[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 313
  • Last Modified:

Making a file accessible to a user with limited permissions for an SBS 2011 standard server

Situation is that there's 3 groups of users - A, B, C.  

users in group A can access folder 1 & 2.  
users in group B can access folder 2
users in group C cannot access folder 1 and 2

There's a file in folder 1 that all A users have a shortcut to \\server\folder1\doc on their desktops because they use it so much.

Now they want group B to be able to access that file.

How would you do this to make sure the desktop shortcuts all still work, group B can access the file and group C cannot.

some ways I can think of it:

give group B permission to just that file?  But how much of folder 1 can they see then?  File names?...
Move file to folder2 and change all the shortcuts?
Something else?
0
BeGentleWithMe-INeedHelp
Asked:
BeGentleWithMe-INeedHelp
  • 3
  • 3
  • 2
  • +1
1 Solution
 
John HurstBusiness Consultant (Owner)Commented:
Rather than muck with individual file permissions (which can have unintended consequences), I suggest you put the file in a common folder that is permitted to people who need the file.

That is how I approach folder permission issues.
0
 
BeGentleWithMe-INeedHelpAuthor Commented:
and then change / make a new shortcut on each user's desktop?  If the shortcut goes to \\server\folder1\doc, you can't really replace that target location with another shortcut to \\server\folder2\doc?
0
 
John HurstBusiness Consultant (Owner)Commented:
I make the folder structure so that it fits the permissions requirements and then adjust shortcuts to fit.
0
Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

 
Joseph O'LoughlinCommented:
The file is one file as regards permissions, so grant group b permissions to the specific file via it's security properties.
Create a symlink to the file in folder 2
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363878(v=vs.85).aspx
0
 
BeGentleWithMe-INeedHelpAuthor Commented:
john - yeah, that's what I would do (put the file somewhere then create shortcut), but the situation changed : )

And Joe - you are saying leave the file in folder 1, allow group B to get to it via a symlink?  hadn't heard of a symlink before and not really following the page you point to. is that any different than just making a shortcut on their desktop to \\server\folder1\doc?

I will likely try it to see for myself, but now, when they type \\server in win explorer, they see all the shares, but when group b clicks on any other than folder2, they get a message about not permitted.  what happens when they have permission to 1 file in a folder they don't have permissions for?!
0
 
RantCanCommented:
Give group B list and read permission to the folder that hosts the file they need in folder 1, and then give them write access to the file they need.
0
 
Joseph O'LoughlinCommented:
It's like a shortcut, but at a lower ntfs level.  Delete it in one place, it's gone from both.  MS use this trick with My Documents / Documents folder.  I suggested it so you would not need to change folder permissions.
0
 
BeGentleWithMe-INeedHelpAuthor Commented:
RantCan:  I think I did this:

Give group B list and read permission to the folder that hosts the file they need in folder 1, and then give them write access to the file they need.

in permissions for the folder1, it says

allow  group b  list folder / read data not inherited   this folder only.

Sound right?

when I type \\server\folder 1 from the group 2 user's machine, I get 'you don't have permission'.

is there the equivalent of gpupdate /force that you have to do when you change permissions for a file?  I rebooted.

Now if I type \\server\folder1, I see the file.  I click on it, it opens.  I make a change, hit save and it says it can't find the file \\server\folder1

Any thoughts?

Something else, \\server\folder1 is a share to the same folder as \\server\f1

browsing in internet explorer to \\server\folder1, I only see that 1 file.

But browsing to \\server\f1, I see all the files?  Both shares have permissions of full for everyone.  ANy thoughts on why 1 share shows all files (can't open them though) and 1 share shows only that 1 file?
0
 
RantCanCommented:
Try adding "traverse" to the NTFS permission so they can navigate to the file they have access to.

Also, what do the *share* permissions look like? Standard is to set those to "Authenticated Users" Full Control.
0
 
Joseph O'LoughlinCommented:
stop confusing folder permissions and share permissions.  Both need to be set correctly, as they were when I recommended you instead change the file permissions and create a symbolic link.
changes to share permissions, file system and registry permissions are instantaneous.  your app will need to be reopened.
the user used by internet information server, if this is providing the page to internet explorer is different to the logged in user
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 3
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now