Setting Permissions on a Windows 2012 Server Share - Preventing delete, move, create directory

Hi Experts,

I am a server newbie.

We have a Windows 2012 server with a file share called Scans  We would like only this share to be available to VPN clients who are authenticated through our router.  We want them to be able to read the files from the Scans share only.  We do not want them to be able to modify, delete or move the files or folders.

I setup a VPN group and set specific deny permissions – not sure if this is how it should be done… I set the VPN users as members of the VPN group only, not a member of Users. The VPN group members can no longer rename or create files however, they can still delete and move the files between folders within the Scans share. We need to prevent this.

What am I doing wrong here?  Thanks for your help.

Just to be certain, shouldn’t the VPN member’s username and password be the same as they use to log into their windows laptop?  Also, does the group they belong to on their laptop effect their permission on the server (for example, what if someone is logging in from a laptop where they have admin rights?  That shouldn’t “elevate” their rights on the server, right?

Thanks again,
Mike
jumptohighAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

KorbusCommented:
I recommend you adjusted the NTFS folder permissions of the folder (rather than/in addition to, the SHARE).

I suggest you adjust NTFS permissions to simply grant the VPNgroup, "read" and "list folder contents" permissions.  Rather than deny, you can simply NOT grant additional access.
Note: (The reason to do this is so that you can have sub groups, that might have more access.  A DENY will carry through all subgroups.  Also, a member of more that one group can have more access that just a VPN user, but again, a DENY will override this.)

Regarding the vpn users laptop login vs domain login: Not necessarily.  Unless you have the laptop configured as members of the domain;  the laptop user credentials will NOT be the same as the domain credentials.  If they ARE configured as members of the domain, then, YES the user authentication will be via the domain.

Correct, the permission they have to their laptop will NOT effect permission they are granted on the server folders.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jumptohighAuthor Commented:
That worked!!! Thanks so much!!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Networking

From novice to tech pro — start learning today.