Solved

Restricting NTFS permissions on folder share

Posted on 2014-01-21
Last Modified: 2014-02-09
Dear Experts,

Our shared drive has become very messy and we're looking to restrict the NTFS permissions on the top 2 levels of the folder structure.
Our structure resembles the following:

S:\Project\ (Folder level 1)
S:\Project\101-200\ (Folder level 2)
S:\Project\101-200\101\(Folder level 3)

At the moment everyone has full access to all levels and one of the problems we are facing is users *accidentally* moving folders into other folders and renaming folders.

What we would like is for a new admin security group to have modify access at the 2 top levels so that only they can create folders. All other domain users must have read, write and delete access to all the lower levels and be able to copy files from one folder to another. They also must be able to traverse the 2 top levels to be able to reach all projects.

This is a live production environment and there are existing non-inheritable permissions on certain project folders. There are also thousands of folders.

What’s the best way to tackle this? And what permissions do I need to set to accomplish this?
Question by:Bladey001
10 Comments
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39797619
Your administrators should have full access on the folder from top to bottom in order to manage it efficiently.

First of all you need to log on as a domain administrator \ domain account having local admin rights on the server and take ownership of the whole Projects folder (with "replace owner" selected) in replace mode.
Then add Authenticated Users to the share permissions and give them Change permissions on the Project folder.
Then go to the Security tab of the Projects folder and grant Authenticated Users "list folder contents" permissions. Also remove the "Creator Owner" group from the list.
Then go to the properties of the projects\100-200 folder, give Authenticated Users Modify permissions and click Apply.
Then from the advanced properties of the 100-200 folder, edit the permissions of Authenticated Users, allow subfolders and files and deny delete.
Lastly remove the Everyone group from the Projects folder share and security permissions.
So now Authenticated Users can create folders under projects\100-200 as they wish and can copy \ move files from one folder to another as well, but they can't delete the 100-200 folder.
Something like below.
[Screenshots: 100-200 folder basic permissions; 100-200 advanced permissions]
Let me know if this is what you are looking for?

Mahesh

Author Comment

by:Bladey001
ID: 39799949
Thanks for your response Mahesh. Looks quite complicated so I'm just trying to understand this better.
What's the purpose of taking ownership of all the folders? And what happens when new folders are created? Who do I replace the owner with? The server's local admin group?
Also what's the difference between using Authenticated Users and Domain Users?

The new 'admin' security group will consist of users who are not domain admins. Just 'admin' staff who will look after the folders, create new folders etc. to take the burden off IT. Will this change anything if it's not a domain admin creating the new folders?

So to summarise is this correct?

Projects folder share permissions:
Domain Admins – Full Control
Authenticated users – Change

Project folder NTFS permissions:
Domain Admins – Full Control
Authenticated users – list folder contents only
SYSTEM – Full Control

101-200 folder NTFS permissions:
Domain Admins - Full Control
Authenticated users – Modify
SYSTEM

The 101 folder etc. will just inherit permissions from the folder above.
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39800516
Yes, you are right.

To answer your questions:
Currently you must have the Creator Owner group with full control permissions on the Projects folder ACL and subfolder ACLs, and the Everyone group is there as well.
Due to this Creator Owner group, the users who create sub folders underneath the 100-200 folder will become the owner of those folders.
This will restrict you from flowing down inherited permissions for domain admins \ other users and groups, and will create access issues (access denied) once you remove the Everyone group permissions.
That's why I suggest you remove the Creator Owner group from the ACL of the Projects folder.
Also I suggest you grant Authenticated Users Modify (not Full Control) so that they can't take explicit ownership of folders, as Full Control grants the right to take ownership as well.
To avoid such issues:
You must take ownership of the root folder (Projects) and all sub folders first, with the replace option selected. You could grant ownership to the built-in Administrators group instead of Domain Admins, as your account and Domain Admins are both members of the built-in Administrators group on the file server.
Then you can flow the required permissions down without issues, as only you are the owner of all folders.
Now if users create a new folder, it will just get Modify permissions and ownership will remain with you, which is what is expected in order to manage folder permissions effectively.

Now, if you want to grant a special admins group the ability to create folders within folders, that is simply not required.
Because Authenticated Users will have Modify rights on the Projects\100-200 folder, they can create folders under the 100-200 folder if they want to. If you don't provide these rights then they cannot move \ delete files and folders underneath the 100-200 folder.
However, in order to protect the 100-200 folder itself from accidental \ intentional deletion, I suggested you give Authenticated Users a Deny Delete permission on that folder so that they can't delete it.
If they want to create \ delete folders under the Projects root folder, then you \ the server admins should create them, as on that new folder you have to provide Authenticated Users Modify rights as well. By doing this you get assurance that users will not delete any 2nd level folders, which is one of the objectives, and it makes sense.

Any domain user can be removed from the Domain Users group if wanted, by setting another group as primary if the user is a member of multiple groups.
But you cannot remove any user from the Authenticated Users group, as any domain user is by default a member of Authenticated Users (anyone who can authenticate with a DC).
Hence I have suggested Authenticated Users; this group is not visible through ADUC.
However, you can use Domain Users instead of Authenticated Users if you want to.

Lastly, your summary is correct except one point is missing in last point:
101-200 folder NTFS permissions:
Domain Admins - Full Control
Authenticated users – Modify
SYSTEM
Here, once you have granted the permissions and clicked Apply, you need to go to the advanced permissions of the 100-200 folder, select "Replace all child object permissions with inheritable permissions from this object" and click Apply, so that you can be sure your applied permissions will flow down to each and every sub folder and file.

Hope that helps

Mahesh

Author Comment

by:Bladey001
ID: 39821145
Thanks very much for your explanation. The requirement has changed slightly (there’s an extra level) can you please review if this is correct before we go ahead and apply the changes:

Projects folder share permissions:
Domain Admins – Full Control
Authenticated users – Change

Project folder NTFS permissions
Domain Admins – Full Control
Authenticated users – list folder contents only
SYSTEM – Full Control

10001-20000 folder NTFS permissions:
Domain Admins - Full Control
Authenticated users – list folder contents only
SYSTEM – Full Control

10101-10200 folder NTFS permissions:
Domain Admins – Full Control
Authenticated users – Modify and Deny delete
System – Full Control
Replace all child object permissions with inheritable permissions

10001 folder etc. will inherit permissions from parent level.
LVL 37

Expert Comment

by:Mahesh
ID: 39827526
This seems to be perfect.
The permission model depends upon what your requirements are.
I guess 10101-10200 is the new folder (level) you have added.
Hence whatever permissions you provide on this folder will be inherited by sub folders and files.
For example:
Projects
    10001-20000
        10101-10200
            10101
            10102
and so on.

Mahesh

Author Comment

by:Bladey001
ID: 39835151
Thanks Mahesh, this is great. One final thing, can you tell me what will happen when these permissions are applied as far as renaming folders is concerned?
LVL 37

Expert Comment

by:Mahesh
ID: 39835200
Only the users \ groups having Modify and above permissions can rename \ move folders \ delete files and folders.
Without that it's not possible for users to rename \ move files or folders.
The basic idea is to restrict users from deleting \ renaming the parent folder such as 10101-10200.

Let me know if you are looking for more restrictions \ restrictive permissions

Mahesh

Author Comment

by:Bladey001
ID: 39835215
So if the authenticated users have Modify but Deny Delete on a folder can they rename the folder?
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39835290
On the advanced security permissions of the 10101-10200 folder, you will find two entries for Authenticated Users: one has Allow Modify rights and one has Deny Delete.
You need to change the scope of the Deny Delete entry to "This folder only".
If you do not find an entry for Deny Delete, then you need to add it explicitly as shown below, with "This folder only" as the scope.

[Screenshot: Deny Delete entry with "This Folder Only" as the scope]
Once you have done that, users can delete \ rename \ move files and folders underneath the 10101-10200 parent folder, but they can't delete \ rename the parent folder itself.

Hope that helps

Mahesh
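The permission model worked out across this thread (ownership to the built-in Administrators group, Change on the share, list-only on the two top levels, Modify plus a Deny Delete scoped to "This folder only" at the project level, then the child-permission replace), as an added PowerShell example that is not from Mahesh or the original post. The paths, the 'Project' share name and the CONTOSO domain are assumptions, and the Smb* cmdlets need Server 2012 or later.

```powershell
# Added example, not from the thread. Paths, the 'Project' share name and the
# CONTOSO domain are assumptions; the Smb* cmdlets need Server 2012 or later.
$Root   = 'S:\Project'                      # level 1 (Projects)
$Level2 = Join-Path $Root   '10001-20000'   # level 2: list only for users
$Level3 = Join-Path $Level2 '10101-10200'   # level 3: Modify, Deny Delete on this folder only
$Admins = 'CONTOSO\Domain Admins'
$Users  = 'NT AUTHORITY\Authenticated Users'

function New-Ace {
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights,
          [ValidateSet('ThisFolderOnly','ThisFolderAndSubfolders','ThisFolderSubfoldersAndFiles')]
          [string]$Scope = 'ThisFolderSubfoldersAndFiles',
          [System.Security.AccessControl.AccessControlType]$Type = 'Allow')
    # Translate the GUI "Applies to" scope into inheritance flags.
    $inherit = switch ($Scope) {
        'ThisFolderOnly'               { 'None' }
        'ThisFolderAndSubfolders'      { 'ContainerInherit' }
        'ThisFolderSubfoldersAndFiles' { 'ContainerInherit, ObjectInherit' }
    }
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, 'None', $Type)
}

function Set-FolderAcl {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Aces, [switch]$ReplaceChildren)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting from the parent, keep nothing
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }  # drops Everyone, CREATOR OWNER
    foreach ($ace in $Aces) { $acl.AddAccessRule($ace) } # the .NET class orders Deny ACEs ahead of Allow
    Set-Acl -Path $Path -AclObject $acl
    if ($ReplaceChildren) {
        # "Replace all child object permissions with inheritable permissions from this
        # object": the wildcard resets the children, not $Path itself.
        icacls "$Path\*" /reset /T /C | Out-Null
    }
}

# 1. Ownership first: hand every folder to the built-in Administrators group (/A), recursively.
takeown /F $Root /A /R /D Y | Out-Null
# 2. Share permissions: Authenticated Users get Change, Everyone is removed.
Grant-SmbShareAccess  -Name 'Project' -AccountName $Users     -AccessRight Change -Force
Revoke-SmbShareAccess -Name 'Project' -AccountName 'Everyone' -Force
# 3. NTFS: both top levels are list-only, so users can traverse but not create or rename there.
$common   = @((New-Ace $Admins 'FullControl'), (New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl'))
$listOnly = $common + (New-Ace $Users 'ReadAndExecute' -Scope 'ThisFolderAndSubfolders')
Set-FolderAcl -Path $Root   -Aces $listOnly
Set-FolderAcl -Path $Level2 -Aces $listOnly
# 4. Level 3: Modify flows down to every project, while Deny Delete is scoped to this folder
#    only, so users can delete and rename inside it but cannot delete or rename the folder.
$projects = $common + @((New-Ace $Users 'Modify'), (New-Ace $Users 'Delete' -Scope 'ThisFolderOnly' -Type 'Deny'))
Set-FolderAcl -Path $Level3 -Aces $projects -ReplaceChildren
```

Run it from an elevated session on the file server; the rename behaviour Mahesh describes follows because renaming a folder needs Delete on that folder, which the "This folder only" Deny withholds while leaving Modify on everything beneath it.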

Author Closing Comment

by:Bladey001
ID: 39845182
Worked a treat. Many thanks for your help throughout!