Solved

Issue with Windows folder permissions

Posted on 2014-07-30
Last Modified: 2014-08-28
I'm having an issue with giving a user access to a particular folder on one of our servers.

Server is Windows 2008 R2 and has a folder off the root which is shared as 'Level1'

Under this folder are several levels of subfolder -  \\server\level1\level2\level3

The 'level1' share is only accessible to one group (accounts) - no-one else has access to 'level1' or anything under it

I now want to allow another user (not a member of accounts) access to only the 'level3' folder. I go into the Security properties of this folder, and add the user, giving them "full control" permissions.

When the user types '\\server\level1\level2\level3' into Windows Explorer, the contents of the folder is shown (as I would expect). However, the folder is Read Only - ie he cannot Add, Delete, Copy etc any files within this folder.

I've checked 'Effective Permissions' and it shows him as having full rights.

It's not a propagation issue - I've made various 'test' changes which are reflected pretty much straight away.

I've tried removing inheritance from this folder, copying the existing inheritance settings and adding the user again - same result

I've confirmed that the administrator account is the Owner of everything from 'Level1' down

If I go into the 'Sharing' properties of the 'Level3' folder, and click on 'Share' under 'Network File and Folder Sharing', it shows that the user has 'Read/Write' access.

Any idea as to why this isn't working?
Question by:Michael986
6 Comments
 
LVL 10

Expert Comment

by:Korbus
ID: 40231032
Hmm,  it sounds like you have not granted the user write access to the SHARE permission.  I think you will need to do this for the user to be able to have REMOTE write access.

You could also create a new SHARE, directly on the folder you want the user to have access to, and grant permission there.

Keep in mind, the share that you access the folder through, will "filter" permissions (granting no more than is authorized by BOTH the share and NTFS).
0
 

Author Comment

by:Michael986
ID: 40231044
Could you expand on that? The user has full rights on the 'level3' folder (and the 'share' on that folder). What do I need to do that I haven't done already?

And what do you mean by 'REMOTE write access'?
0
 
LVL 3

Expert Comment

by:Mike Sun
ID: 40231349
It is the combination of "Share" permissions and "NTFS" permissions that gives you "effective" permissions, which will be the more restrictive of the two.
0
LVL 10

Expert Comment

by:Korbus
ID: 40231603
REMOTE access: simply means accessing those files when NOT on the machine they are stored on.  (over the network)  I'm sure if you logon to windows on your file-server, with that user, there will be no problem read/writing to that folder.

Each server can have multiple SHARES. If you access your level 3 folder via:
\\server\level1\level2\level3
then you are NOT using the level 3 SHARE, but rather the level 1 share (and using THOSE permissions defined for the level 1 share)

I was suggesting you create a NEW share, on the level 3 folder called say.. LEV3
This share would be accessed by \\server\LEV3 (and using the defined permissions for the level 3 share)

granting no more than is authorized by BOTH the share and NTFS:
As an example, if only ONE of those grants read or write access, you WON'T get read or write access - you need BOTH share permission and NTFS to have read-write access for the user to be able to read-write to the folder remotely.

>>The user has full rights on the 'level3' folder (and the 'share' on that folder)
I'm not clear on what you mean by "the 'share' on that folder".  Are you accessing that folder VIA the "share on that folder"?  If not, then those share permissions don't matter.  A single share cannot have different permissions for different sub-folders, THAT is up to NTFS (or additional shares).
0
 

Author Comment

by:Michael986
ID: 40233420
I understand that I could create a new share specifically for 'Level3', but I would like to understand why it doesn't work with the current setup.

>>I'm not clear on what you mean by "the 'share' on that folder".  

I'm on the server itself (may or may not be relevant), and use Windows Explorer to browse to the 'level3' folder, right click on it and select 'Properties', then select the 'Sharing' tab.

'Level3' has not been specifically shared (only 'Level1'), but under 'Network File and Folder Sharing' it is showing as 'Shared', and clicking on the 'Share' button it shows the user as having Read/Write access

If I do the same thing for 'Level1', there is no mention of the user (which is to be expected) - therefore this suggests that 'Level3' is not (or at least should not be) using the same share criteria as 'Level1'

And if I go into the security tab for 'level3' it shows that the user has "Full Control"

So I'm still unsure why the user can access the folder (ie they have permissions to do that) but that the folder is Read Only (which isn't specified anywhere - the only rights for this user are "Full Control" and 'Read/Write')
0
 
LVL 10

Accepted Solution

by:
Korbus earned 500 total points
ID: 40233431
>>So I'm still unsure why the user can access the folder (ie they have permissions to do that) but that the folder is Read Only (which isn't specified anywhere - the only rights for this user are "Full Control" and 'Read/Write')

Because you have not granted the user that permission on the share being USED (Level1) to write to the folder.

The share permissions that you see when you look at the properties of level3 show the permissions you WOULD have if you DID create a share, but are otherwise meaningless.  Share permissions don't actually get inherited by sub folders, like NTFS does.  Rather, a share grants AND limits access to ANY files accessed through it, as defined by the share permissions.

So, without creating a new share, you will need to grant the user write-permission in the Level1 share.
0
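A way to list the two permission sets the answers above describe, as an added example that is not part of any post in this thread: it works out which share a UNC path actually goes through, then prints that share's permissions next to the NTFS permissions of the target folder. It assumes the server and share names from the question and an elevated PowerShell session on the file server itself; the WMI classes used are available on Windows Server 2008 R2.

```powershell
# Added example: run locally on the file server, elevated.
# $Unc is the path the user types; the names are the ones used in the question.
$Unc = '\\server\level1\level2\level3'

# A UNC path is \\<server>\<share>\<rest>. Only <share> decides which share ACL applies.
$parts     = $Unc.TrimStart('\').Split('\')
$shareName = $parts[1]
$rest      = if ($parts.Length -gt 2) { $parts[2..($parts.Length - 1)] -join '\' } else { '' }

# Map the share to its local folder, then to the local path of the target folder.
$share = Get-WmiObject -Class Win32_Share -Filter "Name='$shareName'"
if (-not $share) { throw "No share named '$shareName' on this server" }
$localPath = if ($rest) { Join-Path $share.Path $rest } else { $share.Path }

# Standard share access masks as shown in the share permissions dialog.
$maskNames = @{ '2032127' = 'Full Control'; '1245631' = 'Change'; '1179817' = 'Read' }

"Share permissions on '$shareName' (apply to every folder reached through it):"
$sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$shareName'"
if (-not $sec) {
    "  (no explicit share security descriptor returned for this share)"
} else {
    foreach ($ace in $sec.GetSecurityDescriptor().Descriptor.DACL) {
        $name = $maskNames["$($ace.AccessMask)"]
        if (-not $name) { $name = "mask $($ace.AccessMask)" }
        $type = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }
        "  {0,-5} {1}\{2} : {3}" -f $type, $ace.Trustee.Domain, $ace.Trustee.Name, $name
    }
}

"NTFS permissions on $localPath :"
(Get-Acl -Path $localPath).Access |
    Select-Object AccessControlType, IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

For remote write access the user (or a group the user belongs to) has to appear with write-capable rights in both lists; an entry only in the NTFS list of the subfolder leaves the share list as the limit.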
