Michael986

Issue with Windows folder permissions

I'm having an issue with giving a user access to a particular folder on one of our servers.

Server is Windows 2008 R2 and has a folder off the root which is shared as 'Level1'

Under this folder are several levels of subfolder -  \\server\level1\level2\level3

The 'level1' share is only accessible to one group (accounts) - no-one else has access to 'level1' or anything under it

I now want to allow another user (not a member of accounts) access to only the 'level3' folder. I go into the Security properties of this folder, and add the user, giving them "full control" permissions.

When the user types '\\server\level1\level2\level3' into Windows Explorer, the contents of the folder are shown (as I would expect). However, the folder is Read Only - i.e. he cannot Add, Delete, Copy etc any files within this folder.

I've checked 'Effective Permissions' and it shows him as having full rights.

It's not a propagation issue - I've made various 'test' changes which are reflected pretty much straight away.

I've tried removing inheritance from this folder, copying the existing inheritance settings and adding the user again - same result

I've confirmed that the administrator account is the Owner of everything from 'Level1' down

If I go into the 'Sharing' properties of the 'Level3' folder, and click on 'Share' under 'Network File and Folder Sharing', it shows that the user has 'Read/Write' access.

Any idea as to why this isn't working?
Korbus

Hmm, it sounds like you have not granted the user write access to the SHARE permission.  I think you will need to do this for the user to be able to have REMOTE write access.

You could also create a new SHARE, directly on the folder you want the user to have access to, and grant permission there.

Keep in mind, the share that you access the folder through, will "filter" permissions (granting no more than is authorized by BOTH the share and NTFS).
Michael986

ASKER

Could you expand on that. The user has full rights on the 'level3' folder (and the 'share' on that folder). What do I need to do that I haven't done already?

And what do you mean by 'REMOTE write access'?
Mike Sun

It is the combination of "Share" permissions and "NTFS" permissions that gives you "effective" permissions which will be the more restrictive of the two.
REMOTE access: simply means accessing those files when NOT on the machine they are stored on.  (over the network)  I'm sure if you logon to windows on your file-server, with that user, there will be no problem read/writing to that folder.

Each server can have multiple SHARES. If you access your level 3 folder via:
\\server\level1\level2\level3
then you are NOT using the level 3 SHARE, but rather the level 1 share (and using THOSE permissions defined for the level 1 share)

I was suggesting you create a NEW share, on the level 3 folder called say.. LEV3
This share would be accessed by \\server\LEV3 (and using the defined permissions for the level 3 share)

granting no more than is authorized by BOTH the share and NTFS:
As an example, if only ONE of those grants read or write access, you WON'T get read or write access - you need BOTH share permission and NTFS to have read-write access for the user to be able to read-write to the folder remotely.

>>The user has full rights on the 'level3' folder (and the 'share' on that folder)
I'm not clear on what you mean by "the 'share' on that folder".  Are you accessing that folder VIA the "share on that folder"?  If not, then those share permissions don't matter.  A single share cannot have different permissions for different sub-folders, THAT is up to NTFS (or additional shares).
I understand that I could create a new share specifically for 'Level3', but I would like to understand why it doesn't work with the current setup.

>>I'm not clear on what you mean by "the 'share' on that folder".  

I'm on the server itself (may or may not be relevant), and use Windows Explorer to browse to the 'level3' folder, right click on it and select 'Properties', then select the 'Sharing' tab.

'Level3' has not been specifically shared (only 'Level1'), but under 'Network File and Folder Sharing' it is showing as 'Shared', and clicking on the 'Share' button it shows the user as having Read/Write access

If I do the same thing for 'Level1', there is no mention of the user (which is to be expected) - therefore this suggests that 'Level3' is not (or at least should not be) using the same share criteria as 'Level1'

And if I go into the security tab for 'level3' it shows that the user has "Full Control"

So I'm still unsure why the user can access the folder (ie they have permissions to do that) but that the folder is Read Only (which isn't specified anywhere - the only rights for this user are "Full Control" and 'Read/Write')
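
The two permission layers discussed in this thread can be listed side by side on the file server. The script below is an added example, not part of any post in the thread; it uses WMI classes available to PowerShell 2.0 on Windows Server 2008 R2, and takes the share name and sub-path from the UNC path quoted in the question.

```powershell
# Added example. Run on the file server in an elevated PowerShell session.
# Values taken from the UNC path in the thread:
#   \\server\level1\level2\level3  ->  share "level1", sub-path "level2\level3"
$ShareName = 'level1'
$SubPath   = 'level2\level3'

# Share-level access masks and the names shown in the share Permissions dialog
$ShareRights = @{ 2032127 = 'Full Control'; 1245631 = 'Change'; 1179817 = 'Read' }

# 1. Share permissions: the ACL on the share named first in the UNC path
$share = Get-WmiObject -Class Win32_Share -Filter "Name='$ShareName'"
if (-not $share) { throw "No share named '$ShareName' on this server" }
$setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"

"Share permissions on \\$env:COMPUTERNAME\$ShareName"
if ($setting) {
    foreach ($ace in $setting.GetSecurityDescriptor().Descriptor.DACL) {
        $type   = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }   # 0 = allow, 1 = deny
        $rights = $ShareRights[[int]$ace.AccessMask]
        if (-not $rights) { $rights = '0x{0:X}' -f $ace.AccessMask }    # non-standard mask
        '  {0,-5} {1}\{2}: {3}' -f $type, $ace.Trustee.Domain, $ace.Trustee.Name, $rights
    }
} else {
    '  (WMI returned no security descriptor for this share)'
}

# 2. NTFS permissions: the ACL on the folder itself, located via the share's local path
$folder = Join-Path $share.Path $SubPath
"NTFS permissions on $folder"
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

Compare the entries that apply to the user (directly or through group membership) in both lists; a separate share such as the suggested LEV3 would be checked by changing `$ShareName` and clearing `$SubPath`.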