Solved

Issue with Windows folder permissions

Posted on 2014-07-30
Last Modified: 2014-08-28
I'm having an issue with giving a user access to a particular folder on one of our servers.

Server is Windows 2008 R2 and has a folder off the root which is shared as 'Level1'

Under this folder are several levels of subfolder -  \\server\level1\level2\level3

The 'level1' share is only accessible to one group (accounts) - no-one else has access to 'level1' or anything under it

I now want to allow another user (not a member of accounts) access to only the 'level3' folder. I go into the Security properties of this folder, and add the user, giving them "full control" permissions.

When the user types '\\server\level1\level2\level3' into Windows Explorer, the contents of the folder are shown (as I would expect). However, the folder is Read Only - i.e. he cannot Add, Delete, Copy etc. any files within this folder.

I've checked 'Effective Permissions' and it shows him as having full rights.

It's not a propagation issue - I've made various 'test' changes which are reflected pretty much straight away.

I've tried removing inheritance from this folder, copying the existing inheritance settings and adding the user again - same result

I've confirmed that the administrator account is the Owner of everything from 'Level1' down

If I go into the 'Sharing' properties of the 'Level3' folder, and click on 'Share' under 'Network File and Folder Sharing', it shows that the user has 'Read/Write' access.

Any idea as to why this isn't working?
Question by:Michael986
LVL 10

Expert Comment

by:Korbus
ID: 40231032
Hmm, it sounds like you have not granted the user write access in the SHARE permissions. I think you will need to do this for the user to be able to have REMOTE write access.

You could also create a new SHARE, directly on the folder you want the user to have access to, and grant permission there.

Keep in mind, the share that you access the folder through, will "filter" permissions (granting no more than is authorized by BOTH the share and NTFS).
 

Author Comment

by:Michael986
ID: 40231044
Could you expand on that? The user has full rights on the 'level3' folder (and the 'share' on that folder). What do I need to do that I haven't done already?

And what do you mean by 'REMOTE write access'?
 
LVL 3

Expert Comment

by:Mike Sun
ID: 40231349
It is the combination of "Share" permissions and "NTFS" permissions that gives you "effective" permissions, which will be the more restrictive of the two.
 
LVL 10

Expert Comment

by:Korbus
ID: 40231603
REMOTE access: simply means accessing those files when NOT on the machine they are stored on.  (over the network)  I'm sure if you logon to windows on your file-server, with that user, there will be no problem read/writing to that folder.

Each server can have multiple SHARES. If you access your level 3 folder via:
\\server\level1\level2\level3
then you are NOT using the level 3 SHARE, but rather the level 1 share (and using THOSE permissions defined for the level 1 share)

I was suggesting you create a NEW share on the level 3 folder, called, say, LEV3
This share would be accessed by \\server\LEV3 (and using the defined permissions for the level 3 share)

granting no more than is authorized by BOTH the share and NTFS:
As an example, if only ONE of those grants read or write access, you WON'T get read or write access - you need BOTH share permission and NTFS to have read-write access for the user to be able to read-write to the folder remotely.

>>The user has full rights on the 'level3' folder (and the 'share' on that folder)
I'm not clear on what you mean by "the 'share' on that folder".  Are you accessing that folder VIA the "share on that folder"?  If not, then those share permissions don't matter.  A single share cannot have different permissions for different sub-folders, THAT is up to NTFS (or additional shares).
 

Author Comment

by:Michael986
ID: 40233420
I understand that I could create a new share specifically for 'Level3', but I would like to understand why it doesn't work with the current setup.

>>I'm not clear on what you mean by "the 'share' on that folder".  

I'm on the server itself (may or may not be relevant), and use Windows Explorer to browse to the 'level3' folder, right click on it and select 'Properties', then select the 'Sharing' tab.

'Level3' has not been specifically shared (only 'Level1'), but under 'Network File and Folder Sharing' it is showing as 'Shared', and clicking on the 'Share' button it shows the user as having Read/Write access

If I do the same thing for 'Level1', there is no mention of the user (which is to be expected) - therefore this suggests that 'Level3' is not (or at least should not be) using the same share criteria as 'Level1'

And if I go into the security tab for 'level3' it shows that the user has "Full Control"

So I'm still unsure why the user can access the folder (ie they have permissions to do that) but that the folder is Read Only (which isn't specified anywhere - the only rights for this user are "Full Control" and 'Read/Write')
 
LVL 10

Accepted Solution

by:
Korbus earned 500 total points
ID: 40233431
>>So I'm still unsure why the user can access the folder (ie they have permissions to do that) but that the folder is Read Only (which isn't specified anywhere - the only rights for this user are "Full Control" and 'Read/Write')

Because you have not granted the user that permission on the share being USED (Level1) to write to the folder.

The share permissions that you see when you look at the properties of level3 show the permissions you WOULD have if you DID create a share, but are otherwise meaningless.  Share permissions don't actually get inherited by sub folders, like NTFS permissions do.  Rather, a share grants AND limits access to ANY files accessed through the share, as defined by the share permissions.

So, without creating a new share, you will need to grant the user write-permission in the Level1 share.
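
The rule described in the accepted answer, as an added Python model that is not part of any post in this thread: the share named in the UNC path supplies the share ACL, and remote access is the intersection of that ACL with the NTFS ACL on the target folder. The account names, the `everyone: READ` entry on Level1, the local paths and the two-bit rights are assumptions constructed to reproduce the symptom; deny entries are not modelled.

```python
# Added illustration: simplified rights bits, not real Windows access masks.
READ, WRITE = 0x1, 0x2
FULL = READ | WRITE

# Constructed data. 'newuser' and the 'everyone: READ' share entry are assumptions
# chosen to reproduce the read-only symptom; LEV3 is the share proposed in the thread.
GROUPS = {"newuser": set(), "alice": {"accounts"}}
SHARES = {  # share name -> (local path, share ACL)
    "level1": (r"c:\level1", {"accounts": FULL, "everyone": READ}),
    "lev3": (r"c:\level1\level2\level3", {"newuser": FULL}),
}
NTFS_ACL = {  # local path -> NTFS ACL (allow entries only)
    r"c:\level1\level2\level3": {"accounts": FULL, "newuser": FULL},
}

def resolve(unc):
    """Split a UNC path into the share actually used and the local target path."""
    parts = unc.strip("\\").lower().split("\\")
    share, rest = parts[1], parts[2:]
    local = "\\".join([SHARES[share][0]] + rest)
    return share, local

def granted(acl, principals):
    """OR together the rights of every ACL entry that matches the user's token."""
    mask = 0
    for trustee, rights in acl.items():
        if trustee in principals:
            mask |= rights
    return mask

def effective(unc, user):
    """Remote access = share rights AND NTFS rights, for the share in the UNC path."""
    share, local = resolve(unc)
    principals = {user, "everyone"} | GROUPS.get(user, set())
    share_rights = granted(SHARES[share][1], principals)
    ntfs_rights = granted(NTFS_ACL.get(local, {}), principals)
    return share_rights & ntfs_rights

def label(mask):
    return {0: "no access", READ: "read-only", FULL: "read/write"}.get(mask, hex(mask))

if __name__ == "__main__":
    for path in (r"\\server\level1\level2\level3", r"\\server\LEV3"):
        print(path, "->", label(effective(path, "newuser")))
```

The same folder with the same NTFS "Full Control" entry comes out read-only through the Level1 share and read/write through LEV3, because only the share ACL differs.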