Solved

Restricting root permissions

Posted on 2014-03-04
Last Modified: 2014-03-27
Dear Experts,

We would like to restrict the permissions on the root level folder of our shared drive so that users cannot save files directly to the root anymore. At the moment we have:

Domain Admins - Full Control - This folder, subfolders and files
Domain Users - Read, write & execute - This folder, subfolders and files
SERVER\Users - Read & Execute - This folder, subfolders and files
CREATOR OWNER - Special
SYSTEM - Full control

How do I accomplish this without affecting the folders below some of which do not inherit permissions?
Question by:Bladey001
9 Comments
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39904075
Go to advanced security permissions and change it...
Make sure do not inherit or replace permission is selected.
[Screenshot: perm]
0
 
LVL 30

Expert Comment

by:serialband
ID: 39905195
DON'T do that.  You'll deny Administrators too and EVERYONE including the system account.  Your pagefile will error out and your hibernate file and all your other hidden system files will start generating errors.

It's actually best not to use deny unless you're sure that's exactly what you want.  It's better to remove permissions.  Remove Domain Users from the permission list instead.  Be sure that Domain Users still exist in the subfolders that need it.  Make sure you don't propagate the removal to the subdirectories.
0
 
LVL 35

Assisted Solution

by:Seth Simmons
Seth Simmons earned 532 total points
ID: 39905364
Remove Domain Users from the permission list instead.

If you remove Domain Users from the ACL, they will get access denied when just trying to reach the root of the drive unless they are a domain admin.

If you change the Domain Users permissions by only selecting these items for 'This folder only' then it should work; they can see everything but can't write to the top-level folder:

traverse folder / execute file
list folder / read data
read attributes
read extended attributes
read permissions
0

 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39905782
@serialband, my intention is to show how to deny creating files on the DATA/root folder, as per the author's request, not the SYSTEM DRIVE. (Now I realize that you are referring to my screenshot.)
0
 

Author Comment

by:Bladey001
ID: 39905927
Is it best practice to remove the SERVER\Users account and just use 'Domain Users'?

The users will need to be able to create folders just not be able to write files to the root.

So if I use the permissions suggested by Seth but also add Create Folders this should accomplish what I need right?
0
 
LVL 13

Accepted Solution

by:
Santosh Gupta earned 536 total points
ID: 39906033
try this...

to use those you don't want to give the file creation rights.
[Screenshot: permi]
0
 
LVL 30

Assisted Solution

by:serialband
serialband earned 532 total points
ID: 39908046
Seth Simmons is right.  I just saw the deny everyone screenshot and responded quickly, because I saw a disaster about to happen.  No matter what the situation, you don't deny unless you have a very good reason or have exhausted other options.  It's still far better to uncheck the permissions rather than deny them.  You're more likely to run into problems later on if you deny permissions without some planning.  There's already an implicit deny when you're not in the permissions list.

You might also want to uncheck the 5 checkboxes directly below the highlighted section in the image that sgupta1181 provided if you also don't want them to modify the permissions and edit the files.
Create folders/append data
Write attributes
Write extended attributes
Delete subfolders and files
Delete
0
 

Author Comment

by:Bladey001
ID: 39925804
So essentially I've removed Create files / write data from Domain Users (This folder only) and had to add another entry for domain users (subfolders and files only) to give them read, write & execute
0
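
The ACL layout described in the comment above (Domain Users without Create files / write data on the root, plus a second entry that applies to subfolders and files only), together with the Create folders right the author asked about earlier, written out as an added PowerShell example that is not part of the original thread. The path `D:\Shared` and the domain name `EXAMPLE` are placeholders; run it from an elevated session.

```powershell
# Added example. $root and the EXAMPLE domain are assumed placeholder values.
$root     = 'D:\Shared'
$identity = [System.Security.Principal.NTAccount]'EXAMPLE\Domain Users'

$acl = Get-Acl -Path $root

# Remove every explicit Domain Users entry on the root. This is a removal,
# not a Deny entry: other principals (SYSTEM, Domain Admins) are untouched.
$acl.PurgeAccessRules($identity)

# Entry 1: "This folder only". ReadAndExecute covers traverse, list folder,
# read attributes, read extended attributes and read permissions.
# CreateDirectories lets users make folders; WriteData (create files) is absent.
$rootOnly = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $identity,
    [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, CreateDirectories',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Entry 2: "Subfolders and files only" (inherit-only), read, write and execute.
# It is not evaluated on the root itself, only on objects that inherit from it.
$below = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $identity,
    [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl.AddAccessRule($rootOnly)
$acl.AddAccessRule($below)
Set-Acl -Path $root -AclObject $acl

# Check 1: the two Domain Users entries now on the root.
(Get-Acl -Path $root).Access |
    Where-Object { $_.IdentityReference -eq $identity } |
    Format-Table FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited

# Check 2: first-level folders with inheritance disabled. They keep their own
# ACLs, so confirm Domain Users is still listed where it is needed.
Get-ChildItem -Path $root -Directory |
    Where-Object { (Get-Acl -Path $_.FullName).AreAccessRulesProtected } |
    Select-Object -ExpandProperty FullName
```

Folders that inherit from the root pick up the second entry automatically; folders listed by the last check are unaffected by the change and need their own review.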
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 39928296
Does that mean the issue is resolved or do you still need assistance?
0
