.

Another option is to use the subinacl tool from MS to change the owner of the Parts folder and subfolders and grant the delegated user Full Control on the Parts folder and subfolders.
Syntax:
subinacl /subdirectories "c:\folder\*.*" /setowner=yourdomain\youraccount

subinacl /subdirectories "c:\folder\" /grant=yourdomain\youraccount=F
OR
subinacl /subdirectories "c:\folder\*.*" /grant=yourdomain\youraccount=F

http://www.microsoft.com/en-us/download/details.aspx?id=23510

Mahesh
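
The GUI steps from the accepted answer, written as icacls commands followed by a PowerShell check, as an added example that is not part of the original thread. The path D:\Shares\Parts and the CONTOSO\... account names are hypothetical placeholders, and the share permission from the answer's second step is set separately and is not covered here.

```powershell
# Added example; path and account names are hypothetical placeholders.
$Root     = 'D:\Shares\Parts'       # assumed local path behind the Parts share
$Delegate = 'CONTOSO\UserA'         # assumed delegated user
$Group    = 'CONTOSO\Engineering'   # assumed read-only group

# Owner tab with "replace owner on subcontainers": delegate owns the whole tree.
icacls $Root /setowner $Delegate /T /C

# Inheritable ACEs on the root: delegate Full control, group read & execute.
icacls $Root /grant:r "${Delegate}:(OI)(CI)F" "${Group}:(OI)(CI)RX"

# Remove CREATOR OWNER from the root ACL (only affects explicit, non-inherited ACEs).
icacls $Root /remove 'CREATOR OWNER'

# "Replace permissions" checkbox: children drop explicit ACEs and inherit from the root.
icacls "$Root\*" /reset /T /C

# The asker's goal: Modify for the group on QA and Tooling under each part number only.
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    foreach ($sub in 'QA', 'Tooling') {
        $target = Join-Path $_.FullName $sub
        if (Test-Path $target) { icacls $target /grant "${Group}:(OI)(CI)M" }
    }
}

# Check: list every folder where the delegate is not owner or lacks Full control.
$fc = [System.Security.AccessControl.FileSystemRights]::FullControl
Get-ChildItem -Path $Root -Recurse | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $acl  = Get-Acl -Path $_.FullName
    $full = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Delegate -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $fc) -eq $fc
    }
    if ($acl.Owner -ne $Delegate -or -not $full) {
        New-Object PSObject -Property @{
            Path = $_.FullName; Owner = $acl.Owner; DelegateFullControl = [bool]$full
        }
    }
}
```

An empty result from the final check means every folder under the root has the delegate as owner with an Allow entry for Full control.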
Author Comment

by:Fubr
ID: 39779914
Hi Mahesh,

I tried both and still get "access denied" when I have userA try to change permissions on the QA and Tooling folders.

Now the only thing I did differently was that I created a group (GroupA), added the user to this group, and used this instead of UserA. Will subinacl still work on a group instead of a user?

Permissions show GroupA as Full control
subinacl shows all good in command prompt  
(Done: 2049,  Modified: 2049, Failed: 0,  Syntax errors: 0)

Any ideas??

Thanks

  Fubr

Expert Comment

by:Mahesh
ID: 39780180
Yes, you can grant ownership and access to groups through Subinacl.

The above syntax is just for reference.

Make sure you have logged on to the server with an account having local Administrators group membership.
Instead of providing permissions to GroupA, grant ownership to the local server Administrators group:

subinacl /subdirectories "c:\folder\*.*" /setowner=servername\administrators
Then
subinacl /subdirectories "c:\folder\" /grant=your_domain\UserA=F

Then just log off the server and the user workstation once and check whether you get access as expected.

Alternatively, you can try the GUI method mentioned above.

Mahesh

Author Comment

by:Fubr
ID: 39791816
Hey Mahesh,

Couldn't get it to work with subinacl.
But I was able to get it going with the GUI method as you explained.

Thank you

  Fubr

Expert Comment

by:Mahesh
ID: 39791853
Thanks

Just check the thread below on the same topic, which sheds some more light on this and helps avoid this issue in future.
http://www.experts-exchange.com/Q_28307926.html

Mahesh