Solved

Restricting NTFS permissions on folder share

Posted on 2014-01-21
Last Modified: 2014-02-09
Dear Experts,

Our shared drive has become very messy and we're looking to restrict the NTFS permissions on the top 2 levels of the folder structure.
Our structure resembles the following:

S:\Project\ (Folder level 1)
S:\Project\101-200\ (Folder level 2)
S:\Project\101-200\101\ (Folder level 3)

At the moment everyone has full access to all levels and one of the problems we are facing is users *accidentally* moving folders into other folders and renaming folders.

What we would like is for a new admin security group to have Modify access at the 2 top levels so that only they can create folders. All other domain users must have read, write and delete access to all the lower levels and be able to copy files from one folder to another. They also must be able to traverse the 2 top levels to be able to reach all projects.

This is a live production environment and there are existing non-inheritable permissions on certain project folders. There are also thousands of folders.

What’s the best way to tackle this? And what permissions do I need to set to accomplish this?
Question by:Bladey001

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 39797619
Your administrators should have full access on the folder from top to bottom in order to manage it efficiently.

1. First of all, you need to log on as a domain administrator (or a domain account having local admin rights on the server) and take ownership of the whole Projects folder (with "replace owner" selected), in replace mode.
2. Then add Authenticated Users to the share permissions and give them Change permissions on the Project folder.
3. Then go to the Security tab of the Projects folder and grant Authenticated Users "List folder contents" permissions. Also remove the "CREATOR OWNER" group from the list.
4. Then go to the properties of the projects\100-200 folder, give Authenticated Users Modify permissions and click Apply.
5. Then, from the advanced properties of the 100-200 folder, edit the Authenticated Users permissions so that they allow on subfolders and files, and deny Delete.
6. Lastly, remove the Everyone group from the Projects folder share and security permissions.

So now Authenticated Users can create folders under the projects\100-200 folder as they wish and can copy / move files from one folder to another as well, but they can't delete the 100-200 folder.
Something like the below:
[Screenshots: 100-200 folder basic permissions; 100-200 folder advanced permissions]
Let me know if this is what you are looking for.

Mahesh

Author Comment

by:Bladey001
ID: 39799949
Thanks for your response Mahesh. Looks quite complicated, so I'm just trying to understand this better.
What's the purpose of taking ownership of all the folders? And what happens when new folders are created? Who do I replace the owner with? The server's local admin group?
Also, what's the difference between using Authenticated Users and Domain Users?

The new ‘admin’ security group will consist of users who are not domain admins. Just ‘admin’ staff who will look after the folders, create new folders etc.. to take the burden off IT. Will this change anything if it's not a domain admin creating the new folders?

So to summarise is this correct?

Projects folder share permissions:
Domain Admins – Full Control
Authenticated users – Change

Project folder NTFS permissions:
Domain Admins – Full Control
Authenticated users – list folder contents only
SYSTEM – Full Control

101-200 folder NTFS permissions:
Domain Admins - Full Control
Authenticated users – Modify
SYSTEM

101 folder etc will just inherit permissions from above folder

Assisted Solution

by: Mahesh (earned 500 total points)
ID: 39800516
Yes, you are right.

To answer your questions:
Currently you must have the CREATOR OWNER group with Full Control permissions on the Projects folder ACL and the subfolder ACLs, and the Everyone group is also there.
Because of this CREATOR OWNER group, the users who create subfolders underneath the 100-200 folder become the owners of those folders.
This will restrict you from flowing down inherited permissions for Domain Admins / other users and groups, and will create access issues (access denied) once you remove the Everyone group permissions.
That's why I suggest you remove the CREATOR OWNER group from the ACL of the Projects folder.
Also, I suggest you grant Authenticated Users Modify (not Full Control), so that they can't take explicit ownership of folders, as Full Control grants the right to take ownership as well.
To avoid such issues:
You must take ownership of the root folder (Projects) and all subfolders first, with the replace option selected. You could grant ownership to the built-in Administrators group instead of Domain Admins, as your account and Domain Admins are both also members of the built-in Administrators group on the file server.
Then you can flow the required permissions down without issues, as only you are the owner of all folders.
Now if users create a new folder, it will just get Modify permissions and ownership will remain with you, which is what is expected in order to manage folder permissions effectively.

Now, as for granting a special admins group the ability to create folders within folders: that is simply not required.
Because Authenticated Users will have Modify rights on the Projects\100-200 folder, they can create folders under the 100-200 folder if they want to. If you don't provide these rights then they cannot move / delete files and folders underneath the 100-200 folder.
However, in order to protect the 100-200 folder itself from accidental / intentional deletion, I suggested giving Authenticated Users a Deny Delete permission on that folder so that they can't delete it.
If they want to create / delete a folder under the Projects root folder, then you / the server admins should create it, as on that new folder you have to provide Authenticated Users Modify rights as well. By doing this you get assurance that users will not delete any 2nd-level folders, which is one of the objectives, and it makes sense.

Any domain user can be removed from the Domain Users group if wanted, by setting up another group as primary if the user is a member of multiple groups.
But you cannot remove any user from the Authenticated Users group, as any domain user (who can authenticate with a DC) is by default a member of Authenticated Users.
Hence I have suggested Authenticated Users; this group is not visible through ADUC.
However, you can use Domain Users instead of Authenticated Users if you want to.

Lastly, your summary is correct except that one point is missing from the last item:
101-200 folder NTFS permissions:
Domain Admins - Full Control
Authenticated users – Modify
SYSTEM
Here, once you have granted the permissions and clicked Apply, you need to go to the advanced permissions of the 100-200 folder, select "Replace all child object permissions with inheritable permissions from this object" and click Apply, so that you have assurance that the permissions you applied will flow down to each and every subfolder and file.

Hope that helps

Mahesh
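
Before the "Replace all child object permissions with inheritable permissions from this object" step in the answer above overwrites the existing non-inheritable permissions the question mentions, a practitioner would normally inventory them so that any deliberate exception can be re-created afterwards. The following PowerShell is an added example, not code from the thread or from either participant: it walks the tree, records every folder that blocks inheritance or carries explicit ACEs, flags the Everyone and CREATOR OWNER entries the answer says to remove, and writes a CSV. The root path and the output file are assumptions.

```powershell
# Added example, not code from the thread. ASSUMPTION: $Root and $Out are placeholders.
# Run as an account that can read the ACL of every folder (after the takeown step,
# the local Administrators group can).
Set-StrictMode -Version Latest
$Root = 'S:\Project'
$Out  = Join-Path $env:TEMP 'project-acl-inventory.csv'

function Get-ExplicitAclReport {
    param([string]$Path)
    # Folders only: the thread's concern is folder-level exceptions, not individual files.
    Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            # A folder whose ACL we cannot read is itself a finding worth fixing (ownership),
            # but it is skipped here rather than aborting the whole walk.
            try { $acl = Get-Acl -LiteralPath $dir.FullName } catch { return }
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
            # Plain inheritor with nothing explicit: the replace step changes nothing here.
            if (-not $acl.AreAccessRulesProtected -and $explicit.Count -eq 0) { return }
            if ($explicit.Count -eq 0) {
                # Inheritance disabled but no explicit ACEs: record the folder once so the
                # reviewer knows the reset will re-attach it to its parent's permissions.
                [pscustomobject]@{
                    Folder = $dir.FullName; Protected = $true; Owner = $acl.Owner
                    Identity = '(inheritance blocked, no explicit ACEs)'
                    Type = ''; Rights = ''; AppliesTo = ''; RemoveCandidate = $false
                }
            }
            foreach ($ace in $explicit) {
                [pscustomobject]@{
                    Folder    = $dir.FullName
                    Protected = $acl.AreAccessRulesProtected     # $true = inheritance disabled here
                    Owner     = $acl.Owner                        # per-user owners point at CREATOR OWNER
                    Identity  = $ace.IdentityReference.Value
                    Type      = [string]$ace.AccessControlType
                    Rights    = [string]$ace.FileSystemRights
                    AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
                    # The two principals the accepted answer says to remove from the ACLs.
                    RemoveCandidate = ($ace.IdentityReference.Value -in @('Everyone', 'CREATOR OWNER'))
                }
            }
        }
}

$report = @(Get-ExplicitAclReport -Path $Root)
$report | Export-Csv -LiteralPath $Out -NoTypeInformation -Encoding UTF8

# Summary: which identities hold explicit ACEs, and how many folders the reset will touch.
$report | Group-Object Identity | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
'{0} folders with non-default ACLs; {1} ACEs for Everyone/CREATOR OWNER; details in {2}' -f
    @($report | Select-Object -ExpandProperty Folder -Unique).Count,
    @($report | Where-Object RemoveCandidate).Count,
    $Out
```

The CSV is the record to keep: after the permissions are reset, any folder listed with Protected = True and an Identity other than Everyone or CREATOR OWNER is a candidate for a deliberate exception that the reset removed and that may need to be re-applied on purpose.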

Author Comment

by:Bladey001
ID: 39821145
Thanks very much for your explanation. The requirement has changed slightly (there's an extra level). Can you please review whether this is correct before we go ahead and apply the changes:

Projects folder share permissions:
Domain Admins – Full Control
Authenticated users – Change

Project folder NTFS permissions
Domain Admins – Full Control
Authenticated users – list folder contents only
SYSTEM – Full Control

10001-20000 folder NTFS permissions:
Domain Admins - Full Control
Authenticated users – list folder contents only
SYSTEM – Full Control

10101-10200 folder NTFS permissions:
Domain Admins – Full Control
Authenticated users – Modify and Deny delete
System – Full Control
Replace all child object permissions with inheritable permissions

10001 folder etc. will inherit permissions from parent level.

Expert Comment

by:Mahesh
ID: 39827526
This seems to be perfect.
The permission model depends upon what your requirements are.
I guess 10101-10200 is the new folder (level) you have added.
Hence whatever permissions you provide on this folder will be inherited by its subfolders and files.
For example:
Projects
    10001-20000
        10101-10200
            10101
            10102
and so on.

Mahesh

Author Comment

by:Bladey001
ID: 39835151
Thanks Mahesh, this is great. One final thing: can you tell me what will happen when these permissions are applied as far as renaming folders is concerned?

Expert Comment

by:Mahesh
ID: 39835200
Only the users / groups having Modify or higher permissions can rename / move folders and delete files and folders.
Without that, it's not possible for users to rename / move files and folders.
The basic idea is to restrict users from deleting / renaming the parent folder, such as 10101-10200.

Let me know if you are looking for more restrictions / more restrictive permissions.

Mahesh

Author Comment

by:Bladey001
ID: 39835215
So if the authenticated users have Modify but Deny Delete on a folder can they rename the folder?

Assisted Solution

by: Mahesh (earned 500 total points)
ID: 39835290
On the advanced security permissions of the 10101-10200 folder, you will find two entries for Authenticated Users: one has Allow Modify rights and the other has Deny Delete.
You need to change the scope of the Deny Delete entry to "This folder only".
If you do not find an entry for Deny Delete, then you need to add it explicitly, as shown below, with "This folder only" as the scope.

[Screenshot: Deny Delete entry with "This folder only" as the scope]
Once you have done that, users can delete / rename / move files and folders underneath the 10101-10200 parent folder, but they can't delete / rename the parent folder itself.

Hope that helps

Mahesh
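
The permission model the thread settles on (the author's three-level summary plus the "This folder only" scope for Deny Delete clarified in the answer above) can be applied and checked from PowerShell rather than clicked through thousands of times in the GUI. The script below is an added example, not code from the thread or from either participant. The three paths, the share name 'Project' and the 'CONTOSO' domain are placeholders; it assumes it runs elevated on the file server, against a test copy of the tree first, and that the SmbShare cmdlets are available (Windows Server 2012 or later).

```powershell
#Requires -RunAsAdministrator
using namespace System.Security.AccessControl
# Added example, not code from the thread. ASSUMPTIONS: paths, share name and
# domain below are placeholders; BUILTIN\Administrators becomes the owner, as the
# accepted answer suggests.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$Root   = 'S:\Project'                        # level 1: list/traverse only
$Level2 = Join-Path $Root   '10001-20000'     # level 2: list/traverse only
$Level3 = Join-Path $Level2 '10101-10200'     # level 3: users may change things below here

$AuthUsers = 'NT AUTHORITY\Authenticated Users'
$System    = 'NT AUTHORITY\SYSTEM'
$Admins    = 'BUILTIN\Administrators'
$DomAdmins = 'CONTOSO\Domain Admins'          # placeholder domain

function New-Ace {
    param([string]$Identity,
          [FileSystemRights]$Rights,
          [InheritanceFlags]$Inherit = 'ContainerInherit, ObjectInherit',
          [AccessControlType]$Type = 'Allow')
    # PropagationFlags.None: the ACE applies to this folder and to whatever $Inherit says.
    [FileSystemAccessRule]::new($Identity, $Rights, $Inherit, [PropagationFlags]::None, $Type)
}

function Set-FolderAcl {
    param([string]$Path, [FileSystemAccessRule[]]$Rules,
          [switch]$BlockInheritance, [switch]$ReplaceChildren)
    $acl = Get-Acl -LiteralPath $Path
    # Root only: stop inheriting from S:\ and drop the inherited ACEs, so nothing such as
    # Everyone or CREATOR OWNER can flow in from the drive root.
    if ($BlockInheritance) { $acl.SetAccessRuleProtection($true, $false) }
    # Remove every explicit ACE; this is what takes Everyone and CREATOR OWNER off the folder.
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($old)
    }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }   # Deny ACEs are ordered first automatically
    Set-Acl -LiteralPath $Path -AclObject $acl
    if ($ReplaceChildren) {
        # GUI equivalent: "Replace all child object permissions with inheritable permissions
        # from this object" = re-enable inheritance and clear explicit ACEs on every child.
        Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
            $child = Get-Acl -LiteralPath $_.FullName
            $child.SetAccessRuleProtection($false, $false)
            foreach ($old in @($child.Access | Where-Object { -not $_.IsInherited })) {
                $null = $child.RemoveAccessRule($old)
            }
            Set-Acl -LiteralPath $_.FullName -AclObject $child
        }
    }
}

# 1. Ownership of the whole tree to BUILTIN\Administrators (/A), replacing the per-user
#    owners that CREATOR OWNER produced. Set-Acl below depends on this being done first.
takeown /F $Root /R /A /D Y | Out-Null

# 2. Share permissions: Everyone out, Authenticated Users = Change, Domain Admins = Full.
Revoke-SmbShareAccess -Name 'Project' -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
Grant-SmbShareAccess  -Name 'Project' -AccountName $AuthUsers -AccessRight Change -Force | Out-Null
Grant-SmbShareAccess  -Name 'Project' -AccountName $DomAdmins -AccessRight Full   -Force | Out-Null

$adminRules = @((New-Ace $Admins FullControl), (New-Ace $System FullControl), (New-Ace $DomAdmins FullControl))
# "List folder contents" in the GUI = ReadAndExecute applied to this folder and subfolders only.
$listOnly = New-Ace $AuthUsers ReadAndExecute ContainerInherit

# 3. and 4. Levels 1 and 2: traverse and list only, Everyone and CREATOR OWNER gone.
Set-FolderAcl -Path $Root   -BlockInheritance -Rules ($adminRules + $listOnly)
Set-FolderAcl -Path $Level2                   -Rules ($adminRules + $listOnly)

# 5. Level 3: Modify flowing to everything below, plus Deny Delete scoped to
#    "This folder only" (InheritanceFlags.None). Rename needs the Delete right on the
#    object, so this blocks renaming or deleting the folder itself but not its contents.
Set-FolderAcl -Path $Level3 -ReplaceChildren -Rules ($adminRules + @(
    (New-Ace $AuthUsers Modify),
    (New-Ace $AuthUsers Delete None Deny)))

# Read-back check for the level-3 folder: the conditions the thread cares about.
function Test-Level3Acl {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $findings = @()
    foreach ($gone in 'Everyone', 'CREATOR OWNER') {
        if ($acl.Access | Where-Object { $_.IdentityReference.Value -like "*$gone" }) {
            $findings += "$gone is still in the ACL"
        }
    }
    $denyDelete = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $AuthUsers -and
        (($_.FileSystemRights -band [FileSystemRights]::Delete) -ne 0) -and
        $_.InheritanceFlags -eq [InheritanceFlags]::None }
    if (-not $denyDelete) { $findings += 'Deny Delete scoped to "This folder only" is missing' }
    if ($acl.Owner -ne $Admins) { $findings += "owner is $($acl.Owner), expected $Admins" }
    [pscustomobject]@{ Path = $Path; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Test-Level3Acl -Path $Level3 | Format-List
```

The order matters: takeown runs first because Set-Acl writes the owner it read back and fails if that owner is a principal the caller cannot assign, and the Deny Delete ACE is created with InheritanceFlags None so that it lands only on 10101-10200 itself, which is exactly the "This folder only" scope the answer above describes. Test-Level3Acl can be run on its own later as a drift check.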

Author Closing Comment

by:Bladey001
ID: 39845182
Worked a treat. Many thanks for your help throughout!