Windows Server Permissions - Group vs. Individual

Posted on 2014-01-29
Medium Priority
Last Modified: 2014-10-14
I am having a real problem with going to a totally group based permission structure. All folder permissions had been assigned to individuals only. I started replacing them by putting the relevant users into groups - but I am finding that I am going to have more groups than users in order to give everyone the permissions they need.

We only have 35 users, but it seems that I will end up with 70 groups. It almost seems it is going to be much harder to assign group permissions than just adding the individuals, where I can instantly see their permissions, than having to remember everyone in each group. But I see and have benefited from the group structure by just adding a person to a group and they then have permissions to multiple folders instantly. But then again I am constantly getting hit where someone needs permission to a folder, but they don't need to belong to the assigned group, so I sometimes have to make a new group up for a single individual or maybe just two users.

I have it set where the domain\administrator is the owner of all folders and no one gets full control, but we have so many subfolders that it is hard to have one set of top folder level groups/permissions that carry through to all subfolders.

Is there any documentation on how to effectively restructure a sprawling file system structure?

Another problem I have is with assigning Read and Write access, but not Modify, in that the newly created folders can't be renamed. You can create a folder, but not change its name from New Folder. And, if you add a file to an existing folder, it creates 2 tmp txt files for every 1 file saved. Do I have to do special permissions through the advanced section in all of these non-Modify situations? I don't understand the Write function since it seems so limited.
Question by:grgar
Assisted Solution

by:Ned Ramsay
Ned Ramsay earned 1000 total points
ID: 39819772
You don't have to use groups if you are uncomfortable with it.
It makes administering a larger domain more cumbersome, but it is ultimately the same if you manage the security side properly.

I always start with one shared folder, then subfolders with ever more restrictive permissions. If you are using Server 2008 you can actually hide files and folders people don't have access to, so they don't see all the multitude of shares.

So within the Shared folder an IT person may see everything but an HR person will only see the HR folder. Within these folders you can create private folders for individuals if you like or folders that span HR and IT.

But with 35 users, and no sudden need for growth, it is not necessary, but it is good practice.

Author Comment

ID: 39819800
Actually, I am comfortable with the groups and I really like them, especially when removing one person when they leave: they are instantly removed from all the folders of their group and no S-1-x-x-x's are left behind. And, again, there is the benefit of adding one person to a group and having them gain permissions to many folders. I guess I really need to create the extra groups and just keep a file listing all the different combinations of users per group as a reference.

We really only have 4 groups: Research, Rate Setting, Audit and Compliance, and Legal. The HR one is pretty easy to control, but there is so much cross referencing of the other four, and there are hundreds of different top level folders and thousands of sub folders.

Any ideas on why Write access is so limited? Is that where I will have to do Special Permissions and grant Create folder, but not Delete, etc.?

Expert Comment

by:Ned Ramsay
ID: 39819822
Those file permissions seem strange, especially the creating of temp files. Typically when you open a Word document it creates those tmp files while it is open, then removes them when it's complete.

I assume SYSTEM has full control over these folders?

Author Comment

ID: 39819859
Now this is where I may have made a big mistake. Some of the Shares had everyone and everything listed with permissions in the ACL, and I removed all of them except the domain\administrator account, which is the only owner and has full control of all folders. I also kept Domain Admins with full control. I then added the entire staff as a single group, at the top level, with "Read, Read and Execute, List Folder Contents, and added Write" to the Security permissions. The Share permissions are Read and Change. And that is where the Write will allow a New Folder to be created, but not named. And those tmp .txt files do not disappear unless I go and delete them while logged in as Administrator.

In another Users Share, I only gave the Staff "List Folder Contents" in order to be able to navigate down and access their particular folder, without being able to read anyone else's. And here and in the above mentioned Share, Read Only works fine; it is just that I can't assign proper Write permissions and therefore have to grant "Modify" in order for them to be able to create a folder or even just save a file to another folder. It seems I need to go back to the beginning and start all over with my Sharing and Security Permissions knowledge.

Author Comment

ID: 39819939
I found an article with other links for Permissions Best Practices.

I see I messed up removing the System permissions. Can I just add it back okay? I don't understand the Local Administrators group while we only use domain accounts, and that damn Everyone group always confused and scared me. I have more reading to do, and if anyone has any other good links like this one, please share.

Assisted Solution

by:Ned Ramsay
Ned Ramsay earned 1000 total points
ID: 39821578
It's a tough learning curve buddy, don't worry!

Everyone should be used on the Shares, e.g. share with EVERYONE full control, then use the Security (NTFS) permissions to filter down from there.

SYSTEM allows the server and Windows domain components to run and manipulate those folders.
Typical permissions for my shares are:
SYSTEM - Full Control
Local Admin - Full Control
Domain Admin (or Admins) - Full Control
Security Group (HR/IT etc.) - Read/Write/List (you said you didn't want them to have Modify).

Make sure to propagate those permissions down to the folders below them if you need to.

The Everyone group shouldn't be used in NTFS permissions, only in the sharing tab; the sharing tab should be Everyone - Full Control.

Expert Comment

ID: 39828171
If you want to rename \ delete folders, you must provide Modify NTFS permissions, otherwise you cannot rename \ move files and folders.


Author Comment

ID: 39831721
Nedramsay, thanks for the info, and I meant to thank you sooner for the hiding of folders in 2008. We are upgrading to that soon, thus my reason for trying to clean up our permission structure. I added System back with Full Control, and didn't have any snafus in between. I am still working out a few more issues and will report back here and give you the credit necessary; I just want to leave this open a little longer while I work through that.

Mahesh, thanks, too. Yes, I have seen that and will just have to work out my group structure better to have separate Read and Modify groups.

Accepted Solution

Mahesh earned 1000 total points
ID: 39831844
The normal best practices for shared folder permissions:

1st of all, check ownership of the root folder and subfolders, and if Administrators do not have ownership from top to bottom in the hierarchy, just take ownership of the root folder and all sub folders and files from the advanced permissions tab of the root folder, with "replace owner on sub folders" selected.
On the Sharing tab remove the Everyone group.
On the Sharing tab give Authenticated Users Change permissions and Administrators Full Control permissions.
On the Security tab, remove Everyone and the CREATOR OWNER group, and also remove Full Control permissions from all other groups except Administrators and the SYSTEM account.
Also provide List Folder Contents permissions to Authenticated Users.
You may need to disable permissions inheritance on the root folder.

If you have multiple sub folders with specific users \ groups having access permissions to specific folders, then from the advanced properties of the root folder, ensure that the Authenticated Users permissions scope is limited to "This folder only", and then provide individual groups \ specific groups Modify permissions on the respective sub folders so that they can access only those folders and files for which they have got Modify access.
This will prevent changing file and folder ownership and access issues. The whole structure's ownership remains with the Administrators group only.
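As an added illustration (not code from either answer above), the following PowerShell applies the layout both Ned's "typical permissions" list and Mahesh's accepted steps describe: Authenticated Users and Administrators on the share, SYSTEM and Administrators with Full Control on the root, Authenticated Users limited to "This folder only", and a department group with Modify on its own subfolder. The root path `D:\Shared`, the share name, the domain `CORP` and the department groups are hypothetical; it assumes Server 2012 or later (for the SmbShare module) and an elevated session.

```powershell
# Added example, not from the thread. Hypothetical names; run elevated.
Set-StrictMode -Version Latest
$Root   = 'D:\Shared'                       # hypothetical root folder
$Share  = 'Shared'                          # hypothetical share name
$Admins = 'BUILTIN\Administrators'
$Users  = 'NT AUTHORITY\Authenticated Users'

function New-Rule([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate = 'None') {
    # FileSystemAccessRule(identity, rights, inheritanceFlags, propagationFlags, type)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

# 1) Sharing tab: no Everyone; Authenticated Users = Change, Administrators = Full Control.
#    AccessBased enumeration hides folders the caller has no rights to (Ned's "hide folders").
if (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue) { Remove-SmbShare -Name $Share -Force }
New-SmbShare -Name $Share -Path $Root -FullAccess $Admins -ChangeAccess $Users `
    -FolderEnumerationMode AccessBased | Out-Null

# 2) Security tab on the root: stop inheriting (drops Everyone, CREATOR OWNER, etc.),
#    make Administrators the owner, and rebuild a minimal ACL from scratch.
$acl = Get-Acl $Root
$acl.SetAccessRuleProtection($true, $false)          # disable inheritance, do not copy inherited ACEs
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }   # clear explicit ACEs
$acl.SetOwner([System.Security.Principal.NTAccount]$Admins)
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit'))
$acl.AddAccessRule((New-Rule $Admins 'FullControl' 'ContainerInherit, ObjectInherit'))
# "This folder only" (no inheritance flags): users can list the root and browse down,
# but gain nothing inside subfolders unless a subfolder grants it explicitly.
$acl.AddAccessRule((New-Rule $Users 'ReadAndExecute' 'None'))
Set-Acl -Path $Root -AclObject $acl

# 3) Department subfolders: each group gets Modify (Modify includes Delete, which is
#    what renaming "New Folder" needs, as noted in the thread). SYSTEM/Administrators
#    Full Control is inherited from the root.
$Departments = @{ 'Research' = 'CORP\Research'; 'Legal' = 'CORP\Legal' }   # hypothetical groups
foreach ($name in $Departments.Keys) {
    $path = Join-Path $Root $name
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    $sub = Get-Acl $path
    $sub.AddAccessRule((New-Rule $Departments[$name] 'Modify' 'ContainerInherit, ObjectInherit'))
    Set-Acl -Path $path -AclObject $sub
}

# 4) Verify the result: owner and effective ACEs on the root and one department folder.
Get-Acl $Root, (Join-Path $Root 'Legal') | Format-Table Path, Owner, AccessToString -Wrap
```

Run step 4 on its own first against the existing tree to record the current owner and ACEs before changing anything.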

