Solved

Issue with Windows folder permissions

Posted on 2014-07-30
Last Modified: 2014-08-28
I'm having an issue with giving a user access to a particular folder on one of our servers.

Server is Windows 2008 R2 and has a folder off the root which is shared as 'Level1'

Under this folder are several levels of subfolder -  \\server\level1\level2\level3

The 'level1' share is only accessible to one group (accounts) - no-one else has access to 'level1' or anything under it

I now want to allow another user (not a member of accounts) access to only the 'level3' folder. I go into the Security properties of this folder, and add the user, giving them "full control" permissions.

When the user types '\\server\level1\level2\level3' into Windows Explorer, the contents of the folder are shown (as I would expect). However, the folder is Read Only - i.e. he cannot Add, Delete, Copy etc. any files within this folder.

I've checked 'Effective Permissions' and it shows him as having full rights.

It's not a propagation issue - I've made various 'test' changes which are reflected pretty much straight away.

I've tried removing inheritance from this folder, copying the existing inheritance settings and adding the user again - same result

I've confirmed that the administrator account is the Owner of everything from 'Level1' down

If I go into the 'Sharing' properties of the 'Level3' folder, and click on 'Share' under 'Network File and Folder Sharing', it shows that the user has 'Read/Write' access.

Any idea as to why this isn't working?
0
Question by:Michael986
6 Comments
 
LVL 10

Expert Comment

by:Korbus
ID: 40231032
Hmm,  it sounds like you have not granted the user write access to the SHARE permission.  I think you will need to do this for the user to be able to have REMOTE write access.

You could also create a new SHARE, directly on the folder you want the user to have access to, and grant permission there.

Keep in mind, the share that you access the folder through, will "filter" permissions (granting no more than is authorized by BOTH the share and NTFS).
0
 

Author Comment

by:Michael986
ID: 40231044
Could you expand on that? The user has full rights on the 'level3' folder (and the 'share' on that folder). What do I need to do that I haven't done already?

And what do you mean by 'REMOTE write access'?
0
 
LVL 3

Expert Comment

by:Mike Sun
ID: 40231349
It is the combination of "Share" permissions and "NTFS" permissions that gives you "effective" permissions, which will be the more restrictive of the two.
0
 
LVL 10

Expert Comment

by:Korbus
ID: 40231603
REMOTE access: simply means accessing those files when NOT on the machine they are stored on.  (over the network)  I'm sure if you logon to windows on your file-server, with that user, there will be no problem read/writing to that folder.

Each server can have multiple SHARES. If you access your level 3 folder via:
\\server\level1\level2\level3
then you are NOT using the level 3 SHARE, but rather the level 1 share (and using THOSE permissions defined for the level 1 share)

I was suggesting you create a NEW share on the level 3 folder, called say... LEV3
This share would be accessed by \\server\LEV3 (and using the defined permissions for the level 3 share)

granting no more than is authorized by BOTH the share and NTFS:
As an example, if only ONE of those grants read or write access, you WON'T get read or write access - you need BOTH share permission and NTFS to have read-write access for the user to be able to read-write to the folder remotely.

>>The user has full rights on the 'level3' folder (and the 'share' on that folder)
I'm not clear on what you mean by "the 'share' on that folder".  Are you accessing that folder VIA the "share on that folder"?  If not, then those share permissions don't matter.  A single share cannot have different permissions for different sub-folders, THAT is up to NTFS (or additional shares).
0
 

Author Comment

by:Michael986
ID: 40233420
I understand that I could create a new share specifically for 'Level3', but I would like to understand why it doesn't work with the current setup.

>>I'm not clear on what you mean by "the 'share' on that folder".  

I'm on the server itself (may or may not be relevant), and use Windows Explorer to browse to the 'level3' folder, right click on it and select 'Properties', then select the 'Sharing' tab.

'Level3' has not been specifically shared (only 'Level1'), but under 'Network File and Folder Sharing' it is showing as 'Shared', and clicking on the 'Share' button it shows the user as having Read/Write access

If I do the same thing for 'Level1', there is no mention of the user (which is to be expected) - therefore this suggests that 'Level3' is not (or at least should not be) using the same share criteria as 'Level1'

And if I go into the security tab for 'level3' it shows that the user has "Full Control"

So I'm still unsure why the user can access the folder (ie they have permissions to do that) but that the folder is Read Only (which isn't specified anywhere - the only rights for this user are "Full Control" and 'Read/Write')
0
 
LVL 10

Accepted Solution

by:
Korbus earned 500 total points
ID: 40233431
>>So I'm still unsure why the user can access the folder (ie they have permissions to do that) but that the folder is Read Only (which isn't specified anywhere - the only rights for this user are "Full Control" and 'Read/Write')

Because you have not granted the user that permission on the share being USED (Level1) to write to the folder.

The share permissions that you see when you look at the properties of level3 show the permissions you WOULD have if you DID create a share, but are otherwise meaningless.  Share permissions don't actually get inherited by sub folders, like NTFS does.  Rather, it grants AND limits access to ANY files accessed through the share, as defined by the share permissions.

So, without creating a new share, you will need to grant the user write-permission in the Level1 share.
0
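
The rule from the accepted answer, as an added example that is not part of the original thread: a small PowerShell model that resolves which share a UNC path goes through and intersects that share's grants with the NTFS grants on the target folder. The principal `user1`, the `Everyone` read grant on Level1, the `C:\` paths and the LEV3 share's grant are assumptions chosen to reproduce the symptom described; no real share or ACL is queried.

```powershell
# Added illustration with constructed ACLs; not the asker's real configuration.
# Masks: Read = 1, Change (read + write) = 3, Full Control = 7.
$Read = 1; $Change = 3; $Full = 7

# Assumed share table: share name -> local path and share-level grants.
# 'user1', the Everyone grant and the C:\ paths are placeholders.
$Shares = @{
    'level1' = @{ Path = 'C:\Level1'
                  Acl  = @{ 'Everyone' = $Read; 'accounts' = $Full } }
    'LEV3'   = @{ Path = 'C:\Level1\level2\level3'
                  Acl  = @{ 'user1' = $Change } }
}
# Assumed NTFS grants, keyed by local path (allow ACEs only, no deny ACEs).
$Ntfs = @{
    'C:\Level1\level2\level3' = @{ 'user1' = $Full; 'accounts' = $Full }
}

function Get-GrantMask($Acl, $Principals) {
    # OR together every grant that applies to the user or one of their groups.
    $mask = 0
    foreach ($p in $Principals) {
        if ($Acl -and $Acl.ContainsKey($p)) { $mask = $mask -bor $Acl[$p] }
    }
    return $mask
}

function Get-EffectiveRemoteAccess([string]$Unc, [string[]]$Principals) {
    # \\server\<share>\<rest>: only the FIRST component after the server names a share.
    $parts = $Unc.TrimStart('\') -split '\\'
    $share = $Shares[$parts[1]]
    if (-not $share) { throw "No share named '$($parts[1])'" }
    $localPath = $share.Path
    if ($parts.Count -gt 2) { $localPath += '\' + ($parts[2..($parts.Count - 1)] -join '\') }

    $shareMask = Get-GrantMask $share.Acl $Principals
    $ntfsMask  = Get-GrantMask $Ntfs[$localPath] $Principals
    $effective = $shareMask -band $ntfsMask      # a right must be allowed by BOTH
    New-Object PSObject -Property @{
        ShareUsed = $parts[1]; LocalPath = $localPath
        ShareMask = $shareMask; NtfsMask = $ntfsMask
        Effective = $effective; CanWrite = (($effective -band 2) -ne 0)
    }
}

$who = 'user1', 'Everyone'
Get-EffectiveRemoteAccess '\\server\level1\level2\level3' $who   # goes through the Level1 share
Get-EffectiveRemoteAccess '\\server\LEV3' $who                    # goes through the hypothetical LEV3 share
```

Both calls reach the same local folder with the same NTFS grant; only the `ShareUsed` and `ShareMask` values differ, which is what decides `CanWrite`.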
